Norwegian DPA imposes €6.5 million GDPR fine on Grindr


On December 15, 2021, the Norwegian Data Protection Authority imposed a €6.5 million GDPR fine on Grindr, a location-based dating and networking app for gay, bi, trans and queer people.

Grindr shared users’ personal data, including sensitive personal data about their sexuality, with third-party advertising companies for marketing purposes. In doing so, Grindr relied on consent as its legal basis.

However, the basic requirements for compliant consent were not met, so the Norwegian DPA concluded that Grindr violated Article 6(1) and Article 9(1) GDPR by:

  • disclosing personal data to third-party advertisers without a legal basis, and
  • disclosing special category personal data to third-party advertisers without a valid exemption from the prohibition set out in the GDPR.

Complaints from the NCC and NOYB

In 2020, the Norwegian DPA received three complaints from the Norwegian Consumer Council (NCC) and NOYB against Grindr, alleging unlawful sharing of personal data with third parties for marketing purposes.

The data shared included the advertising ID, IP address, GPS location, gender, age, device information, and app name.

The NCC argued that Grindr lacked a legal basis for sharing personal data on its users with third-party companies when providing advertising in the free version of the Grindr app.

Additionally, Grindr was accused of sharing data concerning individuals’ sexual orientation, which constitutes sensitive personal data whose processing is prohibited by the GDPR unless an exemption applies.

No valid consent

The consent on which Grindr based its processing did not represent a free choice, because it did not allow separate consent for different data processing operations. As the Norwegian DPA explains in its decision:

Grindr’s consent mechanism consisted of a two-layered approach. First, the full privacy policy was displayed, asking the data subject to click on “Proceed”. If the data subject proceeded, a pop-up appeared with the phrase “I accept the Privacy Policy”, where Grindr gave the data subject the option to press “Cancel” or “Accept”. If the data subject pressed “Cancel”, further registration was not possible.

Access to the service in the free version of the app was made conditional on consenting to Grindr sharing personal data with advertising partners, and individuals could not refuse or withdraw consent without detriment.

The disclosure of the data without valid consent breached the individuals’ trust and violated their fundamental rights; Grindr failed to meet the requirements that consent be “freely given,” “specific,” “informed,” “unambiguous,” and “easy to withdraw.”

Special categories of data

Under the General Data Protection Regulation, processing personal data revealing an individual’s sexual orientation or concerning their sex life is prohibited unless one of the exemptions applies.

Grindr claimed that it did not share data concerning a user’s sexual orientation, since the fact that an individual is a Grindr user does not qualify as data about their sexual orientation.

Grindr argued that it is wrong to assume that Grindr’s users are “presumably gay” or that being a Grindr user means that the user belongs to a sexual minority.

However, the DPA concluded that being a Grindr user strongly indicates, and in most cases appears to accurately reflect, that the data subject belongs to a sexual minority, and that being a Grindr user therefore reveals an individual’s sexual orientation.

Aftermath

Taking into consideration all circumstances of the case, the DPA concluded that Grindr had breached Articles 6(1) and 9(1) GDPR, which are basic and fundamental provisions.

Infringements of Articles 6 and 9 fall under the highest tier of administrative fines: up to €20 million or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

However, the amount must be “effective, proportionate, and dissuasive” in each individual case. The Norwegian DPA explained its decision to issue a fine of approximately 32 % of the €20 million maximum as follows:

“…it is important that the administrative fine is not too low in order to ensure a sufficient financial incentive for the perpetrator and other companies in the market to avoid further violations.”

Additionally, although the DPA did not order the sensitive data to be deleted, it is implied that this could change in the future, as the investigation of the third-party advertising companies is ongoing.

Read more

Full decision by the Norwegian Data Protection Authority – Datatilsynet
