TechTarget Much Better Positioned to Withstand Recession than in 2008

Technology Sales and Marketing Services vendor TechTarget ($TTGT) believes it is in a much stronger marketplace and revenue position than in 2008, the last recession not caused by a pandemic. It has shifted away from economically sensitive brand revenues to a “robust product suite, which allows us to address the evolving needs of our customers.”  As a result, brand revenues have declined from 30% of total revenue to 10% since 2009.

TechTarget is fundamentally much stronger than in 2008.  It has trebled its revenue over the past fourteen years and doubled its Adjusted EBITDA margin.  In 2009, the firm had virtually no long-term contracts; now, 42% of revenue is associated with longer-term contracts.  Other positive signs: TechTarget has grown its customer base from 1,000 to 3,200 customers and is much less reliant on legacy global customers, reducing its revenue share from 32% to 20%.  Furthermore, its largest customers have shifted from hardware to cloud and software vendors with subscription customers.  Whereas its top customers in 2009 suffered revenue downturns, its current customer base is more likely to struggle to grow revenue than to suffer declining revenue.

“The modernization of the sales and marketing organization is a strong and durable trend.  It is hard to compete in today’s IT market without a data-driven go-to-market strategy,” argued CEO Michael Cotoia on TechTarget’s Q3 earnings call earlier this month.  “As the leading provider of first-party purchase intent data in the enterprise IT market, we will continue to benefit from this trend.”

Priority Engine

Priority Engine, its subscription sales intelligence platform, grew revenues by 15% last quarter.  TechTarget will continue to invest in Priority Engine after doubling the number of engineers working on the product in 2022.

In 2023, Priority Engine will further bolster its Salesforce integration with “bi-directional data flow, campaign orchestration from within Priority Engine, additional program impact reporting, market insights to inform marketing and sales outreach, and alert-driven account and prospect intelligence for our sales users.”

Priority Engine also plans to ingest Salesforce data for analytics dashboards around ROI, open pipeline, and won/lost opportunities.   The dashboards will answer the question, “how do we set up our sales reps within our customers’ environment to make the most appropriate and relevant follow-up?”

“We also want to make sure that we are working with our customers to provide more insights across their total campaign with TechTarget, both on the sales side and on the marketing side.  So, what you’re doing with their lead generation and demand gen, their content, their branding, the visitors on their website to really bring that end-to-end view into Priority Engine to help fuel and help modernize…both sales and marketing.”

TechTarget CEO Michael Cotoia

The firm sees significant opportunity for growth in TechTarget’s sales-specific module, which is still in the early adoption phase as it was rolled out less than a year ago.

TechTarget does not break out the number of customers licensing Priority Engine or the Priority Engine sales module.  However, CFO Daniel Noreck said that the module is “growing nicely but still a small base.”

More broadly, the firm has 3,200 customers, but there are over 18,000 global technology companies with at least $50 million in annual revenue, providing plenty of market opportunity. 

“We believe most of those companies are good candidates for the Priority Engine sales module,” stated Cotoia.  “While we expect that our rollout to those customers will be slowed by macroeconomic weakness in the short term, we think the long-term opportunity is enormous.”

Content to Close

TechTarget’s fastest-growing service is Content Enablement which powers its Content to Close strategy.  In conjunction with its customers, TechTarget produced content “to fuel their marketing and sales outreach.”  The service is aligned with the growing focus on self-service research among younger purchasing and business professionals.

“Most technology companies’ current go-to-market strategy is very sales rep heavy. We believe this approach is going to need to transform in the coming years to adjust to the changing buyer dynamics.  The companies that win business will have a comprehensive content strategy to effectively influence buyers before their sales reps get involved.”

TechTarget CEO Michael Cotoia

The acquisitions of Enterprise Strategy Group (“ESG”) and BrightTALK have “uniquely positioned” TechTarget to support growing self-service requirements.  Content Enablement via these subsidiaries will continue to be an “aggressive” investment area.

TechTarget also believes it has a market advantage due to its opted-in, privacy-compliant intent data sets gathered from its B2B media websites and BrightTALK.  Cotoia argues that customer sensitivity to privacy issues and growing government regulations will offer an ongoing competitive advantage for its intent data from permission-based audiences owned and operated by TechTarget.  This advantage “will become even more apparent when Google eliminates third-party cookies.”

