The Norwegian Data Protection Authority has said it intends to fine gay dating app Grindr $15 million (AUD) for allegedly sharing user data with third parties for marketing purposes without the express consent of its users.
Grindr has 13.7 million active users and is owned by the Chinese company Kunlun Tech. Grindr’s headquarters are in California, United States.
The Norwegian authorities held that Grindr had violated the European Union’s data protection and privacy law, the General Data Protection Regulation (GDPR). “Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis,” said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.
“Grindr is seen as a safe space, and many users wish to be discreet. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away.”
The Norwegian Data Protection Authority has notified Grindr that we intend to issue an administrative fine of NOK 100 000 000 for not complying with the #GDPR rules on consent. https://t.co/b2trQ8RJqQ
— Datatilsynet (@Datatilsynet) January 26, 2021
The Authority said that it had informed Grindr of its intention to fine it almost 10% of its annual revenue and the company had until February 15 to submit its response.
The Authority said that it wants to prevent “take-it-or-leave-it” consent policies that pressure the user. The ruling was made in a complaint filed by the Norwegian Consumer Council, which had investigated around 10 apps, including Grindr, in 2020. The council called the ruling a “milestone”.
Grindr shared data with third parties, investigation found
“This not only sets limits for Grindr but establishes strict legal requirements on a whole industry that profits from collecting and sharing information about our preferences, location, purchases, physical and mental health, sexual orientation, and political views,” Finn Myrstad, director of digital policy at the Norwegian Consumer Council, said in a statement.
Dating app @Grindr will be fined €10 million, 10% of global turnover for sharing personal data with commercial third parties in breach of the #GDPR, as a result of our legal complaint & report. https://t.co/gzZGQkkAWB #privacy #adtech
— Finn Lützow-Holm Myrstad (@finnmyrstad) January 26, 2021
In its investigations, the Council reported that Grindr was not informing consumers as to how their personal data was being collected or shared with third parties. If a consumer wanted to use the app, they had to accept this data sharing with third parties.
The Council in its report said that its technical testing revealed that a number of third parties received personal data from Grindr “including users’ IP addresses in combination with the Android Advertising ID and other identifiers, metadata related to sexual preferences, and precise GPS coordinates.”
Violation of User’s Privacy Rights
According to Max Schrems, founder of the European privacy non-profit NGO noyb, every time someone opened the app, advertisement networks would receive their location, device identifiers and the information that they were using a gay dating app. Schrems said in a statement that it was “an insane violation of users’ EU privacy rights”.
This is not the first time that Grindr has found itself answering questions about how it uses data. In 2018, it was reported that Grindr was sharing the HIV status of its users with a third party. Grindr subsequently said that it would not share this information with third parties.
In 2019, Star Observer reported that Australian Grindr users were being targeted by internet scammers. In June 2020, Grindr said it was removing the ethnicity filters on its app after years of being criticised for allowing them.