Viva la revolución: LinkedIn profile visitor lists belong to the people, says Noyb
GDPR Article 15 doesn't care if you want to make money by selling users' data back to them
Brandon Vigliarolo
Published Tue 5 May 2026 // 21:31 UTC
A LinkedIn feature the average non-paying user likely only glances past could end up setting a legal precedent in the EU regarding how companies treat customer data that they've processed.
Take a look at your LinkedIn profile, if you have one, and you'll see a space where you can look at profile viewers. For premium LinkedIn users, the list of people who visit one's profile goes back 365 days and includes names, job title and employer, and an easy link to the person's profile, unless they've toggled their visibility off for privacy reasons.
Non-premium LinkedIn users, on the other hand, don't get nearly the same level of visibility on their profiles. If you don't fork over cash to LinkedIn owner Microsoft each month for the privilege, you'll just see things like "12 people found you through the homepage," or that someone with a certain job title from a certain company was scoping out your LinkedIn page.
Clicking anything on the free user list redirects you to a LinkedIn premium signup page or search results for employees at one of the aforementioned companies.
One unnamed LinkedIn user refused to accept this lesser status, and approached Microsoft to exercise their GDPR Article 15 right to a copy of their personal data processed by LinkedIn. "Processed" can mean a variety of things, including something as broad as simply hosting a particular type of information.
LinkedIn rejected the request on the grounds that protecting that data took precedence. Now the data protection warriors at EU privacy outfit Noyb ("none of your business") are getting involved.
"Selling data to its own users is a popular practice among companies," Noyb data protection lawyer Martin Baumann said of the case. "In reality, however, people have the right to receive their own data free of charge."
Take a look at the language of Article 15, and it's pretty clear: data subjects (i.e., users) have the right to a copy of any and all data concerning them that's been processed by the provider. A full list of profile visitors seemingly should fall under Article 15 data – even if it's normally reserved for paying users and presented to them in a nicer way, it should still be accessible to free users who actually request it.
LinkedIn didn't appear to believe that it was doing anything wrong at all. In a clear denial of facts that are obviously apparent to any non-paying LinkedIn user, including the writer and both editors who worked on this story, a LinkedIn spokesperson told us, "Not only is it incorrect that only Premium members can see who has viewed their profile, but we also satisfy GDPR Article 15 by disclosing the information at issue via our Privacy Policy." The first part of that statement is false, as you can see from the screenshot above. Given the obvious untrustworthiness of that half of the statement, we didn't bother wasting any time trying to evaluate the second part.
Noyb acknowledges there's a clear bit of legal fuzz stuck in this corner of the GDPR when it comes to premium service offerings.
"If any business processes a person's personal data, this information is generally covered by their right of access under the GDPR," Baumann told The Register. "It does not matter that the business would prefer to sell the data to the data subject or that it would be harmful for their business model if they would."
There's only one exception in Article 15 that would give LinkedIn an out, Baumann told us, and that's the last paragraph, which says a person's right to their data can't adversely affect the rights and freedoms of others. Were LinkedIn to argue that it had to protect the identities of people who visited a data subject's profile, they could have an excuse. But not a good one, in Baumann's opinion.
"Since LinkedIn does provide information about profile visits to paying Premium members, it cannot consider that disclosing the data would adversely affect the rights of the visitors whose data is disclosed," the Noyb lawyer explained. "Otherwise, providing this information to Premium users would be unlawful too."
What seems to be the sticking point here is where right of access begins and a company's right to make money off data they hold (data that was, ahem, supplied by users) ends. Baumann said he hopes this case can clear the legal air.
"We expect a clarification concerning the fact that personal data that can be accessed when a user pays for it is also covered by their right of access," he explained.
Think of it like this: LinkedIn has every right under the GDPR to take data it has about profile visitors, package it up, add analytics, and present it in its most useful form to those willing to pay the platform for such a premium service. But a masochistic user who wants to rawdog a CSV file of the same data should have the right to do that, too - and GDPR Article 15 gives it to them.
It's not just LinkedIn, either. Baumann said there are numerous other cases where similar legal clarification would be appreciated, citing the example of a bank that is unwilling to provide access to account statements in response to a GDPR request, but is happy to hand over similar data for a fee.
"A precedent would be welcomed," Baumann said. ®