Grindr hit with £5.4m fine by Norwegian Data Protection Authority for GDPR infringements

LGBTQ+ focused dating app Grindr has been hit with a NOK 65m (£5.3m) fine by the Norwegian Data Protection Authority for failing to comply with the GDPR rules on consent. The fine will constitute approximately 10 per cent of the company’s turnover. The Authority initially proposed a much higher fine of NOK 100m, but said it had reduced it in light of information received from Grindr about the size and financial situation of the company, and the changes Grindr has made with the aim of remedying the deficiencies in its previous consent management platform.

The investigation focused on the consent mechanism in place from when GDPR came into force until April 2020, when Grindr changed how the app asks for consent. The Authority has not to date assessed whether the subsequent changes comply with GDPR.

“Our conclusion is that Grindr has disclosed user data to third parties for behavioural advertisement without a legal basis,” said Tobias Judin, Head of the Norwegian Data Protection Authority’s International Department.

In 2020, the Norwegian Consumer Council filed a complaint against Grindr, claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared was GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on Grindr. Users could be identified through the data shared, and the recipients could potentially further share the data.

Users were forced to accept the privacy policy in its entirety to use the app, and they were not asked specifically if they wanted to consent to the sharing of their data with third parties for behavioural advertisement. Furthermore, the information about the sharing of personal data was not properly communicated to users. The Authority said it considers that this was contrary to the GDPR requirements for valid consent.

It also said it considers that data revealing the fact that someone is a Grindr user strongly indicates that they belong to a sexual minority. Data concerning a person’s sexual orientation constitutes special category data that merit particular protection under the GDPR. As the consents Grindr collected were not valid, Grindr could not lawfully share such data.

“The Grind (sic) app is used to connect with other users in the LGBTQ+ community, and we are aware that many users choose not to use their full name or upload a picture of their face in order to be discreet,” said Judin. “Nonetheless, their personal data and the fact that they were on Grindr was disclosed to an unknown number of third parties for marketing purposes, without giving the users accessible information or a genuine choice.”

The Authority said the size of the fine reflected the gravity of the infringement. “Thousands of users in Norway have had their personal data shared unlawfully for the commercial interests of Grindr, including GPS location and the fact that the users in question were on Grindr,” said Judin. “Business models based on behavioural advertisement are common in the digital economy, and it is imperative that administrative fines for GDPR violations are dissuasive in order to foster compliance with the law.”

Grindr has three weeks to appeal the decision. We have asked the company if it intends to do so and will update this post as and when it gets back to us.

Update:
Grindr Chief Privacy Officer Shane Wiley has issued the following statement to Mobile Marketing:

“Since launching in 2009, Grindr has grown into the preeminent mobile social networking platform for the LGBTQ+ community. We safely connect millions of daily adult users in almost every country in the world and enable them to discover, share, and navigate their community and their world. Protecting our users’ interests and ensuring that we put them in control of their personal data have always been our top priorities. We have also been proactive in adopting industry-leading privacy positions and tools, like detailed consent flows, granular user privacy controls, and ‘just-in-time’ app notifications.

“We strongly disagree with Datatilsynet’s [The Norwegian Data Protection Authority] reasoning, which concerns historical consent practices from years ago, not our current consent practices or Privacy Policy. Even though Datatilsynet has lowered the fine compared to their earlier letter, Datatilsynet relies on a series of flawed findings, introduces many untested legal perspectives, and the proposed fine is therefore still entirely out of proportion with those flawed findings.

“We’ve just received a copy of the letter from Datatilsynet and are analyzing the document. The Company is considering its options including the right to appeal the findings to the Personvernnemnda (PVN – Appeal Board).”