>_ datagobes.dev
Privacy Audit #01

linkedin.com

5.1
POOR

Privacy Audit — linkedin.com · 6 trackers · 21 cookies

TL;DR

Three Things to Know

Reject actually works
Clicking Reject stops all trackers — 0 tracking fires post-reject vs 6 post-accept. The consent mechanism meaningfully controls data collection.
Fingerprinting before consent
Five fingerprinting APIs (WebRTC, MediaDevices, WebGL, AudioContext) fire from LinkedIn's own CDN before any consent interaction — an ePrivacy Art. 5(3) concern.
11 cookies before you choose
Including bcookie (tracking, 1 year) and PerimeterX cookies — all set before the consent banner is even acknowledged.

Consent Mechanism

Banner Blueprint

LinkedIn Custom (artdeco)
"LinkedIn and 3rd parties use essential and non-essential cookies to provide, secure, analyze and improve our Services, and to show you relevant ads on and off LinkedIn. Learn more in our Cookie Policy. Select Accept to consent or Reject to decline non-essential cookies for this use."
Reject
Accept
Accept: standard · Reject: standard
Equal button treatment: Accept and Reject are identical primary buttons — no visual bias
First-layer reject: Reject is immediately available without navigating to settings
No granular toggles: Binary accept/reject only — no per-category consent control
No revocation mechanism: No visible way to withdraw consent after accepting; settings link leads to logged-in area
Pre-consent cookies: 11 cookies including bcookie (tracking) set before any consent interaction
No granular toggles
necessary marketing
Global Privacy Control (GPC)
✓ Signal sent ✗ Site reads signal
UX Fairness

Fairness Scale

Whether the consent interface makes it equally easy to accept or reject tracking.

Scale: Reject-biased · Balanced · Accept-biased
Accept Path
Button size: Standard
Colour: Blue primary
Position: Inline with reject
Reject Path
Button size: Standard
Colour: Blue primary
Visibility: First layer
No dark patterns detected — Accept and Reject are equally prominent
Consent Delta

Before vs After Consent

How many cookies exist before you interact with the banner vs after clicking Accept.

Before Consent

11 cookies
essential 2
functional 1
tracking 1
unknown 7
0 trackers · 8 domains
◉ cookies ◉ indexedDB
+10 cookies +6 trackers 1.9× increase

After Accept

21 cookies
essential 2
functional 1
tracking 2
unknown 16
6 trackers · 16 domains
◉ cookies ◉ indexedDB
Audit Trail

What Happens Before You Click Anything

Network requests fired before any user interaction — these happen without consent.

Phase 1 — Page Load (no interaction)
t+0ms: Page load begins (www.linkedin.com)
t+320ms: CDN stylesheet loaded (static.licdn.com)
t+531ms: Tracking pixel fires pre-consent (ponf.linkedin.com)
t+544ms: PerimeterX bot detection iframe (li.protechts.net)
t+552ms: Google Sign-In widget loaded (accounts.google.com)
t+556ms: Microsoft Sign-In widget loaded (edge-auth.microsoft.com)
t+623ms: PerimeterX client script (client.protechts.net)
t+660ms: PerimeterX timezone check (tzm.protechts.net)
t+664ms: PerimeterX telemetry beacon (collector-pxdojv695v.protechts.net)
t+684ms: Google Fonts loaded (fonts.gstatic.com)
Audit Trail

What Happens After Accept

New requests triggered immediately after clicking Accept All.

Phase 2 — Post-Consent
t+1.0s: Adobe Audience Manager ID sync (dpm.demdex.net)
t+1.2s: Barometric/trkn.us conversion pixel (trkn.us)
t+1.2s: Meta Pixel fires PageView event (www.facebook.com)
t+1.5s: Adobe Audience Manager destination sync (lnkd.demdex.net)
t+1.7s: DoubleClick cookie sync (GDPR=0) (cm.g.doubleclick.net)
t+1.8s: Bing UET cookie sync (GDPR=0) (c.bing.com)
t+5.2s: Google Play logging (play.google.com)
Reject Scenario

What Happens When You Say No?

0 trackers persist
2 cookies persist
Reject honoured
bcookie · .linkedin.com · tracking: Set pre-consent before banner loads; not gated by consent mechanism
_pxvid · .protechts.net · unknown: PerimeterX bot detection cookie set on page load; outside CMP scope

Persisting cookies were set pre-consent or fall outside CMP scope — not a consent violation.

Audit Trail

What Happens After Reject

Requests that still fire after explicitly clicking Reject — these shouldn't exist.

Phase 2 — Post-Reject
Consent Variants

Ignore vs Accept vs Reject

Side-by-side comparison of what gets loaded depending on your consent choice.

Trackers: No Interaction 0 · Accept All 6 · Reject All 0
Cookies: No Interaction 11 · Accept All 21 · Reject All 11
3rd Parties: No Interaction 8 · Accept All 16 · Reject All 8
Rejecting eliminates all 6 trackers and prevents 10 new cookies — reject is fully honoured for consent-gated tracking
Tracking Systems

Who's Watching?

