Both platforms have been accused of significant GDPR violations this week over their advertising practices. But experts say that steep fines may not be enough to deter bad behavior – and that more intensive remedies are needed.
This week, both Pinterest and LinkedIn have found themselves under the regulatory microscope over their data tracking practices.
Microsoft-owned LinkedIn on Thursday was slapped with a fine of €310m – about $336m – by the Irish Data Protection Commission (IDPC), Europe’s most active big tech regulatory enforcer, for privacy violations related to its tracking ads business.
The Commission identified a handful of breaches of the EU’s sweeping consumer privacy framework, the General Data Protection Regulation (GDPR) – including violations around the fairness and transparency of its data processing practices. The platform failed to adequately inform users about its practices, and the regulator determined that some of the company’s justifications for processing user data were invalid.
“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection,” the regulator’s deputy commissioner Graham Doyle said in a statement.
In addition to the fine, the Irish regulator issued an order to LinkedIn demanding that it come into full compliance with GDPR.
The company appeared surprised by the ruling. “While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline,” a LinkedIn spokesperson said in a statement.
GDPR penalties can be as steep as 4% of an organization’s global annual turnover.
It’s not LinkedIn’s first major privacy breach; in 2018, LinkedIn was found to have illegally acquired 18m email addresses and used them to serve targeted ads on Facebook in the US.
Just one day before the LinkedIn ruling, privacy rights organization Noyb accused Pinterest, known for its visual discovery engine, of violating the GDPR by failing to obtain explicit consent from users for tracking and profiling. Pinterest currently tracks all its 136 million European users by default for ‘ads personalization.’ In the EU, users need to manually switch off the setting if they don’t want to be tracked.
The dispute centers on the legal basis that Pinterest uses to process user data, known as ‘legitimate interest’ – which allows the processing of personal information if it is in the best interest of the individual or organization, even when not required by law. Noyb contends that Pinterest’s use of this basis for ad targeting is unjustified and infringes illegally on user privacy.
The privacy group cites a landmark 2023 ruling by the European Union’s Court of Justice that struck down Meta’s use of legitimate interest for targeted advertising; Noyb suggests that this decision cemented a precedent, and should necessitate that Pinterest secure explicit user consent for personalized advertising.
The complaint was filed with France’s data protection authority and seeks a fine as well as a requirement that Pinterest delete any unlawfully processed data.
Pinterest did not immediately respond to The Drum’s request for comment.
Both cases evidence the increasing challenges faced by tech companies and platforms in navigating the complex landscape of data privacy regulations.
In many ways, regulators are still refining the ways in which the law should be applied and enforced – which can create uncertainty for platforms. “These cases show that the GDPR, at eight years old, is still a living regulation, being interpreted and enforced in ways that many didn’t foresee [when it was adopted] in 2016,” says Joe Jones, director of research and insights at the International Association of Privacy Professionals (IAPP). “That’s especially true on issues relating to digital advertising, where there’s been a spate of enforcement over the past few years.”
Can the ad industry give up its bad habits?
The LinkedIn and Pinterest cases will certainly serve as warning bells for the digital advertising industry, which still relies heavily on user-level tracking for ad targeting and campaign measurement.
“When major social media platforms like LinkedIn and Pinterest come under fire for unethical data practices, the entire advertising industry is burned,” says David McInerney, commercial manager of data privacy at consent management platform Cassie.
Research conducted by Cassie indicates that 92% of consumers today believe that companies prioritize profits over data protection. “These rulings feed consumers’ distrust of advertising practices and put the onus on advertisers to define the industry’s methods,” McInerney says.
Despite the incentive to change, some experts expect that the industry will continue to drag its feet on the transition to more transparent, consent-based tracking methods, because under-the-radar, default-style tracking has for so long been the norm. And it continues to pay off in spades.
“The GDPR permits real penalties… at the same time, the value in personally targeted ads means that platforms will continue to push the regulatory limits, reading provisions like ‘legitimate interest’ to their own advantage until corrected by regulators,” says Mark Bartholomew, professor of law and vice dean for research and faculty development at University at Buffalo School of Law.
It’s an assessment shared by Dr. Rob van Eijk, managing director for Europe at the Future of Privacy Forum, a privacy-focused think tank. In his words, “The online advertising ecosystem is stubborn to change. This is partly because many of the data flows occur invisibly between companies’ servers. Even though ripple effects can be effective in deterring publishers, advertisers and platforms, it is still profitable for bad actors to continue just a bit more.”
To make matters worse, for tech companies with deep pockets, fines for breaking consumer privacy laws are sometimes seen as the requisite price of conducting business – and have little effect in deterring further violations.
For this reason, rulings that require companies to make real, material changes to the way they operate are more likely to prove effective, according to IAPP’s Jones. “While the monetary fines are significant – and increasingly so – the enforcement orders mandating changed business practices may stand to have greater impact,” he says. “Orders directing the cessation of personalized advertising, for example, will have a more profound impact than a fine, and will also impact the digital advertising ecosystem more broadly.”
Regulatory pressure exerted from a variety of angles can also help spur meaningful change in the ways that organizations collect, process, use and store consumer data, suggests van Eijk. He points to the US Federal Trade Commission’s increasingly common use of consent decrees – legally binding agreements between the agency and an organization to correct a violation – as an example. Both Meta and Google are bound to stringent consent decrees concerning their privacy practices.
Traversing a complex landscape
Though a variety of pressure sources could incentivize better privacy compliance, the patchwork of different regulations – and approaches to enforcement – can prove difficult to navigate.
As Jones puts it: “The EU’s GDPR, Digital Markets Act and Digital Services Act all govern issues relevant to the sector. The extent to which the different regulations and their different regulators can cohere an approach is not clear yet, making for more uncertainty for industry.”
Despite the complexity of the regulatory landscape, it’s worth noting that the Digital Markets Act, which came into force in 2022, has some similar requirements to GDPR, and both laws interpret consent and personal data in the same way. The overlap may help streamline compliance for some platforms.
In 2025, experts largely expect that we’ll see more aggressive regulatory enforcement of privacy laws globally, upping the stakes for publishers, platforms, advertisers and others in the business of data brokering.
To avoid potentially intensive fines and remedies, organizations “should aim to empower consumers by giving them more control over their own data,” says Cassie’s McInerney. There are a variety of means to do so, he explains. “This can look like implementing user-friendly interfaces that allow consumers to manage their data preferences, enabling features like consent management tools and providing clear opt-in and opt-out options. All of these methods show consumers that their trust is worthy of protection.”