Grindr, which claims to be the world’s largest social networking app for gay, bi, trans, and queer people, is facing a battering for sharing personal data with third parties through adtech systems, in what could be a landmark ruling under the GDPR regime.
The Norwegian Data Protection Authority (Datatilsynet) has notified Grindr that it intends to issue a fine of 100m krona (£8.5m) – equivalent to 10% of its annual turnover – for sharing users’ data without adequate consent.
The move follows a complaint registered by the Norwegian Consumer Council (NCC) which claimed Grindr had been handing out sensitive user information willy-nilly to ad companies, in what it branded an “insane violation” of GDPR.
The data shared included GPS location and user profile data, and the regulator’s preliminary conclusion is that Grindr needs consent to share these personal data and that these consents were not valid. Additionally, the DPA believes that the fact that someone is a Grindr user speaks to their sexual orientation, and this data is “special category” information that requires tougher protection as it could reveal details about someone’s sexual orientation.
Bjørn Erik Thon, director-general of the Norwegian Data Protection Authority, said: “We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR.
“Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”
Grindr, which has yet to respond to the proposed fine, has until February 15 to challenge the ruling before the regulator makes its final decision.
Although not a member of the EU, Norway is a member of the European Economic Area (EEA) and GDPR became applicable in Norway on July 20 2018. If confirmed, the fine will be the Norwegian Data Protection Authority’s largest penalty to date.
Investigations into complaints filed against the five advertising companies that received the data – Twitter-owned MoPub, Xandr (formerly AppNexus), OpenX Software, AdColony, and Smaato – continue.
Grindr faces privacy probe as Chinese owners jump
Swipe left: Top apps accused of ‘insane’ GDPR violation
Faking it: Match Group hit by legal action over false ads
Gay dating app Jack’d slapped with $240,000 payout
Casual dating giant spanked over shoddy data practices
Match jumps into bed with Mediacom for data-led task
eHarmony ‘lasting love’ ad dumped over data mismatch
Ashley Madison offers $11.2m to clean up messy breach