An investigation by the Norwegian Data Protection Authority revealed troubling news, and Grindr was fined 65 million kroner, €6.5m, as a consequence.

Grindr, the popular location-based dating app, was found to have sold sensitive personal data to hundreds of potential advertising partners without its users’ consent. With a history of privacy leaks and security flaws, this is the latest case of Grindr being found to have exposed users information.

The Norwegian Data Protection Authority said that sharing such data without seeking explicit consent broke GDPR, General Data Protection Regulation, rules.

“Our conclusion is that Grindr has disclosed user data to third parties for behavioural advertisement without a legal basis,” declared the head of the Norwegian Data Protection Authority’s international department, Tobias Judin.

The investigation began with a complaint made by the Norwegian Consumer Council in 2020 that Grindr was actively disclosing information about its users, including GPS locations, IP addresses, ages, gender and their use of the app, to several third parties.

The data privacy watchdog said users “were forced to accept the privacy policy in its entirety to use the app” and were not asked specifically if they wanted to allow their data to be shared with third parties “for behavioural advertisement.”

“Furthermore, the information about the sharing of personal data was not properly communicated to users,” contrary to EU requirements for “valid consent,” said the agency.

The Norwegian DPA found the verified infringements to be “grave”, saying that this was particularly intrusive because data about a person’s sexual orientation constitutes special category data that merits particular protection under GDPR rules.

Although Norway isn’t a member-state, it closely mirrors EU policies. Consequently, the Norwegian DPA imposed its highest fine to date because of the California-based company’s significant violations.

“It is astonishing that the DPA has to convince Grindr that its users are LGBT+ and that this fact is not a commodity to be bartered,” declared Ala Krinickyte, of the nonprofit European Center for Digital Rights.

Grindr was fined less than the original sum after the company provided further details regarding its financial situation and changed the permissions on the app. However, the regulator said it had not assessed whether the current consent mechanism complied with GDPR and did not eliminate the possibility of ordering Grindr to erase the illegally processed data.

The data protection agency’s decision “sends a strong signal to all companies involved in commercial surveillance” said Finn Myrstad, the Consumer Council’s director of digital policy.

With rising concerns over data privacy, this fine serves as a reminder that companies can be held accountable when users do not consent to their personal information being sold to advertisers.