The administrative penalties, which are worth around $335 million at current exchange rates, have been issued by Ireland’s Data Protection Commission (DPC) under the European Union’s General Data Protection Regulation (GDPR). The regulator found a raft of breaches, including beaches to the lawfulness, fairness and transparency of its data processing in this area.
The GDPR requires that uses of people’s information have a proper legal basis. In this case, the justifications LinkedIn had relied upon to run its tracking ads business were found to be invalid. It also did not properly inform users about its uses of their information, per the DPC’s decision.
LinkedIn had sought to claim (variously) “consent”-, “legitimate interests”- and “contractual necessity”-based legal bases for processing people’s information — when obtained directly and/or from third parties — to track and profile its users for behavioral advertising. However, the DPC found none were valid. LinkedIn also failed to comply with the GDPR principles of transparency and fairness.
This is really it. Businesses are about making money. If you want to change the way businesses behave, you have to change the financial incentives. You can condemn the capitalist greed motivation if you want, but that really only amounts to moralistic posturing, it doesn’t accomplish anything practical. It’s more useful to understand how businesses make decisions, and then adjust rules to incentivize the behavior you want and disincentivize the behavior you don’t want.
An ounce of prevention is worth a pound of cure.