Grindr Faces $11.7m Data Privacy Fine

The world's largest social networking and dating app for gay, bisexual and trans people is facing a hefty fine in Norway over an alleged breach of data privacy. 

On Tuesday, Norway’s Data Protection Authority (NDPA) announced its intention to fine Grindr 100 million Norwegian crowns ($11.7m) for illegally disclosing user data to advertising firms.

The American company, which launched back in 2009, said that the allegations made by the Norwegian regulator hark back to 2018, when Grindr had different privacy policies and practices in place.

The large financial penalty corresponds to approximately 10% of Grindr’s estimated global annual revenue.

"Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis," said Bjørn Erik Thon, data protection commissioner of the NDPA.

The Norwegian Consumer Council filed a complaint against Grindr last year, accusing the company of unlawfully sharing the personal data of app users with third parties for marketing purposes. User information allegedly shared included user profile data, GPS location, and the fact that the user was on Grindr.

In the advance notification of an administrative fine issued to Grindr, Thon wrote that the NDPA had received three complaints from the Norwegian Consumer Council (NCC) in January 2020 regarding the company's data practices.

The complaints addressed concerns on the data sharing between Grindr and its advertising partners Twitter, Xandr, OpenX Software, AdColony, and Smaato.

An investigation into the complaints found that to use the app, users were forced to accept Grindr's privacy policy in its entirety and were not asked specifically if they wanted to consent to the sharing of their data with third parties. 

"Grindr is seen as a safe space, and many users wish to be discrete. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away," said Thon.

Grindr has 13.7 million active users, of which thousands reside in Norway. The company has been given until February 15, 2021, to comment on the NDPA's findings.

The NCC also filed complaints against five of the third parties receiving data from Grindr: MoPub (owned by Twitter), Xandr, OpenX Software, AdColony, and Smaato. These cases are ongoing.

What’s Hot on Infosecurity Magazine?