Grindr was fined heavily for sharing user data without consent


Grindr, a dating app, has been fined €6.3 million by Norwegian authority Datatilsynet for exchanging user data with marketers without their agreement.

The fine was imposed on December 13 after Datatilsynet filed a complaint against Grindr in 2020, alleging that the business was improperly exchanging user data with third parties. GPS, IP address, age, and gender are among the information collected.

Users have to accept Grindr’s data rules in order to access the app, according to Tobias Judin, the head of Norway’s Data Protection Authority, making appropriate consent impossible.

Following an initial judgement in January 2021, Datatilsynet penalised Grindr roughly €10 million, although this sum was later reduced after evaluating Grindr’s revenue figures. Despite the fact that the amount has been reconsidered, Norway still deems Grindr’s offence to be “severe” – most likely because the data acquired, including gender, is subject to the EU’s GDPR standards.

The penalties, according to Finn Myrstad, who runs the organisation that filed the original complaint, “sends a strong signal to all companies involved in commercial surveillance.” Sharing personal data without a legal basis can have severe repercussions. We urge that digital advertising industry make fundamental changes in order to uphold the consumer rights.”

In a statement, Grindr strongly pushed back: “We strongly disagree with Datatilsynet’s reasoning, which concerns historical consent practices from years ago, not our current consent practices or Privacy Policy. Even though Datatilsynet has lowered the fine compared to their earlier letter, Datatilsynet relies on a series of flawed findings, introduces many untested legal perspectives, and the proposed fine is therefore still entirely out of proportion with those flawed findings.”

Grindr has three weeks to file a formal appeal against the ruling.

The agency decided that Grindr’s user consent for the use of private data obtained between July 2018 and April 2020 was invalid, he added.

Grindr informed Reuters in January that its data consent policies had changed. On Wednesday, a corporate spokesperson was not immediately available for comment.

The General Data Protection Regulation (GDPR) establishes rules for the collecting, processing, and exchange of personal data in the European Union and Norway, which is not a member of the EU.

In a January 2020 investigation, the Norwegian Consumer Council (NCC) revealed Grindr shared sensitive user data with third parties interested in advertising and profiling. Users’ IP addresses, GPS locations, age, and gender were among the information collected.

When users are found and targeted in countries where homosexuality is banned, broad sharing of personal data can become an issue of physical safety, according to the NCC at the time.