In a bid to gain more members, professional networking site LinkedIn obtained the email addresses of 18 million non-members and targeted them with Facebook ads, violating data privacy protections, according to a recent investigation from Ireland’s Data Protection Commissioner (DPC).

The investigation was opened by a non-LinkedIn user in Ireland, who filed a complaint involving LinkedIn’s obtaining and using their email address for such targeted advertising, according to the DPC report. The DPC concluded that LinkedIn Ireland’s data processor in the US, LinkedIn Corporation, had processed hashed email addresses of about 18 million non-members and targeted these individuals on Facebook, without permission from LinkedIn Ireland.

SEE: EU General Data Protection Regulation (GDPR) policy (Tech Pro Research)

The DPC informed LinkedIn of its findings, and the tech giant ceased processing user data for ad targeting. An audit of LinkedIn following the incident found that LinkedIn Corporation was still using its algorithms to create suggested professional networks for non-members, again likely to get more people to join the platform.

As a result, LinkedIn Ireland (as data controller of EU user data) instructed LinkedIn Corporation to stop this “pre-compute processing,” according to the report, and to delete all personal data associated with it before May 25, 2018–when the General Data Protection Regulation (GDPR) went into effect in the EU. Since this occurred before GDPR implementation, LinkedIn was not fined.

LinkedIn has long faced criticism for exactly how its algorithms suggest “other users you may know” on the platform, and what data it can access. Shortly after GDPR went into effect, it was named in a privacy complaint from French digital rights group La Quadrature du Net, as reported by our sister site ZDNet.

At that time, a LinkedIn spokesperson told ZDNet that it always aims to give its members control over the data it collects and how it is used and shared. “We have approached GDPR as an opportunity to reinforce our commitment to data privacy for all members globally,” the spokesperson said.

LinkedIn currently has more than 562 million members. It remains unknown how the company obtained the 18 million email addresses of non-members. But if the company wants to gain new members and adhere to privacy laws, it’s going to need to find a new tactic.

The big takeaways for tech leaders:

  • LinkedIn obtained the email addresses of 18 million non-members and targeted them with Facebook ads, according to a DPC investigation.
  • LinkedIn has since stopped this practice to adhere to GDPR.