D

LinkedIn

Serious concerns
Microsoft · 🇺🇸 United States
Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
Manufacturer: Microsoft

⚠️ The bottom line

LinkedIn claimed three separate legal justifications for tracking users and serving targeted ads. The Irish Data Protection Commission demolished all three. Consent wasn't freely given. "Legitimate interests" didn't hold. And personalized ads being "necessary to fulfill the contract" was rejected — you don't need targeted advertising to run a job board. The EUR 310 million fine came from a complaint filed in 2018 by French privacy group La Quadrature Du Net. It took six years for regulators to act. During those six years, LinkedIn kept profiling a billion users with no valid legal basis.

In April 2021, data from 500 million LinkedIn users showed up for sale on a hacker forum. Two months later, it happened again — 700 million users, meaning virtually every person on the platform had their full name, email, phone number, and gender exposed. LinkedIn's response was to argue semantics: "It's scraping, not a breach." The distinction is meaningless to the 700 million people whose details were compiled into a searchable database and sold. LinkedIn's position: "We didn't lose your data, we just made it so easy to collect that someone vacuumed up all of it."

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Spying: 1/4 LOW. Is someone spying on me?
Data Sharing: 3/4 HIGH. Who gets my data?
Security: 2/4 MODERATE. Is it actually secure?
Honesty: 3/4 HIGH. Can I trust what they say?
CONFIGURE: High-risk areas that can be partially mitigated with settings changes.
6 Contradictions
1 Critical
4 High
1 Medium
5 Sources
Findings by concern
Spying 1/4 LOW 1 finding
⚫ medium · policy claims vs app permissions
LinkedIn charges up to $59.99 per month for Premium, which reduces the number of ads you see but doesn't stop the tracking behind them. Free users get the full surveillance experience — maximum data extraction to fund LinkedIn's ad business. Premium users pay to see fewer ads while being profiled identically. The EUR 310 million GDPR fine covered treatment of all users, confirming even paying customers had data processed without valid legal basis. You can pay LinkedIn to stop showing you ads. You cannot pay LinkedIn to stop watching you. The privacy upgrade doesn't exist at any price tier.

What they claim: LinkedIn offers Premium tiers providing enhanced features for career advancement.

What we found: Free users experience maximum data extraction with full ad targeting. Premium users ($29.99-$59.99/month) get reduced ads but not reduced tracking. The EUR 310 million fine applied to treatment of all users, both free and premium.

Data Sharing 3/4 HIGH 2 findings
⚠️ critical · policy claims vs regulatory findings
LinkedIn claimed three separate legal justifications for tracking users and serving targeted ads. The Irish Data Protection Commission demolished all three. Consent wasn't freely given. "Legitimate interests" didn't hold. And personalized ads being "necessary to fulfill the contract" was rejected — you don't need targeted advertising to run a job board. The EUR 310 million fine came from a complaint filed in 2018 by French privacy group La Quadrature Du Net. It took six years for regulators to act. During those six years, LinkedIn kept profiling a billion users with no valid legal basis.

What they claim: LinkedIn states it processes member data lawfully and with appropriate consent.

What we found: In October 2024, the Irish DPC fined LinkedIn EUR 310 million for processing data without valid legal basis. All three justifications were rejected: consent was not freely given, legitimate interests were outweighed by users' rights, and targeted ads were not contractually necessary. Complaint originated from La Quadrature Du Net in 2018.

⚡ high · policy claims vs app permissions
When you update your LinkedIn profile with your job title, employer, and skills, you think you're building a resume. Microsoft thinks you're building an ad profile. After the $26.2 billion acquisition, LinkedIn data flows directly into Microsoft's advertising machine — your professional identity targets ads across Bing, Outlook, and other Microsoft services. Outside the EU, you're automatically opted in. Microsoft brags that LinkedIn data boosted ad click-through by 16% and conversions by 64%. Your career history isn't helping you network — it's making Microsoft's ad business more profitable.

What they claim: LinkedIn is a professional networking platform with data collection justified by connecting professionals.

