Dating app Grindr has been fined €6.5m (£5.5m) for selling user data to advertisers without their explicit consent.
The fine was issued by the Norwegian Data Protection Authority (DPA) for “grave” infringements of GDPR rules. This was because Grindr shared highly sensitive ‘special category’ data with third parties without users' explicit consent, which is a requirement under the regulation. This includes GPS location, IP address, advertising ID, age and gender. Additionally, the third parties knew the user was on Grindr, a dating app for gay, bi, trans and queer people, meaning their sexual orientation data was exposed.
Users were forced to agree to the company’s privacy policy without being asked specifically if they consented to the sharing of their data for behavioral purposes.
Tobias Judin, head of the Norwegian DPA’s international department, explained: "Our conclusion is that Grindr has disclosed user data to third parties for behavioral advertisement without a legal basis."
The €6.5m penalty is the largest fine issued by the Norwegian data protection authority. However, this figure was reduced from £8.6m after Grindr provided details about its financial situation and had changed permissions on its app. However, the regulator added that it has not assessed whether this new consent mechanism complied with GDPR.
Grindr now has three weeks to decide whether to launch an appeal.
The Norwegian DPA’s decision was welcomed by consumer rights group the European Consumer Organisation (BEUC). Ursula Pachl, deputy director general of the BEUC, outlined: “Grindr illegally exploited and shared its users’ information for targeted advertising, including sensitive information about their sexual orientation. It is high time the behavioral advertising industry stops tracking and profiling consumers 24/7. It is a business model which clearly breaches the EU’s data protection rules and harms consumers. Let’s now hope this is the first domino to fall and that authorities start imposing fines on other companies as the infringements identified in this decision are standard surveillance ad-tech industry practices.”
The case is another example of the stricter approach regulators are taking to GDPR enforcement in the past year or so. In September, WhatsApp was fined €225m by Ireland’s Data Protection Commission (DPC) for failing to discharge GDPR transparency obligations, while Amazon was hit with a $886.6m fine for allegedly failing to process personal data in accordance with the law in July.
Commenting on the story, Jamie Akhtar, CEO and co-founder of CyberSmart, said: “Although GDPR has been around for a while now, it’s only in the last few years that we’ve seen regulators take a hard-line approach. With legislators all over the world beginning to follow the EU’s lead and draft their own regulations, there’s never been a better time to make sure your business is processing data responsibly.”
Reflecting on the case in the context of current trends around GDPR enforcement, Jonathan Armstrong, partner at legal firm Cordery Compliance stated: "I think the case confirms a couple of trends we are seeing. Firstly, regulators are getting more aggressive in enforcing data protection laws. GDPR fines alone are now over €1.3bn and we know there is at least another €100m coming through the system in the next few weeks. Secondly, transparency is a key theme of data protection enforcement. When GDPR was coming in some people said it was all about security – this proves that that’s just wrong. Organizations need to be clear about the data they are collecting, how they are using it and who they are sharing it with. Thirdly, it also shows the power of the activist. One of the people behind the original complaint, Max Schrems has a real track record of privacy campaigns that get results. Activists and litigants are becoming more prominent and this trend will continue too."