linkedin.com privacy policy — score 55/100 (medium risk)

Last analyzed


LinkedIn · linkedin.com

Report details

medium risk

LinkedIn collects a vast amount of your data—including from your contacts, calendar, and across the web—uses it to train AI models with no clear opt-out, shares it extensively with Microsoft and advertisers, and retains it broadly, though EU users get some extra protections.

LinkedIn's global Privacy Policy is detailed but reveals expansive data practices. The company collects data from numerous sources (user-provided, inferred, from others, from third-party sites), uses it for AI model training without a clear opt-out, shares it widely with Microsoft affiliates and advertising partners, and retains it indefinitely while the account is open. EU/EEA users are directed to a separate European Regional Privacy Notice for additional rights. Cross-border transfer mechanisms are vaguely described. User rights are listed but tempered by broad retention exceptions.

Source URL
Length: 57,628 characters

Assessment by category

Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.

Data Minimization: poor

Collects extensive categories including calendar data, contacts from others' uploads, inferred attributes, and reserves the right to collect new types of data as services evolve (Section 1.9).

Transparency: fair

The policy is detailed and covers many areas, but its length and complexity make full comprehension difficult; key details are deferred to separate documents (Cookie Policy, EU Notice, Help Center links).

Third-party Sharing: poor

Extensive sharing with Microsoft affiliates for service development and advertising (Section 3.4), hashed IDs shared with non-affiliated advertisers (Section 2.4), and data shared with enterprise customers like employers (Section 3.1).

International Transfers: fair

Acknowledges cross-border transfers exist (Section 5.2) and references 'legally-provided mechanisms' but does not specify which mechanisms (SCCs, BCRs, DPF) are actually relied upon.

AI/Model Training: poor

Section 2 explicitly states personal data is used to 'develop and train artificial intelligence (AI) models' but provides no clear opt-out mechanism in the global policy; only a link to 'Responsible AI principles' is offered.

User Rights: fair

Section 4.2 describes access, deletion, correction, objection, and portability rights, and EU users are directed to additional rights, but broad retention exceptions (Section 4.3) and the complexity of settings limit practical effectiveness.

Key findings

Notable clauses, problems, or good practices (critical first)

Critical

AI model training on personal data without clear opt-out

Section 2 states LinkedIn uses personal data to 'develop and train artificial intelligence (AI) models.' The global policy provides no mechanism to opt out of this processing. While EU users may have objection rights under the separate European Regional Privacy Notice, the global policy is silent on any opt-out, raising concerns about lawful basis and proportionality for AI training.

Critical

Extensive data sharing with Microsoft affiliates

Section 3.4 reveals that LinkedIn shares personal data with Affiliates including Microsoft Corporation. This includes publicly-shared content 'to provide or develop their services' and personal data 'to improve, provide or develop their advertising services.' The policy also mentions referring queries to Bing in chat experiences. This creates a significant data flow within the Microsoft ecosystem that users may not fully understand or control.

Warning

Broad and vague data retention practices

Section 4.1 states LinkedIn retains personal data 'as long as you keep your account open' and will keep profiles open even if users only engage occasionally. Section 4.3 lists broad exceptions allowing data retention after account closure including 'legal obligations,' 'resolve disputes,' 'maintain security,' 'prevent fraud and abuse,' and 'enforce our User Agreement.' These exceptions are not time-bounded or narrowly defined.

Warning

Cross-border transfer mechanisms unspecified

Section 5.2 acknowledges that data is processed 'both inside and outside of the United States' and relies on 'legally-provided mechanisms to lawfully transfer data across borders.' The policy does not specify whether it uses Standard Contractual Clauses, the EU-US Data Privacy Framework, Binding Corporate Rules, or other mechanisms. This lack of specificity is a transparency concern under GDPR Articles 13(1)(f) and 46.

Warning

Third-party contact and calendar data collection without data subjects' consent

Sections 1.1 and 1.2 describe collecting calendar meeting information (times, places, attendees, contacts) and contact information when other users sync their calendars or upload contacts. The data subjects whose information is harvested through others' actions have no direct relationship with LinkedIn and may not be aware their data has been collected.

Warning

Tracking across third-party websites without engagement

Section 1.4 states that for users outside the Designated Countries, LinkedIn collects 'information about your device where you have not engaged with our Services (e.g., ad ID, IP address, operating system and browser information)' for ad targeting. While EU users may be protected by the European Regional Privacy Notice, the global policy permits tracking of non-users who have never interacted with LinkedIn.

Warning

Hashed IDs shared with non-affiliated advertisers

Section 2.4 under 'Info to Ad Providers' discloses that LinkedIn shares 'hashed IDs or device identifiers' with non-affiliated third-party advertisers. The policy notes these may constitute personal data 'in some countries' and that advertising partners can associate this with personal data they collect directly. This creates a linkage risk that could re-identify users across platforms.

Summary for the user

LinkedIn's business model depends on extensive data collection and sharing, especially for advertising and AI development. EU users have stronger protections, but the global policy leaves significant gaps around AI training opt-outs, specific transfer mechanisms, and meaningful data minimization.

