Norwegian regulator plans $12 million reprimand for dating app Grindr

Norway’s Data Protection Authority plans to fine dating app Grindr 100 million Norwegian crowns (almost $12 million) for what the regulator alleges was an illegal disclosure of user data to advertising firms.

US-based Grindr describes itself as the world’s largest social networking app for gay, bisexual, transgender and queer people.

The decision is preliminary, but if the fine is confirmed, it will be the largest penalty considered by the Norwegian Data Protection Authority (DPA) to date.

The DPA said that Grindr’s users were forced to accept its privacy policy and that the app did not inform them that their data would be shared with third parties, or ask for their consent.

As a result, sensitive personal information was shared with advertising companies.

In a statement Grindr said:

“Grindr is a social movement and a cultural phenomenon. Our goal is to create the leading social and digital media platform that enables the LGBTQ+ community and other users to discover, share and navigate the world around them.”

“Grindr is confident that our approach to user privacy is first-in-class among social applications with detailed consent flows, transparency, and control provided to all of our users.  For example, Grindr has retained valid legal consent from ALL of our EEA users on multiple occasions.  We most recently required all users to provide consent (again) in late 2020 to align with the GDPR Transparency and Consent Framework (TCF) version 2 which was developed by the IAB EU in consultation with the UK ICO.”

“The allegations from the Norwegian Data Protection Authority date back to 2018 and do not reflect Grindr’s current Privacy Policy or practices.  We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority.”

“Our preliminary conclusion is that the breaches are very severe,” the Norwegian agency said in a statement announcing what it said was a record fine corresponding to around 10% of Grindr’s estimated global annual revenue.

Grindr has until 15 February to respond to the claims, after which the Data Protection Authority will make its final decision in the case, the agency said.

Europe’s General Data Protection Regulation (GDPR) sets guidelines for the collection, processing and sharing of personal information in the European Union as well as in non-EU Norway.

The Norwegian Consumer Council (NCC), a watchdog, said in a January 2020 report that Grindr shared detailed user data with third parties involved in advertising and profiling, such as a user’s IP address, advertising ID, GPS location, age and gender.

In some cases, widespread sharing of personal data can become a matter of physical safety if users are located and targeted in countries where homosexuality is illegal, the NCC said at the time.

In a statement on Tuesday (26 January), the NCC hailed the decision to fine Grindr as a historic victory for privacy.