Understanding the French Supervisory Authority’s €240,000 Fine Against Kaspr for Data Scraping


On January 10, 2025, the French Supervisory Authority (CNIL) imposed a fine of €240,000 on Kaspr, a data enrichment and lead generation tool, for unlawful data scraping activities. This enforcement action, highlighted by the European Data Protection Board (EDPB), underscores regulators’ increasing attention on how companies harvest and reuse publicly available personal data—and reaffirms the principle that mere availability of personal data online does not equate to free, unrestricted use under the General Data Protection Regulation (GDPR).


1. Who Is Kaspr and What Happened?

Kaspr is a tool that allows sales and marketing teams to gather business prospects’ information—such as names, email addresses, phone numbers, and LinkedIn profiles—to streamline outreach. By integrating with social media and professional networking platforms, Kaspr helps its clients quickly locate and verify contact data.

In this instance, however, the CNIL (Commission nationale de l'informatique et des libertés) determined that Kaspr’s collection and processing of personal data fell short of GDPR requirements. The central finding was that Kaspr’s browser extension harvested contact details of LinkedIn users who had restricted the visibility of those details to their own connections, so the data was not in fact publicly available at all. Kaspr had neither a valid legal basis for collecting and reselling that data nor informed the people concerned.


2. The Core GDPR Violations

The CNIL investigation, and the resulting fine, hinged on a handful of GDPR obligations that Kaspr was found to have breached:

  1. Lack of a Valid Legal Basis (Article 6 GDPR)
    • Personal data may only be processed on one of the legal bases listed in Article 6: consent, contract, legal obligation, vital interests, public interest, or legitimate interests.
    • Kaspr relied on legitimate interests, but the CNIL found that this basis could not cover contact details that LinkedIn users had deliberately hidden from people outside their network. Those users could not reasonably expect their details to be harvested and resold, so the balancing test that legitimate interest requires failed, and no consent had been obtained either.
  2. Excessive Retention (Article 5(1)(e) GDPR)
    • The storage limitation principle requires that personal data be kept no longer than necessary for the purpose of the processing.
    • The CNIL found that Kaspr kept contact data for up to five years, a period it considered disproportionate for a prospecting database.
  3. Failure to Provide Adequate Information to Data Subjects (Articles 12–14 GDPR)
    • GDPR mandates transparency. Data controllers must inform individuals, clearly and comprehensively, about how their data is collected, why it is processed, how long it is stored, and with whom it might be shared. Article 14 applies specifically where the data was not obtained from the individual, which is the scraping case.
    • Kaspr did not notify individuals that their data had been collected and was being used for commercial prospecting. As the CNIL noted, the fact that data was accessible online does not remove the obligation to inform data subjects about its collection and processing.
  4. Not Honoring Individuals’ Rights (Articles 15–22 GDPR)
    • The GDPR grants individuals various rights: access, rectification, erasure (right to be forgotten), restriction of processing, data portability, and the right to object, among others.
    • Scraping operations make it difficult for individuals to exercise these rights, particularly when they do not know their data is being processed. The CNIL found that Kaspr did not respond fully to access requests, in particular by failing to tell requesters where their data had been obtained.
  5. Privacy by Design and Default (Article 25 GDPR)
    • GDPR also obliges data controllers to build data protection principles into a processing activity from the outset.
    • According to the article’s reading of the decision, Kaspr did not incorporate privacy safeguards when building and deploying its data scraping tool, resulting in indiscriminate or excessive data collection.

3. Why Is This Fine Significant?

  1. Clear Stance on Data Scraping
    Data scraping is a common practice among lead generation services, social media analytics companies, and data aggregators. This penalty emphasizes that GDPR obligations do not vanish just because the data is publicly accessible. Organizations cannot bypass transparency and user rights simply by pointing to the public nature of the source.
  2. Increasing Regulatory Enforcement
    Regulatory authorities across Europe have signaled that they will continue—or even intensify—scrutiny of companies that scrape and resell personal data. Recent decisions and guidance from the EDPB reinforce the idea that personal data found on LinkedIn, Twitter, or other open platforms is still protected under GDPR.
  3. Financial Consequences for Non-Compliance
    Fines under the GDPR can reach up to 4% of a company’s annual global turnover or €20 million (whichever is higher). Although €240,000 is a modest figure in comparison to some high-profile fines, it is significant for a smaller technology provider and serves as a deterrent to others in the lead generation or data-enrichment space.
  4. Relevance for B2B Data Tools
    Many companies that rely on scraping or third-party enrichment are marketing B2B data solutions. This ruling shows that business-focused data is not automatically exempt from GDPR protection. Even if data is related to professional identities or corporate roles, it can still be personal data under GDPR if it identifies a natural person.