Adobe Audience Manager · dpm.demdex.net, lnkd.demdex.net · Data Management · Gated (post-consent)
Meta Pixel · www.facebook.com · Advertising · Gated (post-consent)
Barometric (trkn.us) · trkn.us · Analytics · Gated (post-consent)
DoubleClick · cm.g.doubleclick.net · Advertising · Gated (post-consent)
Bing UET · c.bing.com · Advertising · Gated (post-consent)
LinkedIn Tracking Pixel · ponf.linkedin.com · Analytics · Active pre-consent
1 active pre-consent
5 gated post-consent
Cookie Lifespan

Persistence Bars

Marketing & Tracking (8 cookies)
IDE · .doubleclick.net · 1.1yr
MUID · .bing.com · 1.1yr
bcookie · .linkedin.com · 1.0yr
demdex · .demdex.net · 6mo
dextp · .demdex.net · 6mo
dpm · .dpm.demdex.net · 6mo
aam_uuid · .linkedin.com · 1mo
MR · .c.bing.com · 7d
Analytics (3 cookies)
barometric[cuid] · .trkn.us · 1.0yr
AMCV_*@AdobeOrg · .linkedin.com · 6mo
AMCVS_*@AdobeOrg · .linkedin.com · Session
Functional (1 cookie)
lang · .linkedin.com · Session
Essential (2 cookies)
JSESSIONID · .www.linkedin.com · Session
__cf_bm · .linkedin.com · Session
Unknown (7 cookies)
bscookie · .www.linkedin.com · 1.0yr
li_alerts · www.linkedin.com · 1.0yr
_pxvid · .protechts.net · 1.0yr
li_gc · .linkedin.com · 6mo
lidc · .linkedin.com · 1d
pxcts · .protechts.net · Session
_px3 · .protechts.net · Session
Cookie Audit

Declared vs Observed Purpose

Whether cookies are used for the purpose the site claims in its consent banner.

Cookie · Declared · Observed
bcookie · Functional (browser ID) · Tracking
li_gc · Functional (consent) · Unknown
JSESSIONID · Essential (session) · Essential
lidc · Functional (routing) · Unknown
bscookie · Essential (secure browser ID) · Unknown
_pxvid · Not disclosed · Unknown (PerimeterX)
IDE · Not disclosed (3rd party) · Marketing (DoubleClick)
3 match
4 mismatch
Network Activity

Request Pulse

Volume of third-party network requests per domain, split by consent phase.

static.licdn.com: 38
edge-auth.microsoft.com: 7
trkn.us: 6
fonts.gstatic.com: 4
accounts.google.com: 3
dpm.demdex.net: 3
collector-pxdojv695v.protechts.net: 2
lnkd.demdex.net: 2
cm.g.doubleclick.net: 2
play.google.com: 2
www.facebook.com: 1
c.bing.com: 1
Legend: Essential / CDN · Pre-consent · Post-consent
Browser Fingerprinting

API Interception Heatmap

Browser fingerprinting techniques detected — these work even without cookies.

Severity: HIGH
WebRTC.RTCPeerConnection · PRE · 2
MediaDevices.enumerateDevices · PRE · 2
WebGL.getExtension(WEBGL_debug_renderer_info) · PRE · 4
WebGL.getParameter · PRE · 12
AudioContext.OfflineAudioContext · PRE · 2
Pre-consent (5)
Data Transfers

Transfer Circuit

Where your data travels — each destination's jurisdiction and legal safeguards.

🌐 linkedin.com
static.licdn.com · US · 38 reqs
edge-auth.microsoft.com · US · 7 reqs
trkn.us · US · 6 reqs
dpm.demdex.net · US · 3 reqs
fonts.gstatic.com · US · 4 reqs
accounts.google.com · US · 3 reqs
Legend: Adequate · DPF Certified · No Safeguards
Security Posture

Shield Rings

4/6
strict-transport-security Active
content-security-policy Active
x-content-type-options Active
x-frame-options Active
referrer-policy Missing
permissions-policy Missing
4 / 6 headers active
SRI Coverage: 0% (0/7 external scripts)
Browser Storage

Beyond Cookies

All browser storage mechanisms used — cookies, localStorage, IndexedDB, and more.

Sites increasingly use storage APIs to avoid cookie regulations

IndexedDB

Pre-Consent (2)
test sequenceNumber
Post-Consent (2)
test sequenceNumber
Legal Compliance

Document Shelf

Privacy Policy Found
Cookie Policy Found
User Agreement Found
Copyright Policy Found
Community Guidelines Found
5 found
0 missing
Art. 13/14 Compliance

Privacy Policy Checklist

How well the privacy policy covers the 13 GDPR-required information items.

