CNIL imposed a fine of €240,000 on KASPR for multiple GDPR violations

CNIL of France has imposed a fine of €240,000 on KASPR for multiple GDPR violations linked to the unlawful collection and retention of personal data. 

KASPR, a company offering a Chrome extension to extract professional contact details from LinkedIn and other online sources, has faced regulatory action for its practices. Through its database of approximately 160 million contacts, KASPR enabled users to access contact information for purposes like recruitment, marketing, and identity verification. However, its methods sparked complaints and prompted an investigation by the CNIL, France’s data protection authority. The investigation uncovered several GDPR violations.

CNIL’s investigation revealed that KASPR’s Chrome extension facilitated the unlawful collection of restricted contact details.

The CNIL found that KASPR’s Chrome extension collected contact details of LinkedIn users who had restricted their visibility settings to 1st- and 2nd-degree connections, not just of users who had consented to their details being shared with anyone on LinkedIn. While LinkedIn users should be able to control how visible their contact details are, KASPR exceeded reasonable expectations by accessing and processing restricted data without proper authorization, violating Article 6 of the GDPR. Article 6 (1) (a) of the GDPR states that data processing is only lawful if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

CNIL also found that the company retained the personal data of individuals for a disproportionately lengthy period of time.

KASPR’s retention practices were deemed disproportionate. The company stored contact details for up to five years, renewing this period whenever individuals updated their information, such as changing jobs. This automatic renewal led to data being kept for longer than necessary, in breach of Article 5 (1) (e) of the GDPR, which mandates that personal data should only be retained for a period proportionate to its processing purpose.

Other GDPR violations by KASPR included transparency failures and violations of data subjects’ right of access to information.

Transparency failures were another major issue found by the CNIL. According to its investigation, KASPR only began notifying individuals about its data collection in 2022—four years after the GDPR came into effect. Notifications were sent via email and written exclusively in English, which the CNIL found insufficient for providing clear, accessible information to all affected individuals, as required by Articles 12 and 14 of the GDPR. In addition, when individuals asked how their data had been collected, KASPR offered insufficient explanations, stating only that the information came from publicly accessible sources. The CNIL ruled that KASPR should have disclosed the specific sources contributing to its database, which were already listed in its privacy policy. This failure to provide comprehensive responses violated Article 15 of the GDPR, which sets out data subjects’ right of access to information held by a data controller or processor.

CNIL imposed a fine of €240,000 on KASPR as well as mandatory corrective measures to which the company must adhere. 

In response to these breaches, the CNIL imposed a €240,000 fine on KASPR and mandated several corrective actions to be completed by June 18, 2025. These include ceasing the collection of data from individuals who restrict their visibility, deleting unlawfully collected data, limiting data retention periods, providing transparent notifications in a language users understand, and improving responses to data access requests. The CNIL’s decision not only enforces the GDPR but also empowers affected individuals to assert their rights. Those impacted by KASPR’s practices can object to the processing of their data, request its deletion, or seek further information. For businesses, this case is a cautionary tale, demonstrating the need to align data practices with legal and ethical standards in order to avoid significant penalties.

For professional assistance in navigating China’s data laws and achieving compliance, Aphaia’s team of experts can provide tailored solutions to help improve your practices through our Telecommunications Regulation and Policy and outsourced DPO services. Contact Aphaia today to find out more.
