1. Business
  2. Politics and policy
December 15, 2021updated 03 Feb 2022 10:15am

Analysis: CIOs should be worried by Grindr’s Norwegian dating data fine

By Eric Johansson

The Norwegian data regulator has slammed Grindr with a $7.14m fine for violating privacy rules: and such fines are set to become a common problem for almost any company holding personal data, according to analysts. Data privacy will increasingly become an issue that keeps CEOs and their CIOs up at night.

Datatilsynet, Norway’s Data Protection Authority, originally levied a NOK 100m fine ($10.99m) against Grindr in January 2021 for breaching data privacy regulations, accusing the online dating platform of illegally disclosing user data to advertising firms.

“The Grindr app is used to connect with other users in the LGBTQ+ community, and we are aware that many users choose not to use their full name or upload a picture of their face in order to be discreet,” says Tobias Judin, head of Datatilsynet’s international department. “Nonetheless, their personal data and the fact that they were on Grindr was disclosed to an unknown number of third parties for marketing purposes, without giving the users accessible information or a genuine choice.”

The regulator said Grindr had breached data privacy laws by sharing information with third parties. The information included IP addresses, advertising ID, GPD location, age and gender. The data had been collected in Norway from July 2018 and until April 2020 when Grindr changed how the app asks for consent. Previously, Grindr had forced users to accept its privacy policy in its entirety. Users had not been specifically asked about their data being shared with advertisers.

However, Datatilsynet has now reduced the fine to NOK 65m ($7.14m) after Grindr provided additional information about the size and financial situation of the company. The regulator also cut down the fine to reflect the changes Grindr has made with the aim of remedying the deficiencies in the previous consent management policy.

Datatilsynet has not assessed whether Grindr’s current consent mechanism complies with the General Data Protection Regulation (GDPR). While Norway isn’t a member of the European Union, it is a member of the European Economic Area, which is why the GDPR is enforced in the country.

Grindr has told Norwegian broadcaster NRK that it disagrees with the fine.

“We’ve just received the letter from Datatilsynet and are currently going through the document,” Shane Wiley, chief privacy officer at Grindr, told NRK. “The company is evaluating the issue, including the right to appeal the decision to the Norwegian Privacy Appeals Board.”

Grindr data privacy fine won’t be the last

Grindr may be the latest tech company forced to cough up millions of dollars for violating data privacy rules, but it’s not the first and it certainly won’t be the last.

In Amazon’s July earnings report, the ecommerce giant revealed that officials in Luxembourg have levied a €746m fine against the company for breaching GDPR – the biggest GDPR fine so far.

In September, the Irish data protection regulator also fined Facebook/Meta-owned WhatsApp €225m for violating EU privacy rules.

In January 2019, French regulator CNIL similarly slammed Google with a €50m fine.

According to market researchers, such fines will become more common. Analysts also highlight a shift in data watchdogs’ and the general public’s attitude towards Big Tech.

“Once deemed consumer champions, Big Tech now appears to be the new dark side of capitalism, arguably seen as presenting a bigger risk to society than bankers were in 2007,” GlobalData researchers wrote in a recent thematic research report. “Public outrage at their actions is now forcing regulators to act.”

The GDPR is one clear indication of this changing attitude. California has introduced similar legislation, and politicians in the US Senate have renewed their calls for stronger data protection legislation countrywide following the explosive testimony of Facebook/Meta whistleblower Frances Haugen.

China is another example of a country that has introduced sweeping new regulations to better control how businesses collect and handle private data.

Big Tech firms have taken notice. Over the past few years, there has been a noticeable effort by major Silicon Valley companies to position themselves as champions of data privacy protection. Google and Apple stand out in particular in this regard, having both introduced initiatives over the years to make it trickier for companies to track users’ digital journeys.

To some degree, this could also explain why companies like Facebook are trying to launch super-apps. Facebook famously rebranded itself as Meta to highlight its new focus on becoming a metaverse company, which Verdict has noted in the past is just another term for a super-app.

“Social media companies will increasingly diversify away from their ad-funded business model, which regulators have attacked,” GlobalData researchers wrote in a June report. “Companies like Facebook and Google stand accused of using ad-targeting techniques that prioritize profit over respect for user’s privacy and content quality. They are also accused of acting as gatekeepers around access to personal data to the detriment of smaller players in the online advertising sector.”