TechTarget will continue to look for acquisitions like BrightTALK and ESG that expand the firm’s product capabilities.  It is also interested in acquiring vertical media companies like Xtelligent Healthcare that expand the firm’s TAM into verticals that share similar attributes as Enterprise IT: significant purchase price, complex buying process, long lead times, and large buyer teams.

Healthcare Intent

TechTarget recently integrated Xtelligent Healthcare intent into Priority Engine, creating a sales intelligence solution for HealthTech and Healthcare.

Priority Engine for Healthcare Highlights for Top Accounts.

Priority Engine for Healthcare supports over 400,000 opted-in healthcare contacts, including Providers, Health Systems, Payers, Pharmaceuticals, Life Sciences, Accountable Care Organizations, and Federal/State Healthcare Agencies.  TechTarget claims that 90% of the US healthcare system is covered.  Xtelligent said its audience contains “70% Business & Finance Executives and Clinicians who have critical involvement across healthcare technology purchases that are becoming increasingly complex.”

To demonstrate confidence in the company, TechTarget began a new stock buyback program to repurchase up to $200 million in common stock and convertible debt over the next two years.

ZoomInfo Business Contact Preference Registry

ZoomInfo launched its Business Contact Preference Registry (BCPR), a centralized registry for recording B2B opt-out requests which will be shared across the industry.  The BCPR is ZoomInfo’s latest step in burnishing its data privacy positioning.

“The collection of data is central to businesses in the B2B data industry, but the responsibility of ethical data stewardship falls onto the shoulders of each individual company,” wrote the firm.  “As industry leaders in data privacy, ZoomInfo has made it easier for businesses in the B2B data marketplace to address the preferences of consumers by building, maintaining, and sharing access to the BCPR.”

“It’s critical for data-focused companies to prioritize privacy. The Business Contact Preference Registry offers businesses a convenient way to prioritize privacy by supplying the entire B2B data industry with a ready-made list of consumer opt-outs. We’re proactively sharing our opt-outs as an invitation to B2B companies to join us in putting privacy first.”

Bubba Nunnery, ZoomInfo’s Senior Director of Privacy and Public Policy

I had been flagging data privacy as a weakness in ZoomInfo’s model, which could slow their entry to the European market post-COVID, but they have been actively working to shore up their data privacy practices and demonstrate that they are respectful of the data they hold. 

ZoomInfo developed a proactive data compliance program based upon “notice and choice” that notifies business professionals about ZoomInfo’s data.  The program is global in scope, so it is not limited to countries that require notifications.  ZoomInfo also expanded its data privacy team earlier this year, naming Hannah Zimmerman as Privacy Counsel and Bubba Nunnery as Senior Director, Privacy and Public Policy.

ZoomInfo data privacy certifications

“Our business is founded on the trust our customers have in our data,” said General Counsel Anthony Stark back in March. “Collecting data is central to all businesses, and it’s our job to be ethical stewards of the data we hold.  ZoomInfo adheres to its core privacy tenets of transparency and control, showcasing that we are respectful of the rights of consumers while providing critical service to our customers.”

In May, ZoomInfo announced that it received GDPR and CCPA Practices Validation from TrustArc, saying that its policies “are in line with the strictest privacy regulations in the world.”

“Organizations of all sizes must become privacy-forward to earn the trust of their customers,” said Chris Babel, CEO, TrustArc. “ZoomInfo understands that building trust requires an ongoing, scalable approach to data privacy. The organization has consistently prioritized privacy as the enabler of a better experience for its customers and their subscribers, and the TrustArc GDPR and CCPA Validations reinforce that standing.”

“ZoomInfo is leading the way in data privacy.  We are working to accept opt-outs from other vendors as part of our efforts to elevate privacy standards across the B2B data industry.”

CEO Henry Schuck

The BCPR is an excellent idea, but I’m not sure whether the registry should be hosted by one of the major vendors in the space.  ZoomInfo plans on accepting opt-outs from other vendors, but it is unclear whether other vendors would promote ZoomInfo in the lead data collection role.  Preferably, it would be hosted by a government agency such as the FTC, which manages the US Do Not Call Registry, or a neutral body similar to the ICANN domain registry.  DataGrail, a leader in data privacy compliance, could administer an independent database across businesses and consumers.

