Grindr, a location-based dating app aimed at the LGBTQ community, has been fined €6.5m (£5.5m) for selling user data to advertisers.
The Norwegian Data Protection Authority said that sharing such data without seeking explicit consent broke GDPR rules.
The fine was reduced from £8.6m after Grindr provided details about its financial situation, and made changes to its app.
Grindr was contacted for comment.
“Our conclusion is that Grindr has disclosed user data to third parties for behavioural advertisement without a legal basis,” said Tobias Judin, head of the Norwegian Data Protection Authority’s (DPA) international department.
Its investigation was based on a complaint from the Norwegian Consumer Council.
The fine, the largest the Norwegian DPA has issued, is large because the regulator considered the infringements to be “grave”.
Data which it found the app had shared with third parties included GPS location, IP address, advertising ID, age, gender and the fact that the user was on Grindr.
This was particularly intrusive because data about a person’s sexual orientation constitutes special category data that merits particular protection under GDPR rules, it added.
The fine had originally been higher, but was reduced after Grindr provided information about its size and financial situation. The fact that the firm has now changed the permissions on the app was also taken into account.
The regulator said it had not assessed whether the current consent mechanism complied with GDPR.
And it did not rule out the possibility of ordering Grindr to erase the illegally processed personal data.
Grindr has three weeks to lodge an appeal.