Grindr hit with £8.6 million fine for GDPR consent breach


Online dating service Grindr has been fined 100,000,000kr (roughly £8.6 million) by the Norwegian data watchdog for sharing its users’ personal data with third-party advertisers without seeking adequate consent.

Following a lengthy investigation, the Norwegian Data Protection Authority (Datatilsynet) has concluded that Grindr shared user data, including special category personal data, with third parties for marketing purposes. This data included GPS locations, user profile data, and the fact the user in question was on Grindr, information that not all users would be willing to disclose.

Based on its preliminary findings, Datatilsynet concluded that Grindr violated Article 6(1) and Article 9(1) of the data protection laws, which relate to illegally sharing user data with third parties without sufficient user consent.

“Our view is that these people have had their personal data shared unlawfully,” said director-general of the Norwegian regulator, Bjørn Erik Thon.

“An important objective of the GDPR is precisely to prevent take-it-or-leave-it “consents”. It is imperative that such practices cease.”

The company was accused of sharing users’ data with advertisers through software development kits (SDKs), with the advertising partners in question including Twitter’s MoPub platform, Xandr, OpenX, AdColony, and Smaato.

The regulator’s provisional fine represents a figure that’s roughly 11% of the company’s annual turnover, based on its calculations. This figure is “effective, proportionate and dissuasive”, according to Datatilsynet, and follows guidance set out under GDPR for how regulators should approach administering financial penalties.

Grindr markets itself as the world’s largest dating app for the LGBTQ+ community and boasts 13.7 million active users across more than 200 countries.

The Norwegian watchdog’s fine follows an official probe sparked by an earlier investigation led by the Norwegian Consumer Council. This initial investigation found the vendors of several widely-used apps were sharing data with third parties without adequate user consent, with its findings published in January 2020.

The ruling carries huge significance, given a litany of comparable social media and tech companies may be operating data-sharing models similar in nature to that used by Grindr.

The document only represents a draft decision, however, and Grindr has been given the opportunity to respond by 15 February. The regulator will make its final decision once Grindr's representations are taken into account.

Datatilsynet is also in the midst of ongoing investigations into the five advertisers name-checked in the report: Twitter’s MoPub, Xandr, OpenX, AdColony, and Smaato.

"Grindr is a social movement and a cultural phenomenon," the company told IT Pro. "Our goal is to create the leading social and digital media platform that enables the LGBTQ+ community and other users to discover, share and navigate the world around them.

"Grindr is confident that our approach to user privacy is first-in-class among social applications with detailed consent flows, transparency, and control provided to all of our users."

"The allegations from the Norwegian Data Protection Authority date back to 2018 and do not reflect Grindr's current Privacy Policy or practices. We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority."

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.