Norwegian regulators have threatened the makers of a popular smartphone dating app with a huge fine for not giving users enough control over their data.
The popular dating app Grindr is facing a NOK 100 million fine in Norway.
Equivalent to about $12m or 10% of revenues, the preliminary fine comes as the Norwegian Data Protection Authority (Datatilsynet) concluded the company had broken European GDPR regulations and shared user data without consent.
If confirmed, the preliminary decision will be the largest ever penalty handed out by Datatilsynet to date.
Sharing personal information “without legal basis”
Grindr is a location-based social networking app for gay, bi, trans, and queer people. In 2020, the Norwegian Consumer Council filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes.
The data in question includes GPS location and user profile data for users of the free version of the app. Datatilsynet's preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid.
The Datatilsynet ruling also stated that “the fact someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection.”
“Datatilsynet considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law, said Bjørn Erik Thon, Director-General of Datatilsynet.
Breaking European data protection rules
Datatilsynet considered that contrary to the EU's GDPR requirements. While Norway is not an EU member, it does abide by the GDPR requirements as part of its close relationship with the bloc and membership of the EEA.
Implemented in 2018, GDPR's primary aim is to give individuals control over their personal data. An important objective is “to prevent take-it-or-leave-it consents,” said Thon.
“Grindr is seen as a safe space, and many users wish to be discrete. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away,” he added.
Grindr can respond
The notice to Grindr is a draft decision. According to Datatilsynet, the company has been given an opportunity to comment, but they only have until mid-February. A finally decision will be made following a review of any input from Grindr.
Datatilsynet also filed complaints against five of the third parties receiving data from Grindr: MoPub (owned by Twitter Inc.), Xandr Inc. (formerly known as AppNexus Inc.), OpenX Software Ltd., AdColony Inc., and Smaato Inc. These cases are ongoing.
It is not the first time the company finds itself in hot water over data sharing. In 2018, a report by Norwegian research institute Sintef claimed Grindr had shared data including HIV status with two third parties. At the time, the company said it had not sold personal user information to third parties or advertisers.