The General Data Protection Regulation (GDPR) is a European privacy law that imposes obligations on companies that collect and process EU residents’ personal data. One of the main requirements is that companies must obtain consent from users before collecting and processing their personal data. This has raised questions around whether certain tracking technologies, like the LinkedIn Insight tag, are GDPR compliant.
What is the LinkedIn Insight tag?
The LinkedIn Insight tag is a piece of lightweight JavaScript code that can be added to a website to enable tracking and analytics for LinkedIn ad campaigns. It allows advertisers to track conversions, retarget site visitors, build custom audiences, and unlock additional insights about visitors coming from LinkedIn.
When implemented, the Insight tag captures various data points like IP address, timestamp, URL of current page, referrer URL, etc. This information is then sent back to LinkedIn servers and matched with existing LinkedIn user profiles based on email hashes. It enables advertisers to understand the ROI of their LinkedIn ad campaigns.
Does the Insight tag require consent under GDPR?
The Insight tag does involve processing of personal data like IP addresses, which could indirectly identify an individual. Under GDPR, the use of such tracking technologies requires an appropriate legal basis like user consent, legitimate interests, contractual necessity, etc.
LinkedIn’s position is that implied consent from users is sufficient when implementing the Insight tag. The reasoning is that people voluntarily upload their professional data to LinkedIn and engage with Sponsored Content on the platform. So LinkedIn considers its ad tracking and targeting as part of providing an expected service to users under its terms of service.
However, many privacy advocates argue that this interpretation does not fully align with GDPR’s principles around consent. The regulation states consent must be freely given, specific, informed, and unambiguous. Simply having a LinkedIn account does not automatically mean specific consent for ad tracking through the Insight tag.
Is implied consent enough under GDPR?
The issue around implied consent has been debated extensively since GDPR came into effect. Here are some key considerations:
- GDPR does not explicitly prohibit implied consent in all cases, but it establishes a much higher bar compared to previous regulations.
- For sensitive data like health information, political views, sexual orientation, etc., explicit opt-in consent is definitely required under GDPR.
- For non-sensitive data, implied consent may be acceptable if it is very context-specific, limited in scope, and tied to a service where users have unambiguously opted in and been adequately informed.
- Most regulatory guidance emphasizes that consent should still be prominently displayed and require some affirmative action from users even in implied consent models.
So for non-essential tracking like the Insight tag, relying solely on implied consent from general T&Cs is risky under GDPR. The consensus view is that more granular, opt-in mechanisms for tag implementation are advisable.
How can companies comply with GDPR when using the Insight tag?
Here are some tips on using the Insight tag in a GDPR compliant manner:
Obtain opt-in consent
Adding a GDPR-compliant consent management platform to show a notice and obtain opt-in consent before the Insight tag loads is the safest approach. The consent platform should provide transparency into data usage and the ability for users to revoke consent.
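The opt-in gate described above, sketched as an added example (not LinkedIn's code or a consent platform's API): the tag script is injected only after an explicit "granted" value is stored, and withdrawal stops it loading on later pages. The storage key, the `createConsentGate` name and the placeholder script URL are assumptions; use the URL from your own vendor snippet.

```javascript
// Added example: load a third-party tracking tag only after opt-in consent.
const CONSENT_KEY = "marketing_consent"; // hypothetical storage key

function createConsentGate({ doc, storage, tagSrc }) {
  let scriptEl = null;

  // Only an explicit stored "granted" counts; no value means no consent.
  const hasConsent = () => storage.getItem(CONSENT_KEY) === "granted";

  function loadTag() {
    if (scriptEl || !hasConsent()) return false; // never without opt-in, never twice
    scriptEl = doc.createElement("script");
    scriptEl.async = true;
    scriptEl.src = tagSrc;
    doc.head.appendChild(scriptEl);
    return true;
  }

  return {
    // Call on every page load: loads the tag only if consent was given earlier.
    init: () => loadTag(),
    // Call from the banner's "Accept" button (an affirmative user action).
    grant() {
      storage.setItem(CONSENT_KEY, "granted");
      return loadTag();
    },
    // Call from the "Withdraw consent" control.
    revoke() {
      storage.setItem(CONSENT_KEY, "denied");
      if (scriptEl) {
        doc.head.removeChild(scriptEl);
        scriptEl = null;
      }
      // Code that already ran keeps running until navigation; the tag is
      // simply not loaded again on later pages.
    },
    isLoaded: () => scriptEl !== null,
  };
}

// Browser wiring (guarded so the file also runs outside a browser).
if (typeof document !== "undefined") {
  const gate = createConsentGate({
    doc: document,
    storage: window.localStorage,
    tagSrc: "https://TAG-SRC-PLACEHOLDER.example/tag.js", // placeholder URL
  });
  gate.init();
  window.consentGate = gate; // banner buttons call grant() / revoke()
}
```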
Limit data collection
Configure the Insight tag to only capture minimal data required for your use case. Avoid extraneous data collection beyond IP address and basic event tracking.
Anonymize IP addresses
The GDPR treats IP addresses as personal data. Anonymizing the last octet of IP addresses when capturing through the Insight tag can reduce privacy risks.
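Last-octet truncation, shown as an added example applied to addresses a site records itself (not a setting of the Insight tag). It goes beyond the text by also handling IPv6, where keeping only the first 48 bits is an assumption of this example; the log lines are constructed.

```javascript
// Added example: truncate client addresses before they are stored.
function anonymizeIp(ip) {
  if (ip.includes(":")) return anonymizeIpv6(ip);
  const parts = ip.split(".");
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) return null; // refuse to keep anything we cannot parse
  parts[3] = "0"; // zero the last octet
  return parts.join(".");
}

function anonymizeIpv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) return null; // "::" may appear at most once
  const compressed = halves.length === 2;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = compressed && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (compressed ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(compressed ? missing : 0).fill("0"), ...tail];
  // IPv4-mapped forms (e.g. ::ffff:1.2.3.4) fail this check and are rejected.
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  // Keep the first three groups (48 bits); zero the rest (assumed policy).
  return groups.slice(0, 3).map((g) => parseInt(g, 16).toString(16)).join(":") + "::";
}

// Constructed sample log lines; the first field is the client address.
const SAMPLE_LINES = [
  "203.0.113.57 GET /pricing",
  "2001:db8:abcd:12:3456::1 GET /contact",
  "not-an-ip GET /",
];

// Replace the address field; unparseable values become "-" rather than
// being stored verbatim.
function scrubLines(lines) {
  return lines.map((line) => {
    const [addr, ...rest] = line.split(" ");
    return [anonymizeIp(addr) ?? "-", ...rest].join(" ");
  });
}
```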
Delete data after use
Remove or aggregate Insight tag data that is no longer required for your processing activities. Only retain individual data for the minimum duration necessary.
Document diligence around tags
Maintain audit trails and impact assessments demonstrating how you evaluate and implement tracking tools like the Insight tag in a privacy-conscious manner compliant with GDPR principles.
Does LinkedIn provide any GDPR compliance support?
LinkedIn does make certain GDPR-specific assurances when it comes to use of customer data:
- LinkedIn offers options like Audience Restrictions and Matched Audiences Processing to limit use of Insight tag data for ad targeting.
- Its Marketing Developer Policy states that customers must have appropriate GDPR legal bases when using LinkedIn APIs and tags.
- LinkedIn’s GDPR compliance overview mentions that it supports compliance of its advertising products.
However, ultimately the compliance burden rests with the advertisers implementing the Insight tag. LinkedIn disclaims responsibility for customers’ GDPR compliance in its terms.
Key takeaways on Insight tag GDPR compliance
Here are the key takeaways on whether use of LinkedIn’s Insight tag is compliant with GDPR requirements:
- Reliance on implied consent from general T&Cs is risky for non-essential tracking like the Insight tag.
- Obtaining clear opt-in consent before tag implementation is advisable.
- Tag configurations should be privacy-conscious – collect minimal data, anonymize where possible, delete after use.
- Documented diligence and compliance processes are important.
- While LinkedIn offers some GDPR-specific options, responsibility ultimately lies with the advertiser.
With the right consent mechanisms and data practices in place, the Insight tag can likely be used in compliance with GDPR. But marketers must be careful and consult with legal counsel to fully understand their obligations.
Frequently Asked Questions
Is the LinkedIn Insight tag considered a cookie under GDPR?
No, the Insight tag is not a cookie. It is a piece of JavaScript code that runs client-side in the browser. The GDPR has regulations around consent for cookies and similar technologies, but the Insight tag is not technically a cookie.
Does use of the Insight tag require a Data Processing Agreement (DPA)?
It depends. If the Insight tag data is being used to make significant decisions about individuals, like targeted ad personalization, a DPA is advisable. For more basic website analytics, a DPA may not be legally required but is still a best practice.
Is GDPR enforced for websites based outside the EU that may collect data from EU residents?
Yes, GDPR applies extraterritorially. So websites based outside the EU still need GDPR-compliant consent mechanisms if they are targeting and collecting data from people in the EU.
What are the penalties for non-compliance with GDPR requirements?
GDPR penalties can be steep – up to 4% of global annual revenue or €20 million, whichever is higher. Fines take into account factors like violation severity, culpability, cooperation with authorities, and more.
Does use of the Insight tag require notifying Data Protection Authorities?
Not directly. The GDPR does not require proactively informing DPAs about use of technologies like the Insight tag. But violations related to the tag may need to be reported. Maintaining diligent compliance is critical.
Conclusion
The LinkedIn Insight tag is a valuable tool for marketers looking to optimize their LinkedIn advertising efforts and gain insights into conversion tracking. However, proper consent mechanisms and privacy-focused data practices are essential when implementing the tag to comply with GDPR regulations. With the right consent, transparency, data minimization and documentation safeguards in place, using the Insight tag in a GDPR compliant manner is certainly feasible for most advertisers.