The Norwegian Data Protection Authority has notified Grindr LLC (Grindr) that we intend to issue an administrative fine of NOK 100 000 000 for not complying with the GDPR rules on consent.
– Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.
Grindr is a location-based social networking app for gay, bi, trans, and queer people. In 2020, the Norwegian Consumer Council filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared include GPS location, user profile data, and the fact that the user in question is on Grindr.
Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection.
– The Norwegian Data Protection Authority considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.
The Norwegian Data Protection Authority considers that as a general rule, consent is required for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering. The same applies where a commercial app wishes to share data concerning users’ sexual orientation.
– Grindr is seen as a safe space, and many users wish to be discrete. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away, Thon added.
Could result in highest Norwegian DPA fine to date
An administrative fine should be effective, proportionate and dissuasive.
– We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR. Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent take-it-or-leave-it “consents”. It is imperative that such practices cease, Thon emphasised.
We have based our calculations on a conservative estimate of Grindr’s worldwide annual turnover, according to which the turnover approaches € 100 000 000 M. This means that our proposed fine will constitute approximately 10 % of the company’s turnover.
Applicability of the GDPR
Although Grindr does not have any establishments within the EEA, the company is subject to the GDPR by virtue of its Article 3.2. Pursuant to this provision, the GDPR applies to controllers that offer goods or services to, or that monitor the behaviour of, people in the EEA.
Our investigation has focused on the consent mechanism in place from the GDPR became applicable until April 2020, when Grindr changed how the app asks for consent. We have not to date assessed whether the subsequent changes comply with the GDPR.
Not a final decision
The document we have issued to Grindr is a draft decision. Grindr has been given the opportunity to comment on our findings within 15 February 2021. We will make our final decision once we have assessed any remarks the company may have.
Our draft decision concerns the free version of the Grindr app.
The Norwegian Consumer Council also filed complaints against five of the third parties receiving data from Grindr: MoPub (owned by Twitter Inc.), Xandr Inc. (formerly known as AppNexus Inc.), OpenX Software Ltd., AdColony Inc., and Smaato Inc. These cases are ongoing.
You can read the press release on the Norwwegian DPA’s website here.
For more information, please contact the Norwegian DPA: International@datatilsynet.no
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.