GDPR Violations Earn Grindr Dating App $11.7m Penalty

In Norway, the data protection body, Datatilsynet, has sanctioned a fine of over $11.7 million against gay dating app Grindr, as it failed to get proper consent from users before sharing their personal information with advertising companies.

The Data Protection Authority kicked off an investigation after the Norwegian Consumer Council registered a complaint claiming that personal data was shared illegally for marketing reasons. A previous report in 2020 found that Grindr and other dating apps leaked personal information to advertising technology companies for targeted ads and in doing so breached the European Union’s General Data Protection Regulation. Although Norway is not currently a member of the EU, its data protection legislation is almost identical to GDPR rules.

Grindr has until February 15 to submit feedback for consideration in the final decision. The amount of the fine was approximately 10% of the U.S. company’s global revenue for the previous financial year, the highest possible fine for a breach of this nature.

Grindr released a statement saying that it is eager to begin a “productive dialogue” with Norwegian regulators in relation to the allegations, which date back to 2018 and which it said are not representative of the group’s current privacy policy or practices. The company said that the app’s privacy approach includes “detailed consent flows, transparency, and control” for all users, going on to say it has “retained valid legal consent” from all its European users “on multiple occasions.”

The statement said: “We continually enhance our privacy practices in consideration of evolving privacy laws and regulations.”

Director-General of the Datatilsynet Bjorn Erik Thon said: “The Norwegian Data Protection Authority considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data.”

The preliminary conclusion released by the watchdog stated that Grindr illegally shared user data with a number of third parties, including GPS location, user profile information, and the fact that users are on Grindr, which could reveal their sexual orientation. The data protection authority said in its notice to Grindr that the consequences of this include putting someone at risk of being targeted. The statement said: “A Grindr user may lead to prejudice and discrimination even without revealing their specific sexual orientation.”

It went on to say that the manner in which Grindr requests permission to use the information of users was not GDPR compliant and could not be termed “valid consent”. Additionally, users were not allowed the chance to opt out of sharing data with third parties and had no choice but to agree to Grindr’s privacy policy in its entirety, it said, adding that users had not been given enough information in relation to the data sharing that was being conducted.

The Norwegian Consumer Council welcomed the fine while the data protection authority is still reviewing five more “ad tech” businesses that were sent data from Grindr, including Twitter’s mobile app advertising platform, MoPub, which has over 160 partners.

The group’s director of digital policy, Finn Myrstad, said: “We hope that this marks the starting point for many similar decisions against companies that engage in buying and selling personal data.”

This incident further highlights the importance of all companies, and every member of staff that they employ, being fully aware of everything that must be done in order to avoid a breach of GDPR.