linkedin.com

#01

Privacy Audit — linkedin.com

2026-03-095.1/10 overall

TL;DR

✅

Reject actually works

Clicking Reject stops all trackers — 0 tracking fires post-reject vs 6 post-accept. The consent mechanism meaningfully controls data collection.

🔍

Fingerprinting before consent

Five fingerprinting APIs (WebRTC, MediaDevices, WebGL, AudioContext) fire from LinkedIn's own CDN before any consent interaction — an ePrivacy Art. 5(3) concern.

🤔

11 cookies before you choose

Including bcookie (tracking, 1 year) and PerimeterX cookies — all set before the consent banner is even acknowledged.

Score breakdown

5.1

Consent

5.1 / 10

6.9

Legal Pages

6.9 / 10

5.9

Cross-Border

5.9 / 10

9.1

Dark Patterns

9.1 / 10

4.6

Security Headers

4.6 / 10

5.5

Cookie Management

5.5 / 10

4.2

Pre-Consent Tracking

4.2 / 10

Full audit deck

Loading deck…

GDPR compliance

Article	Topic	Status	Finding
ePrivacy Art. 5(3)	Cookie consent	partial	Consent banner present with reject option, but 11 cookies set pre-consent including bcookie (tracking)
Art. 6(1)(a)	Consent basis	partial	Valid accept/reject mechanism but no granular category toggles for informed consent
Art. 7(3)	Withdrawal of consent	fail	No consent revocation mechanism found — cannot withdraw consent as easily as giving it
Art. 13	Information provision	pass	Privacy policy and cookie policy linked from banner and footer
Art. 25	Privacy by design	partial	Reject works effectively but fingerprinting runs pre-consent from first-party CDN
ePrivacy Art. 5(3)	Fingerprinting consent	fail	WebRTC, MediaDevices, WebGL and AudioContext APIs accessed pre-consent without legal basis

Recommendations

critical

Remove pre-consent fingerprinting

WebRTC, MediaDevices, WebGL and AudioContext APIs fire from static.licdn.com before consent. Under ePrivacy Art. 5(3), device fingerprinting requires consent.

ePrivacy Art. 5(3) · EDPB Guidelines 2023 on tracking

high

Gate bcookie behind consent

bcookie is classified as tracking and persists for 1 year, but is set before consent interaction. Move behind consent or reclassify as essential with justification.

ePrivacy Art. 5(3) · CNIL v. Amazon EUR 35M (Dec 2020)

high

Add consent revocation mechanism

No way to withdraw consent after accepting. GDPR Art. 7(3) requires withdrawal to be as easy as giving consent.

Art. 7(3) · EDPB Guidelines 05/2020

medium

Add granular consent toggles

Current binary accept/reject doesn't allow per-category choices (analytics vs marketing). Granular control strengthens consent validity.

Art. 6(1)(a)

medium

Add Referrer-Policy and Permissions-Policy headers

Missing 2 of 6 security headers. Referrer-Policy prevents URL leakage to third parties; Permissions-Policy restricts browser API access.

Art. 32

low

Implement Subresource Integrity for external scripts

0 of 7 external scripts have SRI hashes. Supply chain compromise of static.licdn.com would affect all visitors.

Art. 32