Compliance posture

LinkedIn attempts GDPR compliance for EU users via a separate European Regional Privacy Notice and an Ireland-based controller, but the global policy itself lacks specificity on lawful bases per processing activity, AI training opt-outs, and transfer safeguards—creating potential compliance gaps for non-EU users and raising questions about the adequacy of the global framework.

EU transfers

The policy acknowledges cross-border transfers (Section 5.2) and states it 'relies on legally-provided mechanisms' but does not specify whether it uses Standard Contractual Clauses, Binding Corporate Rules, or the EU-US Data Privacy Framework. This vagueness is a compliance concern under GDPR Chapter V.

Detected signals

Specific data points and practices identified in the text

Data collected

  • Name
  • Email address
  • Mobile number
  • General location
  • Password
  • Payment and billing information
  • Education history
  • Work experience
  • Skills
  • Profile photo
  • Endorsements
  • Identity verifications
  • Calendar meeting information
  • Demographic data
  • Salary information
  • Survey responses
  • Resume and job application data
  • Contact information from others
  • Email header information
  • Usage and log data
  • IP addresses
  • Device identifiers
  • Cookie IDs
  • URL referrer data
  • GPS and precise location data
  • Message content and metadata
  • Search history
  • Inferred age and gender
  • Inferred interests and compensation bracket

Processing purposes

  • Service provision and personalization
  • AI model training and development
  • Targeted advertising on and off LinkedIn
  • Connection and network suggestions
  • Job recommendations and recruiter matching
  • Content ranking and feed personalization
  • Communication features including AI-assisted responses
  • Premium services for enterprise customers
  • Security and fraud prevention
  • Economic and workforce research
  • Legal compliance and investigations
  • Marketing and promotional communications

Third-party sharing

  • Microsoft and LinkedIn affiliates for service development and advertising
  • Non-affiliated advertisers via hashed IDs and device identifiers
  • Enterprise customers (employers) for workforce management
  • Service providers for maintenance, payments, fraud detection, and support
  • Third-party services linked by the user
  • Law enforcement and government agencies upon legal demand
  • Archival services for regulated members
  • Researchers for safety and compliance assessment

International transfers

  • Data processed both inside and outside the United States
  • Reliance on 'legally-provided mechanisms' for cross-border transfers
  • Specific transfer mechanisms (SCCs, BCRs, DPF) not identified
  • EU/EEA controller is LinkedIn Ireland Unlimited Company
  • Non-EU controller is LinkedIn Corporation (US-based)

AI / Model training

  • Personal data explicitly used to develop and train AI models
  • No opt-out mechanism described in the global policy
  • AI used for automated systems and inferences
  • Responsible AI principles referenced but not detailed in policy
  • Generative AI used for suggesting message responses

Evidence excerpts

Direct quotes from the policy supporting these findings

We may use your personal data to improve, develop, and provide products and Services, develop and train artificial intelligence (AI) models, develop, provide, and personalize our Services, and gain insights with the help of AI, automated systems, and inferences

We process data both inside and outside of the United States and rely on legally-provided mechanisms to lawfully transfer data across borders.

We generally retain your personal data as long as you keep your account open or as needed to provide you Services.

If you are outside the Designated Countries, we also collect (or rely on others, including Microsoft, who collect) information about your device where you have not engaged with our Services (e.g., ad ID, IP address, operating system and browser information) so we can provide our Members with relevant ads

We do not share your personal data with any non-Affiliated third-party advertisers or ad networks except for: (i) hashed IDs or device identifiers (to the extent they are personal data in some countries)

we may also share with our Affiliates, including Microsoft, your (1) publicly-shared content (such as your public LinkedIn posts) to provide or develop their services and (2) personal data to improve, provide or develop their advertising services.

Missing or unclear

  • No specific list of subprocessors or data processors
  • No specification of which legal transfer mechanism is used (SCCs, DPF, BCRs)
  • No clear opt-out for AI model training
  • No data retention periods specified beyond 'as long as account is open'
  • No detail on how long post-closure data is retained under each exception
  • No DPIA summary or reference
  • No detail on automated decision-making with legal effects under GDPR Article 22
  • No specification of which data categories are processed under which lawful basis

Questions to ask

  • What specific legal mechanism does LinkedIn rely on for EU-US data transfers (Standard Contractual Clauses, EU-US Data Privacy Framework, or Binding Corporate Rules)?
  • How can users opt out of having their personal data used for AI model training, and does this right extend to data already incorporated into trained models?
  • What are the specific retention periods for personal data retained after account closure under each exception listed in Section 4.3?
  • Where can users find the complete list of subprocessors and data processors with access to their personal data?
  • How does LinkedIn ensure that data subjects whose information is collected through others' calendar syncs and contact uploads are informed and can exercise their rights?
  • Does LinkedIn conduct Data Protection Impact Assessments for its AI training and advertising profiling activities, and can summaries be made available?
  • What specific safeguards prevent re-identification of users when hashed IDs are shared with non-affiliated advertisers?

This analysis is generated by AI and is not legal advice. Always consult a qualified legal professional for compliance decisions.
