B2B Marketing Guide

Privacy Policy for LinkedIn: What Business Pages and Advertisers Must Disclose

If your LinkedIn Company Page runs ads, uses Lead Gen Forms, installs the Insight Tag, uploads matched audiences, or collects lead data through Sales Navigator, you are collecting personal data and need a privacy policy. Here is what LinkedIn requires, what data you handle, and how to create a compliant policy.

For LinkedIn Company Pages, advertisers, and B2B marketers.

Last updated: March 2026 · Reviewed for GDPR, CCPA & CalOPPA compliance

Written by Anupam Kumar

Yes, LinkedIn business pages need a privacy policy. If you run LinkedIn Ads, use Lead Gen Forms, install the Insight Tag on your website, upload matched audiences for ad targeting, or collect prospect data through Sales Navigator, you are collecting personal data. Privacy laws and LinkedIn's own advertising agreements require you to disclose these practices in a published privacy policy.

1. When LinkedIn Users Need a Privacy Policy

LinkedIn has its own privacy policy that covers the data LinkedIn (a Microsoft company) collects through the platform. However, LinkedIn's policy does not cover data that you, as a business or marketer, collect from LinkedIn members through your own tools and advertising activities. If you engage in any of the following, you need your own privacy policy:

Running LinkedIn Ads (Sponsored Content, Message Ads, Dynamic Ads)

LinkedIn's advertising platform requires advertisers to have a privacy policy. When you run ads, LinkedIn collects data on your behalf including click-through behaviour, conversion tracking (via the Insight Tag), and professional demographic targeting data. You are responsible for disclosing how this advertising data is used.

Using Lead Gen Forms

LinkedIn Lead Gen Forms collect personal data (names, email addresses, job titles, company names, phone numbers) directly from LinkedIn members. The form auto-fills with the member's profile data, and submissions flow to your CRM or marketing automation platform. Because you are the party collecting and using this data, you must have a privacy policy disclosing the collection and its purposes.

Installing the Insight Tag on your website

The LinkedIn Insight Tag is a JavaScript tracking snippet that sends visitor data from your website back to LinkedIn. It enables conversion tracking, website retargeting, and website demographics reporting. Because it sets cookies and collects personal data (IP addresses, browser data, page visits), your privacy policy must disclose its presence and purpose.

Uploading matched audiences (contact lists or account lists)

When you upload email lists, company lists, or use website retargeting audiences for ad targeting, you are sharing personal data with LinkedIn. Your privacy policy must disclose that customer or prospect data may be shared with LinkedIn for advertising purposes. Under GDPR, this sharing creates data protection obligations for both parties.

Using Sales Navigator for prospecting

Sales Navigator provides access to detailed professional profiles, company data, and relationship intelligence. If you export lead lists, sync data to your CRM, or use InMail for outreach, you are processing personal data for sales purposes. Your privacy policy must cover how you handle prospect data obtained through LinkedIn.

Hosting LinkedIn Events or collecting RSVPs

LinkedIn Events collect attendee names, profile data, and RSVP information. If you use this data for follow-up marketing, add attendees to email lists, or share it with co-hosts or sponsors, each of these uses must be disclosed in your privacy policy.

Without a privacy policy, you risk

LinkedIn Ads account suspension, rejection of Lead Gen Form campaigns, GDPR fines up to €20 million, CCPA penalties of $7,500 per violation, loss of LinkedIn API access, and damaged professional credibility. LinkedIn actively reviews advertiser compliance and can restrict your Campaign Manager account without warning. Learn the full breakdown of what happens without a privacy policy.

Does this apply to personal LinkedIn profiles?

Personal profiles used purely for job searching and networking generally do not need their own privacy policy because LinkedIn's policy covers platform-level data collection. However, the moment you use a personal profile for business development, sales prospecting with Sales Navigator, or run ads through Campaign Manager, the requirement applies.

What about LinkedIn for recruitment?

Recruiters who use LinkedIn Recruiter, collect candidate data, or build talent pipelines are processing personal data for business purposes. Under GDPR, candidate data is personal data regardless of whether it is publicly visible on a LinkedIn profile. If you store candidate information in an ATS or spreadsheet, you need a privacy policy covering recruitment data handling.


2. LinkedIn Data Sources Your Policy Must Cover

Every data type your LinkedIn presence might collect or facilitate.

The data your LinkedIn business presence handles depends on which features, advertising tools, and integrations you use. Here is a comprehensive breakdown by source:

| Data Source | Data Collected | Who Controls It |
| --- | --- | --- |
| Company Page Insights | Follower demographics, visitor analytics, content engagement metrics, industry breakdowns | LinkedIn (controller, aggregated data) |
| LinkedIn Ads (Campaign Manager) | Click-through data, impression metrics, conversion events, audience segment performance, cost data | Joint controller (you and LinkedIn) |
| Insight Tag | Page URLs, referrer URLs, IP addresses (truncated), device and browser data, timestamps, conversion events | Joint controller (you and LinkedIn) |
| Lead Gen Forms | Names, email addresses, job titles, company names, phone numbers, custom form fields | You (controller), LinkedIn (processor) |
| Matched Audiences | Hashed email lists, company name lists, website visitor retargeting data, engagement retargeting data | Joint controller (you and LinkedIn) |
| Sales Navigator | Professional profiles, contact details, company data, relationship history, InMail correspondence | LinkedIn (platform), you (business use) |
| LinkedIn Learning (enterprise) | Employee learning activity, course completions, skill assessments, engagement time | You (controller for employee data), LinkedIn (processor) |
| Events | Attendee names, profile data, RSVP status, event engagement, follow-up interactions | You (controller), LinkedIn (platform) |

The critical distinction: Company Page Insights provides aggregated demographic data that LinkedIn controls. But Lead Gen Forms, Insight Tag tracking, matched audience uploads, and Sales Navigator data involve personal data that you collect, control, or jointly control with LinkedIn. These are what your privacy policy must cover.

Did you know?

When you upload a customer email list to LinkedIn for matched audience targeting, LinkedIn hashes the data and matches it against its member database. Under GDPR, the European Court of Justice has established that this type of data sharing for advertising purposes creates a joint controller relationship. This means both you and LinkedIn are responsible for data protection compliance, and your privacy policy must disclose that you share customer data with LinkedIn for advertising purposes.


3. LinkedIn Insight Tag Requirements

What your privacy policy must say about the Insight Tag.

The LinkedIn Insight Tag is a lightweight JavaScript snippet placed on every page of your website. It is the foundation of LinkedIn's conversion tracking, website retargeting, and website demographics features. Because it collects personal data and sets cookies, it has specific privacy policy requirements.

What the Insight Tag collects

The tag collects the page URL, referrer URL, IP address (which LinkedIn truncates for storage), device and browser characteristics, and a timestamp for each page visit. It also fires conversion events when visitors complete specific actions you define, such as form submissions, page views, or button clicks. This data flows to your LinkedIn Campaign Manager account.

Cookie consent is required under GDPR

The Insight Tag sets a first-party cookie (li_fat_id) and relies on LinkedIn's third-party cookies for cross-site tracking. Under GDPR and the ePrivacy Directive, you must obtain cookie consent before the Insight Tag fires. This means implementing a cookie consent banner that blocks the tag until the visitor consents to marketing or analytics cookies.
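
One way to implement the consent gate described above, as an added example rather than LinkedIn's or this guide's own code: the tag script is injected only after marketing consent, and `li_fat_id` is expired when consent is absent or withdrawn. The script URL, the `site_consent` cookie format and the `consentchange` event are hypothetical placeholders.

```javascript
// Placeholder values (assumptions): use the snippet source from your own
// Campaign Manager account and your consent tool's real cookie name.
const TAG_SRC = "https://tag.example.invalid/insight.js";
const CONSENT_COOKIE = "site_consent";
// First-party cookie the guide attributes to the Insight Tag.
const TAG_COOKIES = ["li_fat_id"];

// Parse "site_consent=marketing:1|analytics:0" out of a cookie string.
// Anything missing or malformed is treated as "no consent" (fail closed).
function parseConsent(cookieString) {
  const consent = { marketing: false, analytics: false };
  for (const pair of String(cookieString || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx === -1 || pair.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    let value;
    try {
      value = decodeURIComponent(pair.slice(idx + 1).trim());
    } catch (_) {
      return consent; // undecodable value: keep every category denied
    }
    for (const item of value.split("|")) {
      const [category, flag] = item.split(":");
      if (Object.prototype.hasOwnProperty.call(consent, category)) {
        consent[category] = flag === "1"; // only an explicit "1" grants
      }
    }
  }
  return consent;
}

// Gate that injects the tag at most once, and only after marketing consent.
// `env` abstracts the browser so the decision logic can run without a DOM.
function createTagGate(env) {
  let injected = false;
  return {
    apply(consent) {
      if (consent.marketing && !injected) {
        env.injectScript(TAG_SRC);
        injected = true;
        return "loaded";
      }
      if (!consent.marketing) {
        // No consent or withdrawal: expire the tag's first-party cookies.
        // A script that already ran cannot be unloaded, so a real page
        // should also reload after withdrawal.
        TAG_COOKIES.forEach((name) => env.expireCookie(name));
        return injected ? "withdrawn" : "blocked";
      }
      return "already-loaded";
    },
    isInjected: () => injected,
  };
}

// Browser wiring for the gate.
function browserEnv(doc) {
  return {
    injectScript(src) {
      const s = doc.createElement("script");
      s.async = true;
      s.src = src;
      doc.head.appendChild(s);
    },
    expireCookie(name) {
      // A cookie set with a Domain attribute needs the same Domain here.
      doc.cookie = name + "=; Max-Age=0; path=/";
    },
  };
}

if (typeof document !== "undefined") {
  const gate = createTagGate(browserEnv(document));
  gate.apply(parseConsent(document.cookie));
  // "consentchange" is a hypothetical event fired by the consent banner.
  document.addEventListener("consentchange", () =>
    gate.apply(parseConsent(document.cookie))
  );
}
```

The tag must not also be present as a static `<script>` element in the page template, or it will run before the gate does.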

Privacy policy disclosure requirements

Your privacy policy must state that you use the LinkedIn Insight Tag, explain what data it collects (page visits, IP addresses, device data, conversion events), state that data is shared with LinkedIn for advertising purposes, and explain that visitors can opt out through LinkedIn's advertising settings or your cookie consent preferences.

Website demographics and the joint controller issue

LinkedIn's Website Demographics feature uses Insight Tag data to show you aggregated professional characteristics (job titles, industries, company sizes) of your website visitors. Under GDPR, this creates a joint controller relationship between you and LinkedIn because both parties determine the purposes and means of processing visitor data for this feature.

Did you know?

The LinkedIn Insight Tag can track conversions across multiple LinkedIn ad campaigns simultaneously. A single website visit can trigger conversion events for Sponsored Content, Message Ads, and Dynamic Ads all at once. This means the volume of data shared with LinkedIn from your website may be significantly higher than most businesses realize. Your privacy policy should reflect the full scope of this tracking, not just mention "conversion tracking" in passing.


4. Lead Gen Forms Data Handling

How to handle personal data collected through LinkedIn Lead Gen Forms.

LinkedIn Lead Gen Forms are pre-filled forms that appear within the LinkedIn app when a member interacts with your Sponsored Content or Message Ad. The form auto-populates with the member's LinkedIn profile data, making it easy to submit. This convenience creates specific data handling obligations that your privacy policy must address.

Pre-filled data from LinkedIn profiles

Lead Gen Forms can auto-fill fields including first name, last name, email address, phone number, job title, company name, company size, industry, and seniority level. LinkedIn pulls this directly from the member's profile. Even though LinkedIn provides the data, you become the data controller once the member submits the form to you.

Custom questions and hidden fields

You can add custom questions to Lead Gen Forms, such as budget range, timeline, or specific product interest. Hidden fields can pass campaign data, ad creative IDs, or UTM parameters. All of this data flows to your download or CRM integration. Your privacy policy must disclose both the visible and hidden data points you collect.

CRM and marketing automation integration

Most businesses connect Lead Gen Forms to their CRM (Salesforce, HubSpot, Pipedrive) or marketing automation platform (Marketo, Pardot, ActiveCampaign) through LinkedIn's native integrations or Zapier. Each system that receives lead data is a data processor that must be named in your privacy policy. You must also ensure each processor has appropriate data processing agreements in place.

Lead data retention and deletion

LinkedIn retains Lead Gen Form submissions in Campaign Manager for 90 days, after which they are automatically deleted from LinkedIn's systems. However, any data you have downloaded or synced to your CRM persists indefinitely unless you implement retention policies. Your privacy policy must state your data retention period and how leads can request deletion.

Does the member's form submission count as consent?

Not necessarily. Under GDPR, the act of submitting a Lead Gen Form can be considered consent for the specific purpose described on the form (such as receiving a whitepaper or booking a demo). However, it does not automatically grant consent for unrelated marketing. If you plan to add leads to a general email newsletter or share their data with partners, you need separate, specific consent for each additional purpose.

What if a lead requests deletion of their data?

Under GDPR's right to erasure, you must delete the lead's data from your CRM, marketing automation platform, email lists, and any other systems where it has been stored or synced. LinkedIn deletes the submission from Campaign Manager after 90 days automatically, but you are responsible for deleting data in your own systems within 30 days of the request.


5. Matched Audiences and Retargeting

Privacy requirements for LinkedIn audience targeting features.

LinkedIn matched audiences allow you to target ads to specific groups of people based on data you provide or data collected through the Insight Tag. There are several types of matched audiences, each with different privacy implications that your policy must address.

Contact targeting (email list uploads)

You upload a list of email addresses (from your CRM, email platform, or customer database), and LinkedIn hashes and matches them against its member database. This is a direct transfer of personal data to LinkedIn for advertising purposes. Your privacy policy must disclose that you share customer contact information with LinkedIn, explain the purpose (ad targeting), and identify the lawful basis (typically legitimate interests with an opt-out mechanism).

Company targeting (account-based marketing)

You upload a list of company names, and LinkedIn matches them to Company Pages. While company names are not personal data on their own, the targeting results in ads being shown to identifiable individuals at those companies. Under GDPR, this can be considered profiling because you are targeting individuals based on their employment relationship. Your privacy policy should disclose account-based marketing practices.

Website retargeting (Insight Tag audiences)

The Insight Tag enables you to create audiences of people who visited specific pages on your website and then show them targeted ads on LinkedIn. This combines first-party website data with LinkedIn's member data. Cookie consent is required before the Insight Tag fires, and your privacy policy must explain that website visitors may see retargeted ads on LinkedIn.

Engagement retargeting

LinkedIn allows you to retarget people who have interacted with your Company Page, Sponsored Content, Lead Gen Forms, or Events. While this uses LinkedIn's first-party data, you are the party determining the targeting criteria and ad content. Your privacy policy should mention that you use engagement data for retargeting purposes on LinkedIn.

Lookalike audiences

LinkedIn can create lookalike audiences based on your matched audience segments. This means LinkedIn analyzes the characteristics of people on your contact list or website visitors to find similar members. Your privacy policy should disclose that customer data may be used to identify and target similar audiences on LinkedIn.

For a broader look at social media advertising privacy, see the Facebook Page privacy policy guide and the Twitter privacy policy guide, which cover similar audience targeting and retargeting requirements on other platforms.


6. LinkedIn API Requirements

Privacy obligations for apps and integrations using LinkedIn's APIs.

If you build applications, integrations, or tools that access LinkedIn's APIs (including the Marketing API, Compliance API, or Sign In with LinkedIn), LinkedIn imposes strict privacy and data handling requirements through its API Terms of Use and Developer Agreement.

Privacy policy requirement for all API applications

LinkedIn requires every application that accesses its APIs to have a publicly accessible privacy policy. The privacy policy URL must be provided during the app registration process. LinkedIn reviews this policy as part of the API access approval process and can revoke access if the policy is missing, inaccessible, or non-compliant.

Data usage restrictions

LinkedIn's API Terms restrict how you can use member data obtained through the API. You cannot use API data for surveillance, unauthorized profiling, or selling member data to third parties. Your privacy policy must accurately reflect how you use LinkedIn data, and any use beyond what is disclosed may result in API access revocation.

Sign In with LinkedIn (OpenID Connect)

If your application uses LinkedIn for authentication, you receive the member's name, email address, profile picture, and potentially additional profile fields depending on your approved scopes. Your privacy policy must disclose that you use LinkedIn for authentication, what profile data you access, and how you store and use this data in your application.

Data retention and deletion obligations

LinkedIn's API Terms require you to delete member data when a member revokes access to your application, when your API access is terminated, or when LinkedIn requests deletion. Your privacy policy must include a data retention section that addresses these scenarios and explains how users can request data deletion.

If you are building a SaaS product that integrates with LinkedIn, see the SaaS privacy policy guide for additional requirements around user data, third-party integrations, and data processing agreements.


7. B2B Marketing Compliance

Why B2B does not mean you can skip privacy requirements.

A common misconception in LinkedIn marketing is that B2B data handling is somehow exempt from privacy regulations. The reasoning is that you are targeting businesses, not individuals. This is incorrect. Under GDPR, any data that can identify a natural person is personal data, regardless of whether the context is B2B or B2C.

Business email addresses are personal data

An email address like john.smith@acmecorp.com identifies a specific individual and is therefore personal data under GDPR. When you collect business email addresses through LinkedIn Lead Gen Forms, import them into your CRM, or use them for matched audience targeting, you are processing personal data. The B2B context does not change this classification.

Job titles and professional profiles are personal data

A LinkedIn profile containing a person's name, photo, job title, employer, work history, and education is a rich set of personal data. When Sales Navigator provides you with this information for prospecting, you become a data controller for that data. Your privacy policy must explain how you handle professional profile data.

Legitimate interests as a lawful basis for B2B marketing

GDPR allows 'legitimate interests' as a lawful basis for processing, which is commonly used for B2B marketing. However, this is not a blanket exemption. You must conduct a legitimate interests assessment (LIA), document the balancing test between your interests and the individual's rights, and provide an easy opt-out mechanism. Your privacy policy should reference legitimate interests where applicable and explain how individuals can object.

Account-based marketing (ABM) and profiling concerns

ABM strategies that combine LinkedIn data with intent data from third-party providers, firmographic databases, and website analytics to target specific individuals at specific companies can constitute profiling under GDPR Article 22. If your ABM approach builds detailed profiles of decision-makers to personalize outreach, your privacy policy must disclose this profiling activity and explain how individuals can opt out.

Did you know?

In 2024, the French data protection authority (CNIL) fined a B2B marketing company for scraping LinkedIn profiles and using the data for sales prospecting without proper disclosure or consent. The ruling confirmed that publicly visible LinkedIn profile data is still personal data under GDPR, and that collecting it for commercial purposes requires a lawful basis, proper disclosure in a privacy policy, and a mechanism for individuals to object. Being "B2B" provided no protection.


Common LinkedIn Privacy Mistakes

These assumptions are widespread among LinkedIn marketers. All of them are wrong.

"LinkedIn's privacy policy covers my Company Page"

LinkedIn's privacy policy covers data that LinkedIn collects through its platform, such as profile views, connection activity, and content engagement within the app. It does not cover data you collect through Lead Gen Forms, your external website, CRM systems, email marketing platforms, or Sales Navigator exports. When you collect a lead's email address through a Lead Gen Form and add it to your HubSpot nurture sequence, LinkedIn's privacy policy says nothing about how your HubSpot list handles that email. You need your own policy for that.

"B2B data is not personal data"

Under GDPR, any data that identifies or can identify a natural person is personal data. A business email address (john.smith@acmecorp.com), a LinkedIn profile with a name and photo, a job title at a specific company, and a direct phone number are all personal data. The fact that you are marketing to businesses does not change the classification of the data. B2B marketers have the same obligations as B2C marketers when it comes to handling personal data.

"The Insight Tag is just analytics"

The Insight Tag does far more than count page views. It sets cookies, collects IP addresses, tracks conversion events, enables website retargeting, and sends visitor data to LinkedIn for demographic profiling and ad optimization. Under GDPR, this is tracking that requires cookie consent. Under CCPA, it may constitute a "sale" of personal information if LinkedIn uses the data for its own advertising optimization. Treating it as simple analytics understates its privacy impact significantly.

"Lead Gen Form submissions equal consent for everything"

When someone submits a Lead Gen Form to download your whitepaper, they are consenting to receive the whitepaper. They are not consenting to be added to a weekly newsletter, have their data shared with your partner companies, or be targeted with retargeting ads for six months. Under GDPR, consent must be specific, informed, and freely given. Each distinct purpose requires its own disclosure and, where consent is the lawful basis, its own consent mechanism.

"Sales Navigator data is public, so no policy needed"

While LinkedIn profiles are visible to other LinkedIn members, extracting profile data through Sales Navigator and storing it in your CRM for sales purposes constitutes data processing under GDPR. The data is "publicly accessible" within the LinkedIn platform, but that does not grant you unlimited rights to collect, store, and use it for commercial purposes. Your privacy policy must disclose that you collect professional data from LinkedIn for sales outreach and explain the individual's right to object.


How to Create a Privacy Policy for Your LinkedIn Business

Six steps from audit to publication.

Creating a privacy policy for your LinkedIn business presence is straightforward once you map out your data collection points. Follow these steps:

1. Audit your LinkedIn data collection points

List every LinkedIn feature and tool you use: Company Page, LinkedIn Ads (Campaign Manager), Insight Tag, Lead Gen Forms, matched audiences, Sales Navigator, LinkedIn Learning (enterprise), Events, and any LinkedIn API integrations. For each, document what personal data it collects or processes.

2. Identify which privacy laws apply to your audience

Check your LinkedIn Page analytics for audience geography. If any followers or ad targets are in the EU or UK, GDPR applies. Members in California trigger CCPA and CalOPPA. B2B companies targeting global audiences will typically need to comply with GDPR, CCPA, and CalOPPA at minimum.

3. Map data types to purposes and lawful bases

For each type of personal data, document the purpose and GDPR lawful basis. Lead Gen Form data for sales outreach = legitimate interests or consent. Insight Tag tracking for ad optimization = consent (cookie consent required). Matched audience uploads = legitimate interests with disclosure. Email marketing follow-ups = consent. Map every data flow.

4. Name every third-party service and processor

GDPR requires naming specific services. Write 'LinkedIn Corporation (for advertising and lead generation)' not 'professional networking partners'. Write 'Salesforce (for CRM and lead management)' not 'customer management platform'. Name your email provider, CRM, analytics tools, and any Sales Navigator or API integrations.

5. Generate your privacy policy

Use a structured privacy policy generator that asks about your specific LinkedIn business setup and produces a customized document. This covers LinkedIn advertising, Insight Tag, Lead Gen Forms, matched audiences, and B2B marketing in a single, coherent policy. Our generator handles this in under 60 seconds for $4.99.

6. Publish and link from every touchpoint

Host your privacy policy on a dedicated URL. Link to it from your LinkedIn Company Page (About section), every Lead Gen Form, LinkedIn Ads account settings, external website footer, email newsletter footer, and any landing pages you promote through LinkedIn. Set a reminder to review and update every 6 months.

For guidance on GDPR-specific sections, see the GDPR privacy policy template. Learn about Instagram privacy policy requirements if you also market on Instagram. And see why operating without a privacy policy puts your LinkedIn ad account at risk.




Frequently Asked Questions

Do LinkedIn Company Pages need a privacy policy?

Yes. If you run LinkedIn Ads, use Lead Gen Forms, install the Insight Tag, upload matched audiences, or collect follower data through your Company Page, you are collecting or facilitating the collection of personal data. Privacy laws (GDPR, CCPA, CalOPPA) and LinkedIn's own advertising agreements require you to have a privacy policy.

Does LinkedIn require a privacy policy for advertising?

Yes. LinkedIn's advertising policies require that advertisers provide a privacy policy URL. For Lead Gen Forms specifically, LinkedIn requires a privacy policy link on the form itself because you are collecting personal data (names, emails, job titles, company names) directly from LinkedIn members. The form cannot be published without this link.

What data does the LinkedIn Insight Tag collect?

The Insight Tag collects page URLs, referrer URLs, IP addresses (truncated), device and browser characteristics, and timestamps. It enables conversion tracking, website retargeting, and website demographics reporting. Under GDPR, it requires cookie consent because it sets tracking cookies and shares data with LinkedIn for advertising purposes.

Do I need consent for LinkedIn Lead Gen Forms?

Under GDPR, you need a lawful basis for processing lead data. LinkedIn pre-fills form fields with member profile data (name, email, job title, company), and the user submits it to you. Your privacy policy must explain what you do with this data. For marketing follow-ups beyond the initial request, consent is the most appropriate lawful basis. LinkedIn requires a privacy policy link on every Lead Gen Form.

Does LinkedIn's privacy policy cover my Company Page?

No. LinkedIn's privacy policy covers data that LinkedIn collects through its platform. It does not cover data you collect through Lead Gen Forms, your external website, email lists, CRM systems, or Sales Navigator exports. You need your own privacy policy to disclose your specific data handling practices outside the LinkedIn platform.

What are LinkedIn matched audiences and do they need disclosure?

Matched audiences allow you to target LinkedIn ads to people on your contact lists, website visitors (via Insight Tag), or users who have engaged with your content. Uploading customer email lists or company names to LinkedIn for ad targeting creates a data sharing relationship that must be disclosed in your privacy policy. Under GDPR, this may constitute a joint controller arrangement.

Where should I link my LinkedIn privacy policy?

Link to it from your LinkedIn Company Page (About section), every Lead Gen Form, your LinkedIn Ads account settings, your external website footer, email newsletter footers, and any landing pages you promote through LinkedIn Ads. The privacy policy should be hosted on a dedicated URL that you control, not as a LinkedIn article or post.

