The Norwegian Data Protection Authority has announced its intent to fine dating app Grindr €10 million for sharing user data with advertisers for marketing purposes.
The decision came in response to a complaint filed last year by the Norwegian Consumer Council and Austrian privacy activist Max Schrems, who accused Grindr of sharing personal details of its users with advertising companies. These details included users' GPS locations, sexual preferences, purchase details, mental health status, and political views.
When announcing the authority's intent to issue a fine of 100,000,000 NOK (£8.45 million) to Grindr, Bjørn Erik Thon, the Director-General of the Norwegian Data Protection Authority (Datatilsynet), said that the company had shared user data with a number of third parties without legal basis and had, therefore, violated the GDPR.
“Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection.
“The Norwegian Data Protection Authority considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law,” Thon added.
“Grindr is seen as a safe space, and many users wish to be discreet. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away,” Thon added. The fact that Grindr markets itself as a social networking app for gay, bi, trans, and queer people makes its user data more sensitive and worthy of added protections.
Datatilsynet said Grindr committed grave violations of GDPR and that any administrative fine imposed on the company should be "effective, proportionate and dissuasive". Therefore, it decided to issue a fine that amounted to 10% of Grindr's global turnover, which exceeds 100 million USD.
The authority, however, said the notification is still a draft decision and that Grindr has been given until 15th February to respond to it. Once the reply is reviewed, a final decision on the monetary fine will be taken. The Norwegian Consumer Council also filed a complaint against five third parties who bought data from Grindr, and the investigation is still ongoing.
This is not the first time that Grindr has faced criticism or regulatory action for monetising the personal data of its users. In 2018, Buzzfeed News revealed that the social networking company was sharing its users' HIV status and when they were last tested with two third-party app-optimisation companies named Apptimize and Localytics.
“The limited information shared with these platforms is done under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy,” Grindr’s chief technology officer Scott Chen told BuzzFeed News.
At that time, Evgeny Chereshnev, CEO and founder of Biolink.Tech, told TEISS that where a company has access to confidential information such as HIV status, sexual orientation or even information on deadly allergies, sharing it with other parties should be illegal.
"This type of highly personal information is like gold to hackers and can be used for blackmail, extortion or manipulation, where a lot of damage could be done to a person's life. If this type of information was discovered by a prospective employer, for example, it could cost you the job. In some countries, simply being gay is enough to get you killed, let alone not employed or fired!
"Our personal information needs to be owned by us; and only we should have visibility as to where and how this data is used, and on what basis," he added.
Recently, CNIL, the French data protection commission, also issued a fine of 50 million euros (£44 million) to Google for failing to adhere to GDPR requirements while obtaining consent from users to process their personal data for delivering personalised advertisements.
CNIL said that Google had violated GDPR in the way it obtained user consent for the collection of personal data: the company did not obtain specific or unambiguous consent for processing personal data for different websites or applications, nor were users sufficiently informed about how or for what purposes their personal data would be processed.
CNIL also fined Google and its subsidiary Google Ireland Ltd a total of €100 million for automatically placing advertising cookies on users' devices without obtaining prior consent, thereby amassing huge advertising income at the expense of users' privacy.
Even though Google changed its policy regarding the placement of cookies after CNIL highlighted the company's data protection failings, CNIL observed that a new information banner put up by Google on google.fr did not allow users to understand the purposes for which the cookies were used and did not let them know that they could refuse these cookies.