MSD 365 Customer Insights Partnerships

Microsoft rolled out a set of enhancements to its Customer Insights CDP earlier this month, including a set of technology and data partnerships. I covered the functional enhancements yesterday.

“Organizations can automatically augment profiles with survey responses to truly uncover sentiment and drive detailed segmentation of customers, empowering agile actions that build brand loyalty and driving detailed understanding of customers,” said James Phillips, President of Microsoft Business Applications.  “Furthermore, organizations can enrich customer profiles with proprietary audience intelligence on brand affinity and user interests or by using third-party enrichments such as Experian and Leadspace.”

Leadspace supports B2B firmographic enrichment use cases, including industry codes, discrete and ranged sizing variables, geocodes, social media links, URLs, and standardized addresses.  Leadspace plans to include more advanced account-level insights such as company hierarchy and site-level details, as well as lead and intent scores, in future releases.  Firmographic updates may be processed daily or weekly with company matching performed by Leadspace.

The Leadspace data license is written on Leadspace paper and based upon the number of records under management.  Volume discounts apply.  When additional content sets are available, tiered pricing will be employed.

“We’ve been really honored to collaborate closely with the Microsoft Dynamics 365 Customer Insights team as their first B2B data enrichment partner and excited about the value it’ll bring our joint customers who want a single source of truth to fuel their sales and marketing efforts.  This offering goes a long way to helping them improve their ability to segment, prioritize, and personalize engagement across the customer lifecycle.”

Leadspace CTO Amnon Mishor

Experian supports consumer data enrichment spanning lifestyle segmentation, demographics, purchasing habits, brand preferences, life-event triggers, and mobile location data.  

Microsoft also rolled out a set of new Customer Insights integrations that “drive meaningful actions across the customer journey.”  Customer Insights is vendor-agnostic, “from ingesting data from any source to activating insights on multiple destinations.”  New partners include AutopilotHQ, Bing ads, dotdigital, Facebook, Google Ads, HubSpot, LiveRamp, Marketo, Mailchimp, and SendGrid (Twilio).

Phillips emphasized Microsoft’s commitment to data privacy and security “by enabling organizations to better control and secure sensitive data with data classification and permissions from Microsoft Information Protection.”  Organizations can “configure policies to classify, label, and protect data based on its sensitivity.”

Customer Insights pricing begins at $1,500 per tenant per month for up to 100,000 profiles.

CJEU Invalidates EU-US Privacy Shield Data Transfers

The Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield that allowed firms to transfer EU citizens’ private data to the United States for data processing.  The EU maintains stricter consumer data privacy laws that conflict with US security and legal policies.

“Today’s decision effectively blocks legal transfers of personal data from the EU to the US.  It will undoubtedly leave tens of thousands of US companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually,” said Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP).

The CJEU held that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”

“In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies…

The Court considers, first of all, that EU law, and in particular the GDPR, applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security. The Court adds that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR.

Regarding the level of protection required in respect of such a transfer, the Court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter. In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.

Regarding the supervisory authorities’ obligations in connection with such a transfer, the Court holds that, unless there is a valid Commission adequacy decision, those competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.”

“Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems,” 16 July 2020

The EU-US Privacy Shield was implemented several years ago after the CJEU held that the prior US Safe Harbor regime was insufficient.

Privacy advocate Max Schrems brought the cases that invalidated Safe Harbor and EU-US Privacy Shield.  Following the ruling, he stated:

“It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market…The Court clarified for a second time now that there is a clash of EU privacy law and US surveillance law.  As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people — including foreigners.  Surveillance reform thereby becomes crucial for the business interests of Silicon Valley…

This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws.  You can’t blame the Court to say the unavoidable — when shit hits the fan, you can’t blame the fan.”

Privacy Advocate and Plaintiff Max Schrems

“This leaves a huge question mark over data transfers to the US,” said Tanguy Van Overstraeten, partner and global head of privacy and data protection law at the law firm Linklaters.  “The Court has struck down the EU-U.S. Privacy Shield because it considers the US state surveillance powers are excessive.  For the thousands of businesses registered with the US Privacy Shield, this will be groundhog day; this is the second time the FTC-operated scheme has been struck down after the Shield’s predecessor — the Safe Harbor — was struck down in 2015.  Businesses will now look to EU regulators to propose some form of transition to allow them to move away from Privacy Shield without the threat of significant sanctions and civil compensation claims.”