What we found: After Microsoft's $26.2 billion acquisition, LinkedIn data flows into Microsoft's ad ecosystem. Profile data — job titles, industries, seniority — is used for targeting across Microsoft Advertising and Bing. Outside the EU, members are auto-opted into data sharing. LinkedIn Profile Targeting boosted click-through 16% and conversion 64%.

Security 2/4 MODERATE 2 findings
⚡ high · policy claims vs firmware analysis
In April 2021, data from 500 million LinkedIn users showed up for sale on a hacker forum. Two months later, it happened again — 700 million users, meaning virtually every person on the platform had their full name, email, phone number, and gender exposed. LinkedIn's response was to argue semantics: "It's scraping, not a breach." The distinction is meaningless to the 700 million people whose details were compiled into a searchable database and sold. LinkedIn's position: "We didn't lose your data, we just made it so easy to collect that someone vacuumed up all of it."

What they claim: LinkedIn claims to protect member data and prevent unauthorized access.

What we found: In June 2021, data from 700 million LinkedIn users appeared for sale on RaidForums — nearly the entire user base. Two months earlier, 500 million records had surfaced separately. LinkedIn downplayed both as scraping not breaching, but the data was aggregated and sold regardless.

⚡ high · policy claims vs regulatory findings
LinkedIn spent six years fighting hiQ Labs all the way to the Supreme Court to stop a small company from scraping publicly available profiles. LinkedIn won: hiQ was permanently banned, forced to delete all data, and ordered to pay $500,000. The stated reason: "protecting member privacy." During those same six years, LinkedIn was itself profiling the same members for targeted advertising without valid consent. The Irish DPC confirmed this with a EUR 310 million fine. LinkedIn successfully argued nobody else should exploit its users' data — while quietly exploiting it themselves. Member privacy was never the concern. Market exclusivity was.

What they claim: LinkedIn argues scraping violates its Terms of Service and harms member privacy, fighting hiQ Labs to the Supreme Court.

What we found: While fighting hiQ Labs for 6 years to prevent scraping of public profiles — winning a permanent injunction, forced data deletion, and $500,000 damages — LinkedIn was itself profiling every user for targeted advertising without valid legal consent per the EUR 310 million GDPR ruling.

Honesty 3/4 HIGH 1 finding
⚡ high · policy claims vs firmware analysis
LinkedIn says you're in control of your data. The Irish DPC proved you're not. The EUR 310 million fine found LinkedIn's consent mechanisms were not "freely given, sufficiently informed, specific, or unambiguous" — failing every single GDPR requirement. In practice, LinkedIn buries privacy controls deep in menus while placing data-sharing at maximum by default. European regulators ruled LinkedIn's "choice architecture" was designed to extract consent, not inform users. A billion people were tracked for six years under a consent framework that Europe's regulators found was never legally valid.

What they claim: LinkedIn claims users control their data with clear options to limit use.

What we found: LinkedIn uses dark patterns to maximize data collection. Privacy settings are buried deep while data-sharing toggles default to maximum collection. The EUR 310 million fine specifically found consent mechanisms were not freely given, sufficiently informed, specific, or unambiguous — failing every GDPR requirement.

Latest Risks & Threats
New developments that compound existing privacy concerns. 1 active threat.
THREAT: LinkedIn AI Trains on Your Posts and Messages · 💼 Employment · Launched 2024-09-18
LinkedIn quietly updated its privacy policy to use your posts, messages, and profile data to train AI models — then made it opt-out, not opt-in. By the time most users noticed, their professional history, salary negotiations, job searches, and private messages had already been processed. LinkedIn has 1 billion profiles. Microsoft now has the largest professional dataset on Earth feeding its AI, and you were enrolled without being asked.
What happened to real people
Documented incidents involving Microsoft products and user data.
First PRISM participant (2007). 31% of US legal demands come with secrecy orders — 1,974 gag orders in H1 2025 alone. Users never told their data was demanded. [source]
Storm-0558: Chinese hackers used a stolen Microsoft signing key to access US government officials' email accounts. Microsoft's own infrastructure was the attack vector. [source]
What your data is worth to governments
Microsoft complied with 6,288 government data requests in H1 2025. 31% of demands include secrecy orders. Microsoft has been a confirmed PRISM participant since 2007. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).