Kaspr Fined for GDPR Violations: Unlawful Data Collection and Retention Exposed

The National Commission on Informatics and Liberty (CNIL) has determined that the Paris-based company Kaspr violated EU privacy laws by collecting and storing data from LinkedIn that it was neither authorized to access nor retain.

According to regulators, Kaspr unlawfully gathered contact information from LinkedIn users who had restricted visibility of their details to their 1st and 2nd-degree connections. While the company was permitted to collect publicly visible information, it violated the rules by retaining such data for an “excessive period,” the CNIL stated.

Kaspr operates through a paid Chrome browser extension that enables customers to obtain professional contact information from LinkedIn, create lead lists, and run outreach campaigns. The company, owned by the data firm Cognism, reportedly holds a database of approximately 160 million contacts, scraped from LinkedIn and other websites, such as domain registries.

The CNIL revealed that it had received multiple complaints from individuals who were contacted by organizations using data obtained via the Kaspr extension. Furthermore, Kaspr failed to meet its obligation to provide transparent information to those whose data it collected.

The company only began notifying individuals of its data collection practices in 2022—four years after launching the extension—and even then, the information provided was deemed unclear. Regulators also noted that Kaspr violated individuals’ right to access their data. When queried about the source of their contact details, Kaspr merely stated that the data had been obtained from publicly accessible sources, offering no additional clarity.

In response to these violations, the CNIL imposed a fine on Kaspr and ordered the company to halt its unlawful practices and ensure compliance with the General Data Protection Regulation (GDPR).