Why the LinkedIn Insight Tag Raises GDPR Concerns
The LinkedIn Insight Tag is a lightweight JavaScript snippet that tracks visitor behaviour on your website. It collects page views, referrer URLs, IP addresses, device information, and timestamps, then sends that data back to LinkedIn for ad targeting, audience building, and conversion measurement.
Under GDPR and the ePrivacy Directive, storing or accessing information on a visitor's device requires prior consent unless the cookie is strictly necessary for delivering a service the visitor requested. The Insight Tag does not meet that exemption.
LinkedIn itself acknowledges this. Its marketing solutions documentation states that advertisers using the Insight Tag in the EEA must obtain explicit opt-in consent before the tag fires. The Irish Data Protection Commission reinforced this point in October 2024 when it fined LinkedIn EUR 310 million for processing personal data for behavioural advertising without a valid legal basis.
What Cookies the LinkedIn Insight Tag Sets
When the Insight Tag loads, it places several cookies on the visitor's browser. The most significant is li_fat_id, a first-party cookie that stores LinkedIn's ads tracking identifier. This cookie persists for 30 days from the most recent LinkedIn ad click and resets with each subsequent click.
Beyond li_fat_id, the tag also triggers third-party cookies set by the snap.licdn.com and px.ads.linkedin.com domains. These include cookies like AnalyticsSyncHistory, UserMatchHistory, li_sugr, and bcookie, which LinkedIn uses for cross-site tracking, analytics synchronisation, and audience matching.
All of these cookies fall into the marketing cookies category. None qualify as strictly necessary.
| Cookie Name | Type | Duration | Purpose |
|---|---|---|---|
li_fat_id | First-party | 30 days | LinkedIn click ID for ad attribution |
AnalyticsSyncHistory | Third-party | 30 days | Syncs analytics data with LinkedIn servers |
UserMatchHistory | Third-party | 30 days | Audience matching for ad targeting |
li_sugr | Third-party | 90 days | Browser identifier for non-LinkedIn members |
bcookie | Third-party | 1 year | Browser security identifier |
lidc | Third-party | 24 hours | Data centre routing optimisation |
Blocking the Insight Tag Until Consent Is Granted
The default LinkedIn installation snippet loads the tag immediately on page load. Under GDPR Article 7, consent must be given before any non-essential cookies are set. That means you need to prevent the tag from executing until a visitor actively opts in through your cookie banner.
There are two practical approaches to achieve this.
Using Google Tag Manager with Consent Mode
If you already use Google Tag Manager, configure the LinkedIn tag to fire only when the ad_storage consent signal is set to granted. With Google Consent Mode v2, your CMP pushes consent state updates to the dataLayer, and GTM handles the conditional firing.
Set the LinkedIn tag's built-in consent checks to require ad_storage. When a visitor rejects marketing cookies, the tag never loads, and no LinkedIn cookies appear on the device.
Using Script Blocking via Your CMP
If you do not use GTM, most consent management platforms can block scripts conditionally. The standard technique involves changing the script's type attribute from text/javascript to text/plain and adding a data attribute that maps to the marketing cookie category. Your CMP then swaps the type back to text/javascript only after consent is received.
The LinkedIn Conversions API as a Privacy-Resilient Alternative
LinkedIn's Conversions API (CAPI) sends conversion events from your server to LinkedIn's servers, bypassing the browser entirely. This server-side approach gives you more control over exactly what data is shared and when.
CAPI does not eliminate the need for consent. You are still sending personal data to LinkedIn for advertising purposes, which requires a lawful basis under GDPR Article 6. The practical difference is that CAPI lets you enforce consent logic on your server before any data leaves, rather than relying on client-side JavaScript to behave correctly.
Each CAPI conversion event accepts consent parameters that tell LinkedIn how the data may be used. Including these parameters is not optional if you operate in the EEA.
Combining the Insight Tag with CAPI
LinkedIn recommends running both the Insight Tag and CAPI together for higher match rates. In a consent-compliant setup, this means the Insight Tag fires only after consent, passing the li_fat_id click ID to your server. Your server then includes that ID in CAPI events, improving attribution accuracy for consented visitors.
For visitors who decline marketing cookies, the Insight Tag stays blocked, and no CAPI event should be sent with personally identifiable parameters. You can still send anonymised, aggregated conversion data where no individual is identifiable.
Updating Your Cookie Policy and Banner
Your cookie policy must disclose the LinkedIn Insight Tag, its cookies, their purposes, and their durations. List each cookie by name - vague references to "analytics partners" do not satisfy GDPR transparency requirements under Article 13.
In your cookie banner, classify all LinkedIn cookies under the marketing or advertising category. Kukie.io's cookie scanner automatically detects and categorises LinkedIn tracking cookies when it scans your site, saving you from maintaining the list manually.
Your privacy policy should also name LinkedIn Ireland Unlimited Company as a data recipient and describe the cross-border data transfer safeguards in place, given that LinkedIn is a Microsoft subsidiary with servers outside the EEA.
Data Controller Responsibilities and the Joint Controller Question
When you install the Insight Tag, LinkedIn processes visitor data for its own purposes (ad optimisation, audience network building) as well as yours (conversion tracking, remarketing). The CJEU's ruling on Facebook fan pages (Case C-210/16) established that this type of arrangement creates a joint controllership.
LinkedIn provides a Pages Joint Controller Addendum that addresses this relationship. You should review and accept this addendum, as it outlines each party's obligations under GDPR Article 26. Without it, you bear full responsibility for any processing LinkedIn carries out through your Insight Tag installation.
Testing and Verification
After configuring consent-based loading, verify that it works. Open your browser's developer tools, clear all cookies, and visit your site without accepting the cookie banner. Check the Application tab for any li_fat_id, li_sugr, or bcookie entries. If they appear before consent, your blocking mechanism has failed.
Repeat the test after accepting marketing cookies. The LinkedIn cookies should now appear, and the snap.licdn.com requests should be visible in the Network tab. You can also use a free cookie scanner to audit your site without manual checks.
Run this test after every tag or CMP update. A single GTM container change can inadvertently re-enable scripts that should be blocked.
Frequently Asked Questions
Does the LinkedIn Insight Tag require cookie consent under GDPR?
Yes. The Insight Tag sets non-essential tracking cookies used for advertising and analytics. Under GDPR and the ePrivacy Directive, you must obtain explicit opt-in consent before the tag fires on your website.
What happens to LinkedIn ad tracking if a visitor rejects cookies?
If a visitor declines marketing cookies, the Insight Tag should not load at all. LinkedIn will not receive any browsing data from that visitor, and you will not be able to attribute conversions or build retargeting audiences from their session.
Can I use the LinkedIn Conversions API without the Insight Tag?
Yes. The Conversions API works independently by sending server-side events directly to LinkedIn. You still need a lawful basis for processing the personal data you send, but CAPI gives you tighter control over what data is shared and when.
Is LinkedIn a data controller or data processor for Insight Tag data?
LinkedIn acts as a joint controller alongside you. LinkedIn processes visitor data for its own advertising purposes, not solely on your instructions, which means both parties share GDPR obligations under Article 26.
How do I block the LinkedIn Insight Tag in Google Tag Manager?
Set the LinkedIn tag's consent requirement to ad_storage in GTM's consent settings. The tag will only fire when your consent management platform signals that the visitor has granted marketing cookie consent.
What is the li_fat_id cookie used for?
The li_fat_id cookie is a first-party cookie that stores LinkedIn's click ID. It persists for 30 days from the last LinkedIn ad click and is used for conversion attribution and audience matching through the Conversions API.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
