Grindr hit with £8.6 million fine for GDPR consent breach
The Norwegian data watchdog finds the LGBTQ+ dating app shared data with third-party advertisers without sufficient consent
Online dating service Grindr has been fined 100,000,000kr (roughly £8.6 million) by the Norwegian data watchdog for sharing its users’ personal data with third-party advertisers without seeking adequate consent.
Following a lengthy investigation, the Norwegian Data Protection Authority (Datatilsynet) has concluded that Grindr shared user data, including special category personal data, with third parties for marketing purposes. This data included GPS locations, user profile data, and the fact the user in question was on Grindr, information not all users would be willing to disclose.
Based on its preliminary findings, Datatilsynet concluded that Grindr violated Article 6(1) and Article 9(1) of the data protection laws, which relate to illegally sharing user data with third parties without sufficient user consent.
“Our view is that these people have had their personal data shared unlawfully,” said director-general of the Norwegian regulator, Bjørn Erik Thon.
“An important objective of the GDPR is precisely to prevent take-it-or-leave-it “consents”. It is imperative that such practices cease.”
The company was accused of sharing users’ data with advertisers through software development kits (SDKs), with the advertising partners in question including Twitter’s MoPub platform, Xandr, OpenX, AdColony, and Smaato.
The regulator’s provisional fine represents a figure that’s roughly 11% of the company’s annual turnover, based on its calculations. This figure is “effective, proportionate and dissuasive”, according to Datatilsynet, and follows guidance set out under GDPR for how regulators should approach administering financial penalties.
Grindr markets itself as the world’s largest dating app for the LGBTQ+ community and boasts 13.7 million active users across more than 200 countries.
The Norwegian watchdog’s fine follows an official probe sparked by an earlier investigation led by the Norwegian Consumer Council. That initial investigation, whose findings were published in January 2020, found the vendors of several widely-used apps were sharing data with third parties without adequate user consent.
The ruling carries huge significance, given a litany of comparable social media and tech companies may be operating data-sharing models similar in nature to that used by Grindr.
The document only represents a draft decision, however, and Grindr has been given the opportunity to respond by 15 February. The regulator will make its final decision once Grindr’s representations are taken into account.
Datatilsynet is also in the midst of ongoing investigations into the five advertisers name-checked in the report: Twitter’s MoPub, Xandr, OpenX, AdColony, and Smaato.
"Grindr is a social movement and a cultural phenomenon," the company told IT Pro. "Our goal is to create the leading social and digital media platform that enables the LGBTQ+ community and other users to discover, share and navigate the world around them.
"Grindr is confident that our approach to user privacy is first-in-class among social applications with detailed consent flows, transparency, and control provided to all of our users."