4. Key Takeaways for Businesses

  1. Due Diligence in Data Collection
    Organizations that collect data from online platforms—whether via scraping or API-based integrations—must ensure they have a valid legal basis. Conduct a thorough GDPR compliance analysis to confirm your chosen basis (e.g., legitimate interests or consent).
  2. Implement Transparent Policies
    • Provide clear, user-friendly notices and privacy policies that detail data sources, processing purposes, and retention periods.
    • Ensure you can demonstrate these notices are easily accessible and that data subjects are informed promptly.
  3. Facilitate Data Subject Rights
    • Build robust processes for responding to access requests, erasure demands, and objections.
    • Make these rights visible on your website and ensure compliance teams are trained to handle requests within GDPR deadlines.
  4. Respect Privacy by Design and Default
    • Incorporate privacy protections from the start of any data-centric project.
    • Adopt technical safeguards that limit data collection to only what is necessary for defined purposes.
  5. Monitor Regulatory Guidance
    • Keep abreast of CNIL and EDPB guidelines. Regulations around data scraping and lead generation will continue to evolve.
    • Seek legal counsel or a Data Protection Officer’s advice to navigate complex compliance issues, especially if your business model hinges on scraping or large-scale data harvesting.

5. The Road Ahead

In the wake of this enforcement action, Kaspr may need to overhaul its data-gathering practices, align with GDPR obligations, and ensure adequate transparency for individuals. The CNIL’s decision also sends a broader signal that EU regulators will not hesitate to investigate and fine companies—big or small—when data subjects’ rights are potentially compromised.

Moreover, as technology advances, automated scraping tools are likely to become more sophisticated. Regulators will continue refining their guidelines for how personal data can be lawfully extracted, stored, and used from publicly accessible sources. Businesses must therefore remain vigilant and proactive in their compliance efforts.

Below is an overview of other notable data scraping and unlawful data harvesting cases worldwide, illustrating that this issue extends well beyond France and the Kaspr enforcement. While the specifics differ—ranging from facial recognition tools to lead-generation scrapers—each case emphasizes that “publicly accessible” data is not a free-for-all under data protection and privacy laws.


Clearview AI (Multiple Jurisdictions)

Key Jurisdictions Involved: United Kingdom, France, Italy, Greece, Australia, Canada, and others
Nature of Scraping: Facial recognition technology scraping billions of images from social media and other public websites

Overview

Clearview AI, a company specializing in facial recognition software, compiled a massive database of over three billion images scraped from publicly accessible websites and social media platforms like Facebook, Twitter, and YouTube. Numerous regulators around the globe determined that Clearview AI breached privacy and data protection regulations by collecting images without a valid legal basis or adequate notice to data subjects.

Key Regulatory Actions

  • United Kingdom (ICO): In May 2022 the Information Commissioner’s Office fined Clearview AI more than £7.5 million and ordered it to stop obtaining, and to delete, the data of UK residents. Clearview appealed, and in October 2023 the First-tier Tribunal held that the ICO lacked jurisdiction because Clearview’s clients were foreign law-enforcement bodies; the ICO in turn appealed that ruling, so the UK enforcement remained contested for some time.
  • France (CNIL): The CNIL ordered Clearview in December 2021 to stop processing and to delete the data of individuals in France. When Clearview did not comply, the CNIL fined it €20 million in October 2022 and, in May 2023, imposed a further €5.2 million overdue penalty.
  • Italy (Garante): The Italian Data Protection Authority fined Clearview AI €20 million in March 2022 and banned further processing of data on people in Italy.
  • Greece (HDPA): The Hellenic Data Protection Authority also fined Clearview AI €20 million in July 2022.
  • Netherlands (AP): In September 2024 the Dutch Data Protection Authority fined Clearview AI €30.5 million, with additional periodic penalties for continued non-compliance.
  • Australia (OAIC): The Office of the Australian Information Commissioner found in November 2021 that Clearview’s scraping breached the Privacy Act and required it to stop collecting and to delete facial images of people in Australia.
  • Canada (OPC): In February 2021 the federal Privacy Commissioner and the provincial commissioners of Quebec, British Columbia and Alberta jointly concluded that Clearview violated federal and provincial privacy laws.