77%
10/13 required elements
Controller identity: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
DPO contact: Data Protection Officer contact provided via online form
Processing purposes: Purposes listed: providing services, advertising, communications, research, security
Legal basis per purpose: Contract, consent, legitimate interests, and legal obligations cited per purpose
Legitimate interests: Legitimate interests specified: service improvement, security, analytics, advertising
Recipients: Categories listed: affiliates, service providers, legal authorities, acquirers
International transfers: Transfers to US and other countries; references SCCs and adequacy decisions
Retention periods: General statement about retaining data as long as account is open; limited per-purpose detail
Data subject rights: Access, deletion, correction, portability, objection, restriction all mentioned
Right to withdraw consent: States consent can be withdrawn at any time; references settings
Right to complain: Right to lodge complaint with Irish DPC and local supervisory authority
Statutory/contractual requirement
Automated decision-making: Mentions algorithmic recommendations but lacks Art. 22 detail on logic and consequences
10 present
1 absent
2 vague
Art. 15-22

Data Subject Rights Accessibility

How accessible GDPR rights are — data access, deletion, portability, and objection.

How many clicks to exercise each right?

Right of access (Art. 15): 2 clicks
Right to rectification (Art. 16): 1 click
Right to erasure (Art. 17): 3 clicks
Right to restriction (Art. 18): Not found
Right to portability (Art. 20): 2 clicks
Right to object (Art. 21): 2 clicks
Scale: 1-2 clicks · 3-4 clicks · 5+ clicks
5 accessible
1 not found
GDPR Compliance

Compliance Matrix

ePrivacy Art. 5(3) · Cookie consent: Consent banner present with reject option, but 11 cookies set pre-consent including bcookie (tracking)
Art. 6(1)(a) · Consent basis: Valid accept/reject mechanism but no granular category toggles for informed consent
Art. 7(3) · Withdrawal of consent: No consent revocation mechanism found — cannot withdraw consent as easily as giving it
Art. 13 · Information provision: Privacy policy and cookie policy linked from banner and footer
Art. 25 · Privacy by design: Reject works effectively but fingerprinting runs pre-consent from first-party CDN
ePrivacy Art. 5(3) · Fingerprinting consent: WebRTC, MediaDevices, WebGL and AudioContext APIs accessed pre-consent without legal basis
1 compliant
2 violations
3 partial
Risk Assessment

Privacy Risk Summary

Consent 5.1

Banner with equal Accept/Reject buttons, but no granular toggles, no revocation mechanism, and GPC signal ignored

Pre-Consent 4.2

No trackers pre-consent, but fingerprinting (4 APIs) and bcookie (tracking) fire before any consent interaction

Legal 6.9

Privacy policy, cookie policy, and user agreement all present and linked from banner and footer

Cross-Border 5.9

All third parties US-based; Microsoft/Google covered by Data Privacy Framework, but Adobe/trkn.us/PerimeterX jurisdiction unknown

Security 4.6

Strong CSP and HSTS, but missing Referrer-Policy and Permissions-Policy; 0% SRI coverage on 7 external scripts

Cookies 5.5

21 cookies post-consent with IDE and MUID at 390 days; the 11 pre-consent cookies include 4 with 1-year expiry

Dark Patterns 9.1

Exemplary: identical Accept and Reject buttons on the first layer with no visual bias

Overall
5.1
Action Items

Recommendations

1. Remove pre-consent fingerprinting: WebRTC, MediaDevices, WebGL and AudioContext APIs fire from static.licdn.com before consent. Under ePrivacy Art. 5(3), device fingerprinting requires consent.
2. Gate bcookie behind consent: bcookie is classified as tracking and persists for 1 year, but is set before consent interaction. Move behind consent or reclassify as essential with justification.
3. Add consent revocation mechanism: No way to withdraw consent after accepting. GDPR Art. 7(3) requires withdrawal to be as easy as giving consent.
4. Add granular consent toggles: Current binary accept/reject doesn't allow per-category choices (analytics vs marketing). Granular control strengthens consent validity.
5. Add Referrer-Policy and Permissions-Policy headers: Missing 2 of 6 security headers. Referrer-Policy prevents URL leakage to third parties; Permissions-Policy restricts browser API access.
6. Implement Subresource Integrity for external scripts: 0 of 7 external scripts have SRI hashes. Supply chain compromise of static.licdn.com would affect all visitors.
Methodology

How We Scanned

Scout: Banner detection
Pre-Consent (before interaction): 11 cookies · 0 trackers · 46 requests · 8 domains
Post-Consent (after accept/reject): 21 cookies · 6 trackers · 28 requests · 8 domains
Scan configuration
Browser: Firefox (stealth mode)
Viewport: 1440×900
Locale: en-NL (EU)
Variants: ignore · accept · reject
Banner detection: Content-based detection
Classification: Tracking fires → consent-mode pings → SDK loads

Privacy Audit #01 in the datagobes.dev series
