Datatilsynet, the Norwegian Data Protection Authority, has issued LGBTQ+ dating app Grindr an advanced notification of a NOK100m (€9.6m/£8.5m) fine – or 10% of turnover as per the General Data Protection Regulation (GDPR) – over its alleged collection and sharing of sensitive user data with third-party advertisers without appropriate consent.
The fine came about as the result of a legal complaint filed last year by Forbrukerrådet, the Norwegian Consumer Council, highlighting how advertising technology companies receive personal data about the interests, habits and behaviour of their users for use in targeted advertising, which can also potentially lead to discrimination, manipulation and exploitation.
Such concerns are amplified when it comes to Grindr, a social networking app that over the years has supplanted traditional cruising for gay men by making casual sexual encounters much easier, because many of its users live in jurisdictions where LGBTQ+ people can be legally discriminated against, making a data leak that would be merely embarrassing to a citizen of a more liberal country potentially devastating to a user in institutionally homophobic countries such as Russia or the UAE.
The data collected by Grindr included chat texts, potentially explicit images, email addresses, display names, physical characteristics such as height, weight and ethnicity, HIV status, details of sexual preferences, location and device data, and linked social media data.
Bjørn Erik Thon, Datatilsynet director-general, said: “The Norwegian Data Protection Authority considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”
In its findings, Datastilsynet said it had concluded Grindr needed consent to share such personal data with advertisers and that it had not obtained valid consent from its users to do so – particularly with regard to special category data on sexual orientation, which merits particular protection under GDPR.
“Grindr is seen as a safe space, and many users wish to be discreet. Nonetheless, their data has been shared with an unknown number of third parties, and any information regarding this was hidden away,” Thon added.
“We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR. Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent ‘take-it-or-leave-it consents’. It is imperative that such practices cease.”
Bjørn Erik Thon, Datatilsynet
Finn Myrstad, Forbrukerrådet director of digital policy, hailed the decision as a vindication of the joint complaint, which also included the European Consumer Organisation (BEUC) and noyb, an Austria-based digital rights non-profit established by Max Schrems.
“This is a milestone in the ongoing work to ensure that consumers’ privacy is protected online. Datatilsynet has clearly established that it is unacceptable for companies to collect and share personal data without users’ permission,” said Myrstad.
“This not only sets limits for Grindr but establishes strict legal requirements on a whole industry that profits from collecting and sharing information about our preferences, location, purchases, physical and mental health, sexual orientation and political views,” he added.
Myrstad said he expected Grindr to ensure any personal data that was unlawfully collected and shared with third-party advertisers was deleted, and warned that other companies and apps that engage in similar profiling activities to take steps to ensure they are compliant with the precedent now established in Norway.
“There are many examples of how personal data is used to manipulate everything from elections to targeting gambling ads against individuals struggling with addiction,” said Myrstad.
“Information about us is often used in completely different contexts from where and when it was collected. For example, health data may be used to determine insurance offers, or to discriminate against groups or individuals on the basis of ethnicity or sexual identity.”
In a statement shared with media, Grindr said it was confident its approach to user privacy was “first-in-class” among social applications, “with detailed consent flows, transparency and control provided to all our users”. It insisted it had retained valid legal consent from all European users whose data falls under GDPR, and re-sought this consent again at the end of 2020 to align with a new version of the GDPR Transparency and Consent Framework.
The collection of personal data to share with third-party advertisers is currently the subject of a wide-ranging investigation by the UK’s Information Commissioner’s Office (ICO), which resumed earlier in January after a lengthy break.