CIO

LinkedIn's privacy slip-up draws legal scrutiny

Changes without user notification may breach European law

LinkedIn might have broken European law by changing privacy settings for its members without proper disclosure, legal experts assert.

The law requires that users explicitly consent to the use of their private data, the Dutch government watchdog College Bescherming Persoonsgegevens (CBP) said in response to questions by WebWereld, a Dutch IDG affiliate. Although the government body is unable to comment about specific cases including the LinkedIn case, a spokesperson for the privacy body said that "In general, we can say that settings for social networking sites by default have to be set to the advantage of the user's privacy. Requiring users to opt out doesn't qualify as consent."

Legal experts polled by Webwereld agree that LinkedIn likely violated the law when it changed the privacy settings for all its users last June. The new setting allows the social network to use the name and photos of its users in so-called social advertising. The move by LinkedIn drew little attention until last week, when users on blogs and Twitter denounced it for violating user privacy.

LinkedIn has defended the change in privacy settings by pointing out that the firm published two blog postings about the new policy. Every user also was presented with a banner ad that informed them about the changes. Responding to questions from WebWereld, the firm sent an e-mail statement referring to the blog postings and banner ads. LinkedIn declined to comment about the potential legal issues of the move.

In addition to potentially breaking Dutch law, the move by LinkedIn might also run afoul of European regulations. The European Data Protection Working Party on July 14 published an opinion stressing the need for explicit consent by the user and clarifying how this consent has to be obtained. LinkedIn has clearly violated the rules set forth in this document, said Milica Antic, a lawyer specializing in intellectual property matters for SOLV, a Dutch law firm.

"The Working Party might be overly strict in how it interprets the law, but it is obvious that LinkedIn has not followed the rules," Antic told Webwereld. LinkedIn has failed to clearly communicate the changes to its users, and failed to get a clear consent. "Personally, I've never seen the banner, and I haven't heard from anybody who has," Antic added.

Arnoud Engelfriet, a legal specialist focused on Internet law and privacy issues with ICTRecht, questions whether a banner qualifies as consent. He argues that LinkedIn should have presented its users with a pop-up window that forces the user to either opt in or opt out before they can continue navigating the website. "I seriously question if LinkedIn has acted within the law," Engelfriet said.

Both Engelfriet and Antic called upon CBP to launch a formal investigation into the matter. "CBP has previously been very strict towards Google and could choose to investigate this matter as well," said Engelfriet in a reference to a case where Google illegally collected data from Wi-Fi networks.

A spokesperson for CBP couldn't say if it would launch an investigation into LinkedIn's privacy changes. As a policy, the privacy watchdog doesn't comment about cases that it might have under investigation.