Grindr, a gay, bi, trans and queer hook-up app, is on the hook for a penalty of NOK100,000,000 (aka €10M or ~$12.1M) in Europe.
Norway’s data protection agency has announced it’s notified the US-based company of its intention to issue the fine in relation to consent violations under the region’s General Data Protection Regulation (GDPR) which sets out strict conditions for processing people’s data.
The size of the fine is notable. GDPR allows for fines to scale up to 4% of global annual turnover or up to €20M, whichever is higher. In this case Grindr is on the hook for around 10% of its annual revenue, per the DPA. (Although the sanction is not yet final; Grindr has until February 15 to submit a response before the Datatilsynet issues a final decision.)
“We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR,” said Bjørn Erik Thon, DG of the agency, in a statement. “Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent take-it-or-leave-it ‘consents’. It is imperative that such practices cease.”
Grindr has been contacted for comment.
Last year a report by Norway’s Consumer Council (NCC) delved into the data sharing practices of a number of popular apps in categories such as dating and fertility. It found the majority of apps transmitted data to “unexpected third parties”, with users not clearly informed how their information was being used.
Grindr was one of the apps featured in the NCC report. And the Council went on to file a complaint against the app with the national DPA, claiming unlawful sharing of users’ personal data with third parties for marketing purposes — including GPS location; user profile data; and the fact the user in question is on Grindr.
Under the GDPR, an app user’s personal data may be legally shared if you obtain their consent to do so. However there are a set of clear standards for consent to be legal — meaning it must be informed, specific and freely given. The Datatilsynet found that Grindr had failed to meet this standard.
It said users of Grindr were forced to accept the privacy policy in its entirety — and were not asked if they wanted to consent with the sharing of their data to third parties.
Additionally, it said sexual orientation could be inferred by a user’s presence on Grindr; and under regional law such sensitive ‘special category’ data carries an even higher standard of explicit consent before it can be shared (which, again, the Datatilsynet said Grindr failed to get from users).
“Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection,” it writes in a press release.
“The Norwegian Data Protection Authority considers that this is a serious case,” added Thon. “Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”
The decision could have wider significance as a similar ‘forced consent’ complaint against Facebook is still open on the desk of Ireland’s data protection watchdog — despite being filed back in May 2018. For tech giants that have have set up a regional base in Ireland, and made an Irish entity legally responsible for processing EU citizens’ data, GDPR’s one-stop-shop mechanism has led to considerable delays in complaint enforcement.
Grindr, meanwhile, changed how it obtains consent in April 2020 — and the proposed sanction deals with how it was handling this prior to then, from May 2018, when the GDPR came into force.
“We have not to date assessed whether the subsequent changes comply with the GDPR,” the Datatilsynet adds.
After its report last year, the NCC also filed complaints against five of the third parties who it found to be receiving data from Grindr: MoPub (owned by Twitter), Xandr (formerly known as AppNexus), OpenX Software, AdColony, and Smaato. The DPA notes that those cases are ongoing.
Following the NCC report in January 2020, Twitter told us it had suspended Grindr’s MoPub account while it investigated the “sufficiency” of its consent mechanism. We’ve reached out to Twitter to ask whether it ever reinstated the account and will update this report with any response.
European privacy campaign group noyb, which was involved in filing the strategic complaints against Grindr and the adtech companies, hailed the DPA’s decision to uphold the complaints — dubbing the size of the fine “enormous” (given Grindr only reported profits of just over $30M in 2019, meaning it’s facing losing about a third of that at one fell swoop).
noyb also argues that Grindr’s switch to trying to claim legitimate interests to continue processing users’ data without obtaining their consent could result in further penalties for the company.
“This is in conflict with the decision of the Norwegian DPA, as it explicitly held that “any extensive disclosure … for marketing purposes should be based on the data subject’s consent“,” writes Ala Krinickytė, data protection lawyer at noyb, in a statement. “The case is clear from the factual and legal side. We do not expect any successful objection by Grindr. However, more fines may be in the pipeline for Grindr as it lately claims an unlawful ‘legitimate interest’ to share user data with third parties — even without consent. Grindr may be bound for a second round.”