The Norwegian data privacy watchdog Datatilsynet wants to impose a fine of 100 million Norwegian kroner on Grindr, which equals to approximately $11.7 million. The dating app allegedly shared user’s private information with advertisers, including information about their sexual orientation, health and location. The company has until February 15 to respond to the allegations, after which the regulator will make a final decision.
Grindr Sells Private Information to Advertisers
Last year, the Norwegian regulator Datatilsynet started an investigation into a number of popular dating applications, including Grindr, Tinder and OKCupid. It found that they all sell sensitive user data to advertisers on a large scale.
Grindr, a widely used dating app in the LGBTI community, collected and shared data such as gender, age, sexual and political preference, location, IP address, physical and mental health, and third-party purchases. With this information, advertisers can target users with more personalized advertisements. However, this all happened without explicit permission from Grindr’s users.
Clear Violation of the GDPR
The discovery obviously did not sit well with Forbrukerrådet, the Norwegian Consumer Council. Sharing sensitive information without users’ consent is a gross violation of the General Data Protection Regulation (GDPR). Therefore, the Consumer Council submitted the case to the Norwegian regulator Datatilsynet. They also informed various international stakeholders, including Noyb and the European Center for Digital Rights.
$11.7 Million Fine
The watchdog notified Grindr that they intend to impose a fine “of great magnitude”. Grindr has some 27 million registered users worldwide, with thousands of them residing in Norway. The Norwegian Data Protection Authority