Global Significance: Clearview’s worldwide scrutiny highlights how large-scale scraping—even for seemingly advanced technologies like facial recognition—remains subject to strict data protection rules, including consent and transparency obligations.


hiQ Labs vs. LinkedIn (United States)

Key Jurisdiction: United States (Federal Court – Ninth Circuit)
Nature of Scraping: Automated collection of publicly available LinkedIn user profiles

Overview

hiQ Labs, a people analytics company, scraped LinkedIn user profiles (public sections) to build “people analytics” products, including employee turnover predictions. LinkedIn attempted to block hiQ, arguing that the scraping violated its Terms of Service and constituted unauthorized access under the Computer Fraud and Abuse Act (CFAA).

  • District Court & Ninth Circuit: In 2017 the district court granted hiQ a preliminary injunction, and the Ninth Circuit affirmed in 2019, holding that LinkedIn was unlikely to succeed on its CFAA theory because “without authorization” is a poor fit for information a website makes available to anyone without an account or password.
  • Supreme Court and remand: In June 2021 the U.S. Supreme Court vacated that decision and sent the case back for reconsideration in light of Van Buren v. United States, which adopted a narrow “gates-up-or-down” reading of the CFAA. On remand in April 2022 the Ninth Circuit reaffirmed its view that scraping publicly accessible pages is unlikely to violate the CFAA. The dispute then turned on contract rather than the anti-hacking statute: in November 2022 the district court ruled that hiQ had breached LinkedIn’s User Agreement, in part by using fake accounts to scrape, and the parties settled in December 2022 with hiQ consenting to a permanent injunction against further scraping of LinkedIn.

Key Takeaway: hiQ’s case is about unauthorized access under U.S. federal law and about contract terms, not about privacy violations under GDPR-like statutes, and it ended with hiQ winning on the CFAA point but losing on contract. It is a pivotal example of the legal complexities around scraping public-facing data, and it illustrates the difference in approach: EU regulators ask whether the personal data itself is lawfully processed, while the hiQ–LinkedIn dispute centered on whether the access was authorized and the terms of service were honored. A scraper can therefore clear the CFAA bar in the U.S. and still be unlawful under GDPR for the same activity.


Meta (Facebook) vs. Data Scrapers (Multiple Cases)

Key Jurisdiction: Primarily United States, but global user base impacted
Nature of Scraping: Unauthorized harvesting of Facebook and Instagram user data

Overview

Over the years, Meta (formerly Facebook) has filed multiple lawsuits against entities scraping user data from its platforms. In some instances, third-party developers or “data marketing” companies used automated bots to harvest profile information, friends lists, and other personal data without user consent and in violation of Facebook’s Terms of Service.

Notable Examples

  • Company A (2018): Sued for using bots to scrape millions of Facebook user profiles and publicly posted personal details.
  • Company B (2021): Accused of lifting Instagram user data and selling it as marketing leads to external brokers.

Key Takeaway: Although Meta sues scrapers primarily under breach of contract (violating Terms of Service) and sometimes under U.S. anti-hacking laws, these cases illustrate that the fight against scraping can cut both ways. Meta has also faced regulatory scrutiny for its own data handling (e.g., Cambridge Analytica scandal), proving that data scraping remains a major privacy concern whether it’s done by outside “scrapers” or inadvertently enabled by large platforms themselves.


