An investigation by the Norwegian Data Protection Authority revealed troubling news, and Grindr was fined 65 million kroner (€6.5m) as a consequence.
Grindr, the popular location-based dating app, was found to have sold sensitive personal data to hundreds of potential advertising partners without its users’ consent. With a history of privacy leaks and security flaws, this is the latest case of Grindr being found to have exposed users’ information.
The Norwegian Data Protection Authority said that sharing such data without seeking explicit consent broke General Data Protection Regulation (GDPR) rules.
“Our conclusion is that Grindr has disclosed user data to third parties for behavioural advertisement without a legal basis,” declared the head of the Norwegian Data Protection Authority’s international department, Tobias Judin.
The investigation began with a complaint made by the Norwegian Consumer Council in 2020 that Grindr was actively disclosing information about its users, including GPS locations, IP addresses, ages, gender and their use of the app, to several third parties.
“Furthermore, the information about the sharing of personal data was not properly communicated to users,” contrary to EU requirements for “valid consent,” said the agency.
The Norwegian DPA found the verified infringements to be “grave”, saying that this was particularly intrusive because data about a person’s sexual orientation constitutes special category data that merits particular protection under GDPR rules.
Although Norway isn’t an EU member state, it closely mirrors EU policies. Consequently, the Norwegian DPA imposed its highest fine to date because of the California-based company’s significant violations.
“It is astonishing that the DPA has to convince Grindr that its users are LGBT+ and that this fact is not a commodity to be bartered,” declared Ala Krinickyte, of the nonprofit European Center for Digital Rights.
Grindr was fined less than the original sum after the company provided further details regarding its financial situation and changed the permissions on the app. However, the regulator said it had not assessed whether the current consent mechanism complied with GDPR and did not eliminate the possibility of ordering Grindr to erase the illegally processed data.
The data protection agency’s decision “sends a strong signal to all companies involved in commercial surveillance,” said Finn Myrstad, the Consumer Council’s director of digital policy.
With rising concerns over data privacy, this fine serves as a reminder that companies can be held accountable when users do not consent to their personal information being sold to advertisers.
© 2021 GCN (Gay Community News). All rights reserved.