UPDATED Grindr, the popular LGBT dating app, has been fined €10 million ($12 million) for GDPR violations by Norway’s data privacy regulator because sensitive user data was apparently shared with third parties without valid consent.
The preliminary ruling issued by the Norwegian Data Protection Authority (Datatilsynet) centers on the fact that users had to accept a blanket privacy policy to use the app and were not given a separate opportunity to grant or withhold consent to sharing their data with third parties.
Users were also not properly informed about how the data was shared, said the Datatilsynet. The data shared included GPS location and user profile data such as sexual orientation.
Datatilsynet director-general Bjørn Erik Thon said these were “grave violations” of GDPR requirements around valid consent and added that it was “imperative” that such “take-it-or-leave-it consents” should “cease”.
‘Safe space’
“We believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection,” the Datatilsynet said in a press release issued yesterday (January 26).
Grindr is seen as a safe space, and many users wish to be discrete. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away – Datatilsynet director-general Bjørn Erik Thon
Said Thon: “Users were not able to exercise real and effective control over the sharing of their data.
“Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”
Ezat Dayeh, SE manager at data management vendor Cohesity, told The Daily Swig: “It is ironic timing that this matter becomes public 24 hours before Data Privacy Day.
“Organizations of all sizes need to be more accountable and deliver greater trust in how they handle consumer data in exchange for more tailored services or commercial gain. The relationship between consumer and brand only works when trust is in place,” he adds.
“From a compliance perspective on privacy, GDPR was merely the start, not the end goal.”
Record-breaking fine
Grindr is marketed as the world’s most popular location-based social networking app for gay, bi, trans, and queer people with 13.7 million active users.
The penalty amounts to around 10% of the company’s worldwide revenues and, if confirmed, will be the highest GDPR fine ever levied by the Datatilsynet.
Grindr has until February 15 to respond to the ruling before a final decision is made.
The investigation, which stems from a complaint filed against Grindr by the Norwegian Consumer Council in 2020, centers on consent mechanisms in place on the app until April 2020.
Datatilsynet said it had not yet assessed whether subsequent changes made to Grindr’s privacy policy were GDPR-compliant.
The Norwegian Consumer Council also filed complaints against five third parties that received data from Grindr for marketing purposes: Twitter-owned MoPub, Xandr, OpenX Software, AdColony, and Smaato.
The Daily Swig has contacted Grindr for comment on the ruling and will update the article accordingly if we receive a response.
This article was updated on January 27 with comments from Ezat Dayeh of Cohesity
