The LGBTQ+ dating app Grindr was issued an £8.5m penalty in Norway for the alleged sharing of users’ sensitive personal data with third-party advertisers without obtaining appropriate consent.
The fine is the result of a legal complaint made last year by the Norwegian Consumer Council (Forbrukerrådet), in which it expressed concern that users of the app may not have been in control of their data and that the sharing of personal data (for targeted advertising purposes) was putting them at risk of discrimination, manipulation, or exploitation.
The kind of data that Grindr collects includes chat texts and images, physical characteristics, HIV status, and details of sexual preferences, as well as email addresses and location and device data.
In addition to the matter of data protection law, this case involved concerns about the safety of those users whose data was being shared, because many may live in areas where they can still be legally discriminated against, e.g. Russia, the UAE or Pakistan.
The Norwegian Data Protection Authority, known as Datatilsynet, concluded in the case of Grindr that valid consent to share personal data with advertisers, particularly data that needs special protection such as sexual orientation, had not been obtained from users by Grindr.
The app has been given until 15 February to respond to the case.
In a statement in the New York Times, a Grindr spokesperson said that the company had obtained “valid legal consent from all” of its users in Europe on multiple occasions and was confident that its “approach to user privacy is first in class” among social apps. Also, the spokesperson said that “We continually enhance our privacy practices in consideration of evolving privacy laws and regulations and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority”.
Nevertheless, Norway’s data regulator thought that Grindr’s actions had been severe enough to warrant a major fine.
Not The First Time
This is not the first time that Grindr’s data protection has been called into question. For example, last January, its Android app was found to have been sharing very accurate location information about users, and in October 2020 an email hacking vulnerability was found in the app. Also, in April 2018, the UK’s Information Commissioner’s Office (ICO) said it was investigating Grindr after it was discovered that the app had shared data with two external companies, including information on HIV status and date last tested.
What Does This Mean For Your Business?
This is a reminder to businesses everywhere that obtaining specific consent and being clear about data practices are very important, and that relying on unlawful ‘consent’ could lead to huge fines. In this case there is also a clear element of danger and threat to the users of the app if their information is shared, because in some countries users may face legal discrimination, violence and more. Grindr has been in the spotlight before over its data practices, and it is a shame that lessons don’t appear to have been learned. This story also highlights how the practices of advertising technology companies may warrant some scrutiny: although targeted advertising may be good for businesses, it should not be at the expense of the potential safety and wellbeing of those whose data has been used.