Top

Norway fines dating app Grindr €6.5M over privacy breach

The California based dating app is accused of violating the GDPR rules

The Norwegian Data Protection Authority has imposed an administrative fine of approximately 6.5 million euros (65.000.000 NOK) to the dating app Grindr over allegations of not complying with the GDPR rules on consent.

According to Norway’s data privacy watchdog the very popular dating app is accused of sending sensitive personal data to hundreds of potential advertising companies without users’ consent, a practice which consists of a violation of the European Union privacy rules.

Recently, the Norwegian Consumer Council filed a complaint against the location-based social networking app claiming that Grindr shared personal data, such as GPS location, IP address, advertising ID, age, and gender, with third parties for marketing purposes.

“Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection” said the Norwegian Data Protection Authority.

As stated by Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority, “this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law”.

Even though Norway isn’t a member of the European Union, it is closely following EU rules and mirroring the EU’s tough data protection regulations. Grindr has 13.7 million active users, of which thousands reside in Norway.

“We conclude that Grindr has disclosed user data to third parties for behavioral advertisement without a legal basis”, said Tobias Judin, head of the Norwegian Data Protection Authority’s international department. “The Norwegian Data Protection Authority has concluded that consent was the applicable legal basis in this case, but that the purported consents Grindr collected for sharing personal data with advertising partners were not valid” he added.

Grindr denies accusations

In response to Norway’s data privacy watchdog accusations, Grindr denied any violation and said the agency’s findings related to consent policies from years ago and not its current practices.

The California-based company said also that it didn’t violate GDPR rules and that Norway’s accusation relies on a series of flawed findings, introduces many untested legal perspectives, and the proposed fine is therefore still entirely out of proportion with those flawed findings.

“Users were forced to accept the privacy policy in its entirety to use the app, and they were not asked specifically if they wanted to consent to the sharing of their data with third parties. Furthermore, the information about the sharing of personal data was not properly communicated to users. We consider that this was contrary to the GDPR requirements for valid consent” said the Norwegian Data Protection Authority.

“Grindr is seen as a safe space, and many users wish to be discrete. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away” Thon noted. “Our investigation has focused on the consent mechanism in place from the GDPR became applicable in Norway in July 2018, and until April 2020 when Grindr changed how the app asks for consent. We have not assessed whether Grindr’s current consent mechanism complies with the GDPR,” said Judin.

The Norwegian Consumer Council also filed complaints against five of the third parties receiving data from Grindr: MoPub (owned by Twitter Inc.), Xandr Inc. (formerly known as AppNexus Inc.), OpenX Software Ltd., AdColony Inc., and Smaato Inc. These cases are ongoing.

George Mavridis is a journalist currently conducting his doctoral research at the Department of Journalism and Mass Media at Aristotle University of Thessaloniki (AUTH). He holds a degree from the same department, as well as a Master’s degree in Media and Communication Studies from Malmö University, Sweden, and a second Master’s degree in Digital Humanities from Linnaeus University, Sweden. In 2024, he completed his third Master’s degree in Information and Communication Technologies: Law and Policy at AUTH. Since 2010, he has been professionally involved in journalism and communication, and in recent years, he has also turned to book writing.