Norway’s data regulator has issued a €10m fine to gay dating app Grindr for breaching data protection laws.
The Norwegian Data Protection Authority said the location-based dating app for gay, bi, trans and queer people failed to comply with consent rules outlined by the General Data Protection Regulation (GDPR).
Following an investigation, it determined that Grindr did not get sufficient consent to share the personal data of its users to third parties for marketing purposes. This data included GPS location and user profile data.
The regulator went further and said a person simply being on Grindr “constitutes special category data that merits particular protection”.
Under GDPR, organisations can face a fine of up to €20m or 4% of global annual turnover. The proposed penalty would represent around 10% of US-based Grindr’s revenue, making it a comparatively high fine compared to other fines that have been issued under GDPR.
In a statement, Norwegian Data Protection Authority Bjørn Erik Thon described it as a “serious case”.
“Users were not able to exercise real and effective control over the sharing of their data,” he added.
“Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”
The €10m fine is not final and Grindr has until 15 February 2021 to respond.
In a statement, Grindr said:
“Grindr is confident that our approach to user privacy is first-in-class among social applications with detailed consent flows, transparency, and control provided to all of our users. For example, Grindr has retained valid legal consent from ALL of our EEA users on multiple occasions. We most recently required all users to provide consent (again) in late 2020 to align with the GDPR Transparency and Consent Framework (TCF) version 2 which was developed by the IAB EU in consultation with the UK ICO.
Jake Moore, cybersecurity specialist at ESET, said: “When you join a high profile site such as Grindr, you expect to have your data protected and dealt with sensitively. Sadly, data on people is a lucrative currency, and so it can be tempting to share when given the opportunity.
“I always recommend that people limit the amount of personal data shared on these sites due to the possibility that the data could be targeted with a cyberattack. The less data you put out on the internet, the less data that can be stolen or shared without your knowledge.”