The 100m krone penalty was announced yesterday by the Norwegian Data Protection Authority (NDPA), an agency of the Norwegian Government.
The fine follows an investigation which concluded the service was sharing user information with advertisers with “invalid consent” and without users being able to “exercise real and effective control over the sharing of their data”, according to Bjørn Erik Thon, Director-General of the NDPA.
“It is unacceptable for companies to collect and share personal data without users’ permission”
“Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis,” he continued.
“Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law,” added Thon.
According to an NDPA statement, the agency filed a complaint against Grindr last year claiming “unlawful sharing of personal data with third parties for marketing purposes. The data shared include GPS location, user profile data, and the fact that the user in question is on Grindr.”
The statement adds: “Our investigation has focused on the consent mechanism in place from [when] the GDPR became applicable until April 2020, when Grindr changed how the app asks for consent. We have not to date assessed whether the subsequent changes comply with the GDPR.”
The fine is not a final decision and Grindr has until 15 February to comment on the findings.
The figure – which would be the NDPA’s highest to date – is around 10% of the app’s global annual revenue, says the agency.
“If someone finds out that users are gay and knows their movements, they may be harmed,” commented Tobias Judin, head of the NDPA’s international department. “We’re trying to make these apps and services understand that this approach – not informing users, not gaining a valid consent to share their data – is completely unacceptable.”
In a statement to the New York Times, a Grindr rep said it had obtained “valid legal consent from all” European users on multiple occasions and was confident that its “approach to user privacy is first in class”.
“We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority,” the statement continued.
Attitude has approached Grindr for additional comment.
Update: A new statement from a Grindr spokesperson provided to Attitude reads: “Grindr is a social movement and a cultural phenomenon. Our goal is to create the leading social and digital media platform that enables the LGBTQ+ community and other users to discover, share and navigate the world around them. Grindr is confident that our approach to user privacy is first-in-class among social applications with detailed consent flows, transparency, and control provided to all of our users. For example, Grindr has retained valid legal consent from ALL of our EEA users on multiple occasions. We most recently required all users to provide consent (again) in late 2020 to align with the GDPR Transparency and Consent Framework (TCF) version 2 which was developed by the IAB EU in consultation with the UK ICO.
“For more information on Grindr’s industry-leading privacy practices, please read the recent blog post written by Shane Wiley, Grindr’s Chief Privacy Officer.”