Cambridge Analytica (United States & United Kingdom)

Key Jurisdiction: United States (Federal Trade Commission) and the United Kingdom (ICO)
Nature of Scraping: Harvesting of Facebook user data through deceptive app permissions

Overview

Although not a classic “scraping” operation—because data was collected via an app rather than purely web scraping—Cambridge Analytica’s scandal is often cited in the same breath. The data analytics firm used a quiz app to gather extensive Facebook profile data, not just from consenting users but also from their friends, without explicit permission.

Regulatory Actions

  • US FTC: In July 2019 the Federal Trade Commission imposed a $5 billion penalty on Facebook (now Meta) for privacy violations including those exposed by the Cambridge Analytica affair; Cambridge Analytica itself had gone bankrupt in 2018.
  • UK ICO: The ICO fined Facebook £500,000 in October 2018, the maximum available under the Data Protection Act 1998 because the conduct predated the GDPR, and its wider investigation into Cambridge Analytica’s practices led to closer oversight of political profiling and microtargeting.

Key Takeaway: This high-profile episode drew global attention to how personal data—public or not—can be misused for targeted political advertising and profiling. While different from pure automated scraping, it reinforced the principle that collecting personal data en masse without transparency or valid consent is legally risky.


Other European DPAs Cracking Down on Scraping

Germany

German data protection authorities have indicated growing scrutiny of data brokers and analytics companies that mine publicly available sources like business registers and social media. While there have not been as many headline-grabbing fines as with Clearview AI, ongoing investigations signal a tightening stance.

Spain

The Spanish Data Protection Authority (AEPD) has also taken action against companies scraping personal data from websites like job portals or classified ads without adequately informing data subjects or obtaining a valid legal basis.


Lessons Learned from Global Enforcement

  1. Public Does Not Equal Free
    Across jurisdictions, regulators and courts alike stress that data being publicly accessible online does not allow companies to bypass consent or other legal bases under privacy laws.
  2. Transparency & Notices Are Paramount
    Regardless of the method of collection, individuals must be informed about who is collecting their data, why, how long it will be stored, and how they can exercise their rights.
  3. Varying Legal Frameworks
    • EU: Enforcement is driven by the GDPR (and local DPAs), with a strong emphasis on consent, legitimate interest, and data subject rights.
    • US: Cases often center on the Computer Fraud and Abuse Act (CFAA), contract law (Terms of Service), or consumer protection laws. Federal privacy legislation is still piecemeal, leaving room for state-level or sector-specific rules.
  4. Potentially Massive Fines
    Under GDPR, fines can reach up to €20 million or 4% of a company’s worldwide annual revenue—whichever is higher. Major tech firms can face multi-million or even multi-billion euro penalties for large-scale violations.
  5. Impact on Tech & AI
    As artificial intelligence and machine learning rely heavily on large datasets, regulators are increasingly examining how companies acquire and handle training data—particularly if it involves personal identifiers.

Conclusion

From Clearview AI’s facial recognition controversies in Europe and Australia to LinkedIn’s U.S. court battles with hiQ Labs, global regulators and courts are tackling the legality of data scraping head-on. Despite differences in legal frameworks, the core message is consistent: Scraping personal data—whether from social media, professional networks, or public registries—requires respecting privacy and data protection principles.

Ultimately, whether you are a data broker, analytics startup, or large tech platform, ensuring robust compliance (especially around consent, transparency, and data subject rights) is crucial to mitigating legal and reputational risks. Cases like Kaspr in France, Clearview AI globally, and hiQ Labs in the U.S. serve as cautionary tales that data scraping is far from a “wild west.” Regulators worldwide are paying close attention—and taking concrete enforcement action—when personal data is harvested unlawfully.


The €240,000 fine levied against Kaspr highlights the critical importance of GDPR compliance when it comes to data scraping and subsequent use of personal data. Even if the information is publicly available, companies must have a lawful basis for processing, provide transparent notices, and respect individuals’ rights under the GDPR.

For any organization operating in or targeting the EU, this case serves as a compelling reminder: public data is not “free” data—and failure to comply with fundamental data protection principles can lead to significant regulatory and reputational fallout. By embedding privacy by design, improving transparency measures, and reinforcing data governance practices, businesses can reduce their risk and align with the GDPR’s high standards for personal data protection.



Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific concerns, consult a qualified legal professional or your organization’s Data Protection Officer.
