LinkedIn sued over charging for profile visitor data that GDPR says must be free

Key facts

• noyb filed a complaint on May 5 with the Austrian Data Protection Authority (DSB) against LinkedIn.
• LinkedIn offers a paid Premium subscription that reveals the names of profile visitors from the past 365 days.
• A user requested the visitor list via GDPR Article 15 but LinkedIn refused, citing privacy of other members.
• noyb argues that since LinkedIn already obtains consent to track visitors, it cannot withhold the data when access is requested.
• Martin Baumann, noyb data protection lawyer, stated: 'It is absurd that companies only recognize data protection when they want to sell data.'
• The complaint seeks both full access to the requested data and a deterrent fine against LinkedIn.
• LinkedIn allows users to browse profiles anonymously; those who do not opt for anonymity consent to being tracked as recipients.
• The CJEU has previously ruled that 'recipients' under Article 15(1)(c) must be disclosed upon request.

A premium feature that clashes with European privacy law

LinkedIn, the Microsoft-owned professional network, is facing a formal complaint from the privacy advocacy group noyb (None of Your Business) for charging users to see who has viewed their profiles — data that the group argues must be provided for free under the European Union's General Data Protection Regulation. The complaint, filed Tuesday with the Austrian Data Protection Authority (DSB), centers on LinkedIn Premium, a paid subscription that unlocks the full list of profile visitors from the previous 365 days. Free users see only vague hints, such as 'a recruiter' or 'three other people,' and are prompted to upgrade to Premium to learn more. '270 people have viewed your profile in the last 90 days,' the platform might display, but identifying those visitors requires payment. noyb contends that this practice violates Article 15 of the GDPR, which grants individuals the right to access all personal data a controller holds about them.

A user's request met with refusal

The case originated with a LinkedIn user who first attempted to download their data using the platform's built-in export tool. When the visitor list was not included, the user submitted a formal access request via LinkedIn's contact form, only to be rebuffed. After a follow-up, LinkedIn responded that it was not obliged to disclose data about other members — namely, the identities of profile visitors — because that information belonged to those third parties, not the requesting user. Yet the same data is made available to any user who pays for Premium. For noyb, this creates an untenable double standard. 'If these data are displayed as part of a Premium subscription, they should also be accessible upon request under Article 15 of the GDPR,' the association said in a statement.

The legal argument: recipients must be disclosed

noyb's legal reasoning hinges on Article 15(1)(c) of the GDPR, which explicitly requires controllers to provide information about 'the recipients or categories of recipients' to whom personal data have been or will be disclosed. the Court of Justice of the European Union has already confirmed this interpretation in a landmark ruling. Furthermore, noyb points out that LinkedIn itself offers users the option to browse profiles anonymously. Those who do not enable this setting, the argument goes, implicitly consent to being treated as 'recipients' of the profile owner's data — namely, the fact that they visited. That consent, once given, undermines any claim that disclosing their identity would violate their privacy. 'Protection of the rights and freedoms of others can certainly justify not disclosing shared personal data,' said Martin Baumann, a data protection lawyer at noyb. 'However, if a company has obtained the necessary consent and is clearly willing to make the same data available for payment, that argument no longer holds.'

A broader pattern of monetizing access rights

The complaint highlights a wider trend of companies charging users to exercise their GDPR rights. From credit agencies demanding fees for access requests to airlines imposing charges for correcting names on tickets, businesses have long treated data access as a revenue opportunity — despite the regulation's clear prohibition on such fees. LinkedIn's Premium feature is a particularly stark example, noyb argues, because the company actively tracks profile visits and uses that data to upsell its subscription. The group estimates that millions of users are affected, though LinkedIn has not disclosed how many pay for Premium. 'LinkedIn tracks profile visits. Indeed, visitor data is, to some extent, shared data between visitors and those whose profiles are visited,' Baumann said. 'It is absurd that companies only seem to recognize the importance of data protection when they want to sell data.'

What the complaint demands

noyb is asking the Austrian DSB to order LinkedIn to comply with the user's original access request and to impose a deterrent fine to prevent future violations. The group has not specified an amount, but under the GDPR, fines can reach up to 4% of annual global turnover — which for Microsoft, LinkedIn's parent company, could amount to billions of dollars. The authority now has up to two months to acknowledge receipt of the complaint and begin its investigation. If it finds in noyb's favor, LinkedIn could be forced to either provide the visitor data for free or stop collecting it altogether. LinkedIn has not publicly commented on the complaint. The company previously told media that it takes its privacy obligations seriously and that Premium features are designed to enhance the user experience — a position that noyb dismisses as a pretext for monetizing personal data.

A test case for the boundaries of paid data access

The outcome of this complaint could have far-reaching implications for the business models of social networks and other platforms that rely on selling access to user-generated data. If the DSB rules that data available behind a paywall must also be provided for free under Article 15, companies across Europe may need to rethink how they structure premium features. For now, noyb's action serves as a reminder that the GDPR's access right is not merely a bureaucratic formality but a tool that can challenge commercial practices. 'The sale of data to its own users is a very widespread practice among companies,' Baumann said. 'In reality, people have the right to receive their own data for free.' As the Austrian authority weighs its decision, privacy advocates and tech companies alike will be watching closely — not just for the fate of LinkedIn Premium, but for the broader principle of whether data can be sold back to those who generated it.

The bottom line

• noyb has filed a GDPR complaint against LinkedIn for charging users to see profile visitors, arguing the data must be free under Article 15.
• LinkedIn refuses to disclose visitor identities in access requests, citing third-party privacy, yet sells the same data via Premium subscriptions.
• The complaint relies on Article 15(1)(c) and CJEU case law requiring disclosure of 'recipients' of personal data.
• LinkedIn allows anonymous browsing; users who don't opt in consent to being tracked, undermining privacy objections.
• The Austrian DSB can impose fines up to 4% of Microsoft's global turnover if it finds LinkedIn in violation.
• The case tests whether companies can monetize GDPR access rights by hiding data behind paywalls.