The California based dating app is accused of violating the GDPR rules
The Norwegian Data Protection Authority has imposed an administrative fine of approximately 6.5 million euros (65.000.000 NOK) to the dating app Grindr over allegations of not complying with the GDPR rules on consent.
According to Norway’s data privacy watchdog the very popular dating app is accused of sending sensitive personal data to hundreds of potential advertising companies without users’ consent, a practice which consists of a violation of the European Union privacy rules.
Recently, the Norwegian Consumer Council filed a complaint against the location-based social networking app claiming that Grindr shared personal data, such as GPS location, IP address, advertising ID, age, and gender, with third parties for marketing purposes.
“Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection” said the Norwegian Data Protection Authority.
As stated by Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority, “this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law”.
Even though Norway isn’t a member of the European Union, it is closely following EU rules and mirroring the EU’s tough data protection regulations. Grindr has 13.7 million active users, of which thousands reside in Norway.
“We conclude that Grindr has disclosed user data to third parties for behavioral advertisement without a legal basis”, said Tobias Judin, head of the Norwegian Data Protection Authority’s international department. “The Norwegian Data Protection Authority has concluded that consent was the applicable legal basis in this case, but that the purported consents Grindr collected for sharing personal data with advertising partners were not valid” he added.
Grindr denies accusations
In response to Norway’s data privacy watchdog accusations, Grindr denied any violation and said the agency’s findings related to consent policies from years ago and not its current practices.
The California-based company said also that it didn’t violate GDPR rules and that Norway’s accusation relies on a series of flawed findings, introduces many untested legal perspectives, and the proposed fine is therefore still entirely out of proportion with those flawed findings.
“Grindr is seen as a safe space, and many users wish to be discrete. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away” Thon noted. “Our investigation has focused on the consent mechanism in place from the GDPR became applicable in Norway in July 2018, and until April 2020 when Grindr changed how the app asks for consent. We have not assessed whether Grindr’s current consent mechanism complies with the GDPR,” said Judin.
The Norwegian Consumer Council also filed complaints against five of the third parties receiving data from Grindr: MoPub (owned by Twitter Inc.), Xandr Inc. (formerly known as AppNexus Inc.), OpenX Software Ltd., AdColony Inc., and Smaato Inc. These cases are ongoing.