Dating app Grindr has been fined $7.1 million (65M NOK) by Norway’s Data Protection Authority (DPA) for illegally passing user data to advertisers.
Reuters reported that the DPA’s initial plan last January was to fine Grindr 100 million crowns, but it said on Wednesday that it had reduced the amount because of new information on the company’s finances and changes Grindr has made “to remedy the deficiencies in their previous consent-management platform”.
The DPA describes the size of the fine as “proportionate both to the severity of the infringement and to Grindr’s financial situation”, asserting that it “does not exceed what is necessary to achieve the objectives pursued by the GDPR in the present case”.
The investigation, which concluded that user consent collected by the gay dating app between July 2018 and April 2020 for the use of private data was not valid, was based on a complaint from the Norwegian Consumer Council.
The data which it found the app had shared with third parties included GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on Grindr.
“Our conclusion is that Grindr has disclosed user data to third parties for behavioural advertisement without a legal basis,” the head of the DPA’s international department, Tobias Judin, said in a statement.
“The Grind (sic) app is used to connect with other users in the LGBTQ+ community, and we are aware that many users choose not to use their full name or upload a picture of their face in order to be discrete,” said Judin. “Nonetheless, their personal data and the fact that they were on Grindr was disclosed to an unknown number of third parties for marketing purposes, without giving the users accessible information or a genuine choice.”
Ursula Pachl, the deputy DG of the European Consumer Organisation, BEUC, said in a statement: “Grindr illegally exploited and shared its users’ information for targeted advertising, including sensitive information about their sexual orientation. It is high time the behavioural advertising industry stops tracking and profiling consumers 24/7. It is a business model which clearly breaches the EU’s data protection rules and harms consumers. Let’s now hope this is the first domino to fall and that authorities start imposing fines on other companies as the infringements identified in this decision are standard surveillance ad-tech industry practices.”
Grindr has the right to appeal the decision within three weeks.