In Norway the data protection body, Datatilsynet, has sanctioned a fine of over $11.7 million for Gay dating app Grindr as it failed to get proper consent from users before sharing their personal information with advertising companies.
The Data Protection Authority kicked off an investigation after registering a complaint by the Norwegian Consumer Council claiming that personal data was shared illegally for marketing reasons. A previous report in 2020 found that Grindr and other dating apps leaked personal information to advertising technology companies for targeted ads and in doing so breached the European Union’s General Data Protection Regulation. Despite the fact that Norway is not currently a member of the EU it’s data protection legislation is almost identical to GDPR rules.
Grindr has until February 15 to submit feedback for consideration in the final decision. The amount of the fine was approximately 10% of the U.S. company’s global revenue for the previous financial year, the highest possible fine for a breach of this nature.
The statement said: “We continually enhance our privacy practices in consideration of evolving privacy laws and regulations.”
Director-General of the Datatilsynet Bjorn Erik Thon said: “The Norwegian Data Protection Authority considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data.”
The preliminary conclusion released by the watchdog stated that Grindr shared user data with a number of third parties in an illegal manner including GPS location, user profile information as well as the fact that users are on Grindr, which could reveal their sexual orientation. The data protection authority said in its notice to Grindr that the consequences of this include putting someone at risk of being targeted. The statement said: “A Grindr user may lead to prejudice and discrimination even without revealing their specific sexual orientation.”
The Norwegian Consumer Council welcomed the fine while the data protection authority is still reviewing five more “ad tech” businesses that were sent data from Grindr, including Twitter’s mobile app advertising platform, MoPub, which has over 160 partners.
The group’s director of digital policy, Finn Myrstad said: “We hope that this marks the starting point for many similar decisions against companies that engage in buying and selling personal data.”
This incident further highlights the importance of all companies, and every member of staff that they employ, is fully aware of everything that must be completed in order to avoid a breach of GDPR occurring.