Norway’s data regulator has issued a €10m fine to gay dating app Grindr for breaching data protection laws.

The Norwegian Data Protection Authority said the location-based dating app for gay, bi, trans and queer people failed to comply with consent rules outlined by the General Data Protection Regulation (GDPR).

Following an investigation, it determined that Grindr did not get sufficient consent to share the personal data of its users to third parties for marketing purposes. This data included GPS location and user profile data.

The regulator went further and said a person simply being on Grindr “constitutes special category data that merits particular protection”.

Under GDPR, organisations can face a fine of up to €20m or 4% of global annual turnover. The proposed penalty would represent around 10% of US-based Grindr’s revenue, making it a comparatively high fine compared to other fines that have been issued under GDPR.

In a statement, Norwegian Data Protection Authority Bjørn Erik Thon described it as a “serious case”.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

“Users were not able to exercise real and effective control over the sharing of their data,” he added.

“Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”

The €10m fine is not final and Grindr has until 15 February 2021 to respond.

In a statement, Grindr said:

“Grindr is confident that our approach to user privacy is first-in-class among social applications with detailed consent flows, transparency, and control provided to all of our users. For example, Grindr has retained valid legal consent from ALL of our EEA users on multiple occasions. We most recently required all users to provide consent (again) in late 2020 to align with the GDPR Transparency and Consent Framework (TCF) version 2 which was developed by the IAB EU in consultation with the UK ICO.

“The allegations from the Norwegian Data Protection Authority date back to 2018 and do not reflect Grindr’s current Privacy Policy or practices. We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority.”

Jake Moore, cybersecurity specialist at ESET, said: “When you join a high profile site such as Grindr, you expect to have your data protected and dealt with sensitively. Sadly, data on people is a lucrative currency, and so it can be tempting to share when given the opportunity.

“I always recommend that people limit the amount of personal data shared on these sites due to the possibility that the data could be targeted with a cyberattack. The less data you put out on the internet, the less data that can be stolen or shared without your knowledge.”

Read more:  How Grindr took over the gay scene and changed dating for everyone