Grindr shared users’ personal data, including sensitive personal data about their sexuality, with third-party advertising companies for marketing purposes. In doing so, Grindr relied on consent as a legal basis.
- Disclosing personal data to third-party advertisers without a legal basis,
- Disclosing special category personal data to third-party advertisers without a valid exemption from the prohibition set out in GDPR.
Complaints from the NCC & NOYB
In 2020, the Norwegian DPA received three complaints from the Norwegian Consumer Council (NCC) & NOYB against Grindr, claiming unlawful sharing of personal data with third parties for marketing purposes.
The data shared include advertising ID, IP address, GPS location, gender, age, device information, and app name.
The NCC argued that Grindr lacked a legal basis for sharing personal data on its users with third-party companies when providing advertising in the free version of the Grindr app.
Additionally, Grindr was accused of sharing personal data concerning individuals’ sexual orientation, which constitutes sensitive personal data, the processing of which is prohibited by the GDPR (unless an exemption applies).
No valid consent
The consent on which Grindr based its processing did not represent a free choice because it did not allow separate consent for different data processing operations. As the Norwegian DPA explains in its decision:
The access to the service in the free version of the app was made conditional on consenting to Grindr sharing personal data with advertising partners and individuals could not refuse or withdraw consent without detriment.
The disclosure of the data without valid consent breached the individuals’ trust. It violated their fundamental rights, and Grindr failed to fulfill the requirements of “freely given,” “specific,” “informed,” “unambiguous,” and “easy to withdraw” consent.
Special categories of data
Under the General Data Protection Regulation, processing personal data related to sexual orientation, or concerning or revealing the sexual life of an individual, is prohibited unless one of the exemptions applies.
Grindr claimed that it did not share data concerning a user’s sexual orientation, since the fact that the individual is a Grindr user does not qualify as data about their sexual orientation.
Grindr argued that it is wrong to assume that Grindr’s users are “presumably gay” or that being a Grindr user means that the user belongs to a sexual minority.
However, the DPA concluded that being a Grindr user strongly indicates, and appears in most cases to accurately reflect, that the data subject belongs to a sexual minority, and therefore being a Grindr user reveals the sexual orientation of an individual.
Infringements of Articles 6 and 9 qualify for the maximum administrative fine of €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
However, the amount must be “effective, proportionate, and dissuasive” in each individual case. The Norwegian DPA explained its decision to issue a fine of approximately 32% of the maximum amount of €20 million:
“…it is important that the administrative fine is not too low in order to ensure a sufficient financial incentive for the perpetrator and other companies in the market to avoid further violations.”
Additionally, although the DPA did not ask for the sensitive data to be deleted, it is implied that this could change in the future, while the investigation of the third-party advertising companies is ongoing.