Grindr, the gay social networking and dating app, failed to give its users the privacy that the law—in Europe, at least—demands.
That’s the finding of the Norwegian Data Protection Authority, which upheld complaints by privacy and consumer-protection campaigners over Grindr’s past sharing of sensitive personal data with third parties, including Twitter and various ad-tech companies. The violations took place between 2018 and 2020.
The Norwegian watchdog hit Grindr with a fine of €10 million ($11.6 million), which is astonishingly high when measured against Grindr’s estimated revenues of over $100 million in 2019—it represents around a third of Grindr’s net profit for that year.
The European Union’s 2018 General Data Protection Regulation (GDPR) allows for fines up to 4% of global annual revenues, or up to €20 million, whichever is higher. Norway is not in the EU, but it is in the European Economic Area (EEA), which means the GDPR applies there too.
Why such a heavy fine? Because Grindr’s offenses were so egregious.
Sexual orientation plus location
The company shared data on users’ sexual orientation—an extra-protected form of sensitive data under the GDPR’s terms—with third parties, without the users’ freely-given consent. Specifically, it told these third parties that the Grindr user was a Grindr user; given the app’s focus, the watchdog said that was enough to qualify as information about sexual orientation. (Grindr unsuccessfully tried to argue that some of its users are straight or bi-curious, so the use of Grindr did not reveal their actual orientation.)
Grindr also gave those third parties precise data about users’ locations.
“Data concerning sexual orientation merit special protection under the GDPR, as disclosure of such data could put the data subject’s rights and freedoms at risk and cause grave harm,” the regulator said in a letter to Grindr’s lawyers informing them of the fine. “Combined with exact location data, Grindr puts the data subject at even greater risk.”
Users could avoid having their data shared with advertisers if they upgraded to the paid version of Grindr, but the fact that they would lose the ability to use the free version if they did not consent to the data-sharing meant their consent was invalid under the GDPR.
The violations took place under Grindr’s previous ownership. Last year, the Trump administration forced the Chinese mobile company Kunlun to sell Grindr, though it didn’t explain why. The buyer was a U.S.-based firm called San Vicente Acquisition Partners.
Grindr’s new owners implemented a new consent management platform in April 2020—a few months after the regulator received complaints from the Norwegian Consumer Council and NOYB (“none of your business”), the non-profit run by the Austrian data-protection activist Max Schrems.
“An app for the gay community, that argues that the special protections for exactly that community actually do not apply to them, is rather remarkable. I am not sure if Grindr’s lawyers have really thought this through,” snarked Schrems in a Tuesday statement.
Lessons for many businesses
When calculating the fine, the Norwegian Data Protection Authority noted that Grindr broke the GDPR’s terms as soon as the law came into effect in May 2018, and continued to do so into 2020. What’s more, the GDPR came into effect only after a two-year period in which companies were supposed to ensure their data policies were ready for the new rules.
According to the complainants, companies of all kinds should take note of how the Norwegian regulator handled the consent question.
“The message is simple: ‘take it or leave it’ is not consent,” said Ala Krinickyté, one of the organization’s lawyers, in the statement. “If you rely on unlawful ‘consent’ you are subject to a hefty fine. This does not only concern Grindr, but many websites and apps.”
“We now expect Grindr to ensure that any personal data that was illegally collected and shared with third party companies is deleted. Other companies and apps that engage in similar activities should ensure that they are operating in accordance with the legal precedence that has now been established,” said Finn Myrstad, the Norwegian Consumer Council’s director of digital policy, in a separate statement.
Grindr now has 21 days in which to object to the Norwegian watchdog’s decision.
“We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority,” the company told the New York Times.