The ruling also puts in question data transfers to Russia, China, and potentially the UK post-Brexit.

“The CJEU’s judgment could have implications for the UK’s prospects of gaining adequacy at the end of the Brexit transition period,” said Peter Church, counsel at Linklaters.  “This will necessarily involve an assessment of the UK’s surveillance powers under the Investigatory Powers Act 2016.  However, there are a number of differences between the UK and US regimes.  For example, the UK regime has already been reviewed by the European courts and a number of amendments have been made to bring it into line with European law.  In addition, the UK regime does not have the same distinction between UK and foreign nationals, unlike US law which does not grant the same rights to non-US citizens.”

“This is a bold move by Europe,” said Jonathan Kewley, co-head of technology at law firm Clifford Chance.  “What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted but those in the US cannot.”

Standard Contract Clauses (SCCs) may also be insufficient.  “If the law in the relevant country – let’s say the USA – could override what the contract says, they don’t work,” said Kewley.  “I don’t know how much appetite they have to do this, but it’s hard to imagine that any European regulator would say that SCCs work for the US, and the pressure will pile on for them to make the assessment.  I don’t think SCCs escaped the court’s judgement – for some key countries, it’s probably just a stay of execution.”

One likely impact will be the localized processing of EU consumer data within EU data centers.  Over 5,300 companies rely upon the EU-US Privacy Shield as part of their GDPR and broader EU compliance.  Companies that rely upon the Privacy Shield span a broad set of B2B data, DaaS, social networking, CDPs, and cloud companies.  These include ZoomInfo, Dun & Bradstreet (including Lattice Engines), Experian, Infogroup, TechTarget, Microsoft (including LinkedIn), Facebook, Twitter, Google, Amazon (including AWS), Oracle, Salesforce, HubSpot, Adobe (including Marketo), LiveRamp, Melissa, TowerData, 6Sense, Leadspace, SalesLoft, Outreach, Groove, VanillaSoft, Yesware, and ConnectLeader.

Firms are also likely to ramp up their GDPR and CCPA compliance messaging, but that does not address the weaker data privacy structures of US law.

CCPA Now in Effect

The California Consumer Privacy Act (CCPA) went into force this week, but enforcement will be delayed for six months.  “We’re going to help folks understand our interpretation of the law,” said California Attorney General Xavier Becerra.  “And once we’ve done those things, our job is to make sure there’s compliance, so we’ll enforce.”

Microsoft indicated that CCPA will be used as a national standard. Microsoft has already extended EU GDPR compliance globally and called privacy “a fundamental human right.”

“CCPA marks an important step toward providing people with more robust control over their data in the United States,” wrote Microsoft’s Chief Privacy Officer Julie Brill.  “It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.”

CCPA requires firms to be transparent in how they collect and use consumer data.  Individuals also have the option to block sales of personal data.  However, “Exactly what will be required under CCPA to accomplish these goals is still developing,” wrote Brill.

Microsoft supports a national privacy law that would cover “more robust accountability requirements” including minimizing data collection, transparency around how data is being used, and “making them more responsible for analyzing and improving data systems to ensure that they use personal data appropriately.”

Facebook is hedging, saying “we do not sell people’s data” without acknowledging that its business is based on monetizing member data and that it has a poor history of controlling partner data collection on its platform.

Salesforce CEO Marc Benioff called Facebook the “new cigarettes for our society,” which undermines societal trust.  On CNN’s Reliable Sources, Benioff called for Facebook to be regulated or split up.  “They’re certainly not exactly about truth in advertising.  Even they have said that.  That’s why we’re really in squarely a crisis of trust, when the core vendor themselves cannot say that trust is our most important value.  Look, we’re at a moment in time where each one of us in every company has to ask a question: What is our highest value?”

“I expect a fundamental reconceptualization of what Facebook’s role is in the world,” continued Benioff.  “When you have an entity that large with that much potential impact, and not fundamentally doing good things to improve the state of the world, well, then I think everyone is going to have it in its crosshairs.”

LinkedIn Restates Its Members-First Principles

In a blog titled, “Maintaining the Trust of our Members,” LinkedIn recommitted itself to a members-first approach.  The Microsoft subsidiary frames its decision-making with the question, “Is this the right thing to do for our members?”

