LinkedIn – Court Ruling (Germany, 2023)
LinkedIn faced a court ruling for ignoring users' 'do not track' signals and using pre-ticked consent boxes for data processing. This is significant because it stresses the importance of respecting user privacy choices.
What happened
LinkedIn was found to have used cookies and ignored users' requests not to track their online activities.
Who was affected
LinkedIn users whose personal data was processed without proper consent.
What the authority found
The court ruled that LinkedIn violated GDPR by not respecting users' 'do not track' signals and using misleading consent practices.
Why this matters
This case emphasizes that companies must respect user privacy preferences and be transparent about data collection practices.
GDPR Articles Cited
National Law Articles
The plaintiff in this case is a German consumer protection association (Verbraucherzentrale Bundesverband e.V.), while the defendant is LinkedIn Ireland Unlimited Company, an Irish social media company operating throughout the EU and worldwide. The plaintiff found that the defendant's website uses cookies and other technologies, such as fingerprinting, that automatically process personal data and monitor users' behavior for analytics and marketing purposes. In its privacy notice of 2018, the defendant clearly stated that it ignores “do not track” (DNT) signals on its users’ browsers. DNT is a browser setting that users can activate to request that websites not track their online activities. The defendant claimed it would not react to DNT signals, as there was no established “DNT standard” yet.
Firstly, the plaintiff claimed that the use of DNT signals constitutes an expression of users' right to object under Article 21(5) GDPR to processing activities carried out for marketing purposes under Article 6(1)(f) GDPR, and that the defendant should stop ignoring such signals, as doing so constitutes an unfair commercial practice.
Secondly, the plaintiff found that when a user first sets up a LinkedIn account, the “off-LinkedIn visibility” option is usually pre-activated, which means that users' personal data is shown on the defendant’s partner websites. According to the plaintiff, this constituted a violation of Article 6(1)(a) GDPR, the third sentence of Article 25(2) GDPR and Article 4(11) GDPR, as well as provisions of the German Federal Law against deceptive commercial practices (Bundesgesetz gegen unlauteren Wettbewerb, UWG, https://www.gesetze-im-internet.de/uwg_2004/). Further, the plaintiff asserted in this respect that the defendant wrongfully relied on Article 6(1)(f) GDPR as a legal basis and acted contrary to Article 5(1)(a) GDPR and Article 5(1)(c) GDPR. After the defendant rejected the plaintiff’s warning letter, the p
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (3)
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Cases (0)
No other cases found for LinkedIn in DE
This is the only recorded case for this entity in this jurisdiction.
Cite as: Cookie Fines. LinkedIn - Germany (2023). Retrieved from cookiefines.eu