Grindr’s gay dating app faces a fine of more than $10 million from Norwegian authorities for failing to get customer permission before sharing their personal information with advertisement agencies, in violation of strict privacy laws of the European Union.
On Tuesday, the Norwegian data protection watchdog said it told Grindr LLC of its draught decision to issue a fine of 100 million Norwegian crowns ($11.7 million), equivalent to 10 percent of the global sales of the U.S. firm.
Following a lawsuit by the Norwegian Consumer Council arguing that personal data was exchanged inappropriately for marketing purposes, the Data Protection Authority took action. Last year, the council outlined in a study how Grindr and other dating apps leaked personal information for targeted advertisements to advertising technology firms in ways that the council claimed breached the tough EU GDPR privacy laws.
Norway is not an EU member, but it closely mirrors the laws and regulations of the bloc.
“This is a serious case for the Norwegian Data Protection Authority,” said Director-General Bjorn Erik Thon. “Users were not in a position to exercise real and effective control over their data sharing.”
The group has until Feb. 15 to provide comments, which the watchdog will take into consideration for its final decision.
Grindr said it was looking forward to having a “productive dialogue” on the accusations with Norwegian authorities, which it said date back to 2018 and do not represent existing privacy policies or procedures.
The privacy strategy of the app requires “detailed consent flows, transparency, and control” given to all customers, the company said, noting that “on several occasions” it has “retained valid legal consent” from all of its European users.
In view of changing privacy laws and legislation, we constantly strengthen our privacy policies,” the company said in a statement.”
The tentative finding of the watchdog is that Grindr exchanged consumer data without any legitimate justification with a variety of third parties. GPS location, user profile details and the fact that users are on Grindr is included in the results, which may suggest their sexual orientation.
In its note to Grindr, disclosing such information could place anyone at risk of being attacked, the authority said.
“Even without revealing their specific sexual orientation, the fact that a person is a Grindr user can lead to prejudice and discrimination,” it said.
The Data Protection Authority said that the way Grindr requested users for permission to use their data went against the “valid consent” provisions of the GDPR. Users were not given the option to opt out of sharing data with third parties and were required to embrace the privacy policy of Grindr in its entirety, it said, adding that users were not sufficiently told about the sharing of data.
The watchdog is also probing five “ad tech” firms that have acquired data from Grindr, including MoPub, which has more than 160 partners, the smartphone app advertisement site of Twitter.
The fine was welcomed by the Norwegian Consumer Council.
“We hope that this will mark the starting point of many similar decisions against companies engaged in the purchase and sale of personal data,” said Finn Myrstad, the Group’s Digital Policy Officer.