Along with a members-first policy, LinkedIn employs four principles to frame decisions:

  • Members maintain clarity, consistency, and control over their data. This goal is manifested in a broad set of privacy settings, observing the stated wishes of each member, and protecting their data.  Microsoft employs a global GDPR standard and does not transfer member data to other companies.  For example, LinkedIn Sales Navigator limits data access to member-data view-only access, which displays profiles within CRMs and other partner applications but does not transfer data to those platforms.
  • LinkedIn will remain a safe, trusted, and professional platform.  The firm removes content which violates their Professional Community Policies and removes fake profiles, jobs, and companies.
  • LinkedIn is committed to removing unfair bias from its platform so that individuals with equal talent have equal access to opportunity.  “To achieve this goal, we are committed to building a product with no unfair bias that provides opportunity to all of our members.  There is a lot of work still to do, but we are focused on working across our company, with our members and customers, and across the industry to close the network gap.”
  • As a global platform, they are committed to respecting the laws that apply to them and “contributing to the dialogue” about legal frameworks.

LinkedIn Advertising is subject to an initial review.  LinkedIn vets ads to ensure they are non-discriminatory:

“Even if legal in the applicable jurisdiction, LinkedIn does not allow ads that advocate, promote, or contain discriminatory hiring practices or denial of education, housing, or economic opportunity based on age, gender, religion, ethnicity, race, or sexual preference.  Ads that promote the denial or restriction of fair and equal access to education, housing, or credit or career opportunities are prohibited.”

Blake Lawit, LinkedIn General Counsel

The statement of principles comes at a time when other social media firms are struggling to develop rules and policies around political advertising. LinkedIn does not carry political advertising and also restricts adult content, illegal, health, gaming, weapons, multi-level marketing, alcohol, tobacco, and financial (payday loans, cryptocurrency) products.  

LinkedIn continues to grow its customer base with 660 million members across 200 countries and 30 million companies.  The top countries are the United States (165M members), India (62M), China (48M), Brazil (40M), and the UK (27M).

LinkedIn maintains offices in nine US cities and 24 international locations. The platform supports 24 languages.

LinkedIn Concerned about Tech Regulations

LinkedIn CEO Jeff Weiner raised concern about a tide of tech regulation following recent data privacy scandals.  Of particular concern is the impact of removing tech company immunity for the content shared by users under Section 230 of the Communications Decency Act.  If the Section were removed, social networks would be forced to proactively censor posts.

“Even if the [technology] industry were to do greater self-regulation, you’re going to see more regulatory oversight.”

Just as the wide use of algorithms has provided a megaphone to misinformation and fringe social media, regulation can have unintended consequences.  “The unintended consequences work both ways,” said Weiner.  “Companies make decisions only with the best of intentions, and there are unintended consequences of those decisions.  But from a regulatory perspective, I think it’s the same thing.”

“You could stifle a lot of innovation.  You could stifle a lot of openness.  You could stifle a lot of the things that create value by virtue of changing these liability rules and laws. That is just almost a canonical example of where these unintended consequences would really proliferate.  The things companies would need to do to ensure that they were protected is going to hurt the way in which people can communicate with one another.”

LinkedIn CEO Jeff Weiner

LinkedIn operates in China, where it is subject to censorship.  The firm decided to enter the market as its mission is to create economic opportunity globally.  “The censorship issue in China is always a painful one,” he said.  “It has to be navigated and managed in the context of the broader vision.”  While LinkedIn is advocating for Section 230, its parent company has taken a pro-regulatory view on data privacy, calling for an American version of GDPR.  Microsoft has built GDPR into the infrastructure of its platforms.

Court Rules LinkedIn Scraping Legal

In a Ninth Circuit Court ruling last week, the Court sided with hiQ Labs, which had been barred from accessing LinkedIn for the purposes of scraping public profiles.  hiQ Labs, a data analytics company that identifies employees who may be looking to depart, won a preliminary injunction against LinkedIn.  This is the second court which has evaluated the case and sided against the Microsoft subsidiary.

LinkedIn argued that scraping after a cease-and-desist letter was “without authorization” under the federal Computer Fraud and Abuse Act (CFAA), but hiQ Labs argued that the content was public and that scraping public data was not akin to hacking.

The Court ruled that “there is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do.”

The Court continued, “LinkedIn invokes an interest in preventing ‘free riders’ from using profiles posted on its platform.  But LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles.”

The National Law Review summarized the case:

Most notably, the Ninth Circuit held that HiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA.

In light of this ruling, data scrapers, content aggregators and advocates of a more open internet will certainly be emboldened, but we reiterate something we advised back in our 2017 Client Alert about the lower court HiQ decision: while the Ninth Circuit’s decision suggests that the CFAA is not an available remedy to protect against unwanted scraping of public website data that is “presumptively open to all,” entities engaged in scraping should remain careful. The road ahead, while perhaps less bumpy than before, still contains rough patches.  Indeed, the Ninth Circuit cautioned that its opinion was issued only at the preliminary injunction stage and that the court did not “resolve the companies’ legal dispute definitively, nor do we address all the claims and defenses they have pleaded in the district court.”…

On appeal, the parties offered dueling visions of what the law surrounding the CFAA and scraping should be:

LinkedIn: “[A]uthorization from LinkedIn—the server’s owner—is ‘needed’ to avoid CFAA liability, regardless of whether those servers also host data that LinkedIn generally makes available on its website.  hiQ lacked that required “authorization” once LinkedIn sent hiQ its cease-and-desist letter and implemented additional technological barriers restricting bot access.”

HiQ: “LinkedIn does not grant permission to access its public content because those pages are, by definition, open for all to see and use.  hiQ, like any other Internet user, simply requests LinkedIn’s public pages, and LinkedIn’s servers automatically provide them.  There is no “authorization” for LinkedIn to revoke.  Reading the statute in accordance with the language’s ordinary significance, “without authorization” refers to circumstances where authorization is a prerequisite to access.”

National Law Review

Intentional access without authorization under the CFAA generally covers hacking and employee access after permission has been rescinded.  As public profiles are not subject to passwords, whether the CFAA applied was in question.

“It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA,” wrote the Court.  “The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system.  HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.”

Thus, the ruling supports web scraping of public sites.  What it doesn’t address is whether harvesting member data to generate datasets that counter the interests of social media sites and their members is against the public interest.  This may be more of a public policy question than a legal one.  Members join LinkedIn for the purposes of professional networking, job searching, and self-marketing.  While public LinkedIn does not publish emails or direct dials, it includes work and educational histories, interests, affiliations, and other personal content.  Furthermore, it is easy to guess at emails, making it fairly trivial to assemble email files for spammers.  It is very possible that the HiQ Labs ruling conforms with US law but, due to the Personally Identifiable Information being gathered, runs counter to the European GDPR.  The result could well be the loss of public LinkedIn profiles or a thinning of publicly posted profiles.

The Court focused on the CFAA and did not evaluate other arguments when granting relief.  “State law trespass to chattels claims may still be available.  And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie,” stated the Court.

Orin Kerr, a law professor at UC Berkeley, called the ruling a “major decision for the open internet.  It doesn’t establish that scraping websites is completely legal, but it goes a long way toward establishing that it’s not a federal crime.”

In the case of HiQ, they offer predictive attrition models which could result in individuals not being hired or employees not being promoted.  “Keeper is the first HCM tool to offer predictive attrition insights about an organization’s employees based on publicly available data,” says the firm.  While some high-value employees may enjoy additional leverage due to these models, others may be mistrusted.  

One could imagine other detrimental use cases, such as credit companies tracking employment and lowering credit scores, which would mean higher interest costs and a lowered ability to find a job.  The end result would be decreased transparency and truthfulness on LinkedIn.

As such, the scraping of LinkedIn data could undermine the trust members have in LinkedIn or limit the permissions granted to LinkedIn.  If LinkedIn played fast-and-loose with member data, it would have less standing, but LinkedIn does not permit downloading of member data to Excel or the uploading of member data to CRMs.  Sales Navigator treats member data as view-only in its SNAP connectors.  Thus, LinkedIn is placing data privacy rules on itself that it cannot place on third parties that gather LinkedIn data.  More broadly, parent company Microsoft has committed itself to GDPR as a global data privacy standard.

Analyst David Raab of the Customer Data Platform Institute had a tongue-in-cheek view of the case: “In what I like to think of as CSI: Obvious Division, a federal appeals court ruled that LinkedIn can’t block scraping of published member data because people had no expectation of privacy for their public profiles.  It’s rather amazing LinkedIn thought they could win with that one.”

GDPR First Anniversary (Is Your Data More Secure?)


As GDPR hit its first anniversary on Saturday, Microsoft once again called for a US privacy law which shifts the onus of data privacy from the individual to corporations.  Today, Americans operate in an opt-out regime which requires them to find and manage their privacy settings.

“This places an unreasonable — and unworkable — burden on individuals,” wrote Microsoft’s Deputy General Counsel Julie Brill.  “Strong federal privacy should not only empower consumers to control their data, it also should place accountability obligations on the companies that collect and use sensitive personal information.”

Microsoft prefers a single federal standard to piecemeal state-level laws such as California’s CCPA.  Brill said the legislation should be interoperable with the GDPR to help reduce the “cost and complexity of compliance.”  This framework should reflect “the changing understanding of the right to privacy in the United States and around the world.”  The proposed legislation should “uphold the fundamental right to privacy through rules that give people control over their data and require greater accountability and transparency in how companies use the personal information they collect.”

“For American businesses, interoperability between U.S. law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing—and even conflicting requirements—for privacy protection in the countries where they do business,” said Brill.

According to eMarketer analyst Ross Benes, the US ad industry has shifted from a call for self-regulation to supporting national privacy regulations, fearing “a patchwork of different rules” as “legislation looks increasingly inevitable.”

A TrustArc/Ipsos survey of UK adults (16 – 75) found a 36% improvement in trust concerning personal data since GDPR went into effect.

Source: TrustArc / Ipsos GDPR Survey of 2,230 UK adults (May 2019)

A Snow study found that 39% of global business professionals believe their data is better protected since GDPR passed, with the biggest increase in the APAC region (48%).  40% of Europeans also believed their personally identifiable information is more secure, but only 30% in the US held the same belief.

74% of surveyed professionals believe that the technology industry needs more regulation, with 83% of APAC and 72% of US respondents wanting additional tech regulation.

The EU has yet to strictly enforce the law, with only one large fine ($56M) levied against Google in France.  However, Google and the social media and advertising companies are all subject to ongoing suits:

The latest investigation — the first by the Irish watchdog into Google — brings to 19 the number of open cases by the regulator targeting big U.S. tech companies. They include probes into Apple Inc., Twitter Inc., eight probes into Facebook Inc., plus one into Instagram and two into WhatsApp.

Los Angeles Times, “Google could face hefty EU fine over possible privacy violations,” May 22, 2019

“What is important to recognize is that the EU is taking GDPR very seriously, with fines being established for any breach,” said Ben Feldman, SVP of strategy and innovation at NYIAX.  “I would expect that the first six-to-nine months of any new regulation action would be spent working out the kinks and processes of implementation.  It is quite likely that we will see more fines in the coming months.”

Quora: Does LinkedIn Sell Your Info?

The following is a Quora post answering the question, “Does LinkedIn Sell Your Info?”


This is likely to fall into a semantics question. If data is employed in the aggregate and your personally identifiable information is not disclosed, then I would argue that your information is not sold. Likewise, if you are presented an ad because your LinkedIn profile conforms with a target audience definition, your data is also not being sold.

I can’t answer for LinkedIn Recruiter, but can answer in the Sales and Marketing context.

LinkedIn offers a sales product called Sales Navigator. Users can view company and contact information on Navigator just as they can on the free service. It even supports viewing this data within third-party SNAP products. However, Navigator and SNAP are view only. Sales reps cannot download your profile or sync it with any of their partner platforms. They also restrict display of your email and phone information to your direct connects as well as other content you flag as restricted.

LinkedIn Marketing sells advertising on LinkedIn and Bing based upon your profile attributes. Advertisers define their target audience across a broad set of firmographic, career, and location variables, but these segments are not provided directly to the marketer. Instead, they are used for advertising display. Thus, your data isn’t sold, just your eyeballs.

LinkedIn treats its members’ data with respect. Microsoft, its parent company, has called for a US version of GDPR, the European data privacy standard. CEO Satya Nadella stated that “privacy is a fundamental human right” on an April 2018 earnings call and said that the firm has implemented an “end-to-end privacy architecture” which is GDPR compliant.

The LinkedIn SNAP AppExchange connector displays LinkedIn content and functionality within Salesforce, but does not sync any company or contact data with SFDC.