Datatilsynet Decision Says Grindr Shared User Data Without Consent
Dating app Grindr is facing a €9.6 million from Datatilsynet, the Norwegian Data Protection Authority.
In 2020, the Norwegian Consumer Council filed the complaint against Grindr claiming that Grindr has violated the General Data Protection Data Regulation (GDPR) rules on data privacy.
“Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority,” Datatilsynet stated in the announcement.
READ Dating Site Data Breach Exposes 2.3M Users
The violation alleges that Grindr shared users’ data with a third-party service – including GPS location, user profile data, and the person is on Grindr – for marketing.
The GDPR violation fine is about 10 % of the company’s annual revenue which is NOK 100 000 000 (€ 10 million or about $12M USD.)
Grindr is an app for gay, bisexual, transsexual, and queer people to connect.
Grindr users fall into a category that warrants is “special category data that merit particular protection.” According to Norway’s Datatilsynet.
- “Having disclosed personal data to third party advertisers without a legal basis”;
- “Having disclosed special category personal data to third party advertisers without a valid exemption from the prohibition in article 9(1) GDPR,” which provides exemptions for certain types of data, none of which are for advertising purposes.
READ Marriott Fined £18.4 M for GDPR Privacy Data Breach
“Users were forced to accept the privacy policy in its entirety to use the app, and they were not asked specifically if they wanted to consent to the sharing of their data with third parties.”
User data was shared with an unknown number of third-party services.
The information that was shared was not disclosed to Grindr’s users. Users were not clear on which data could be shared and what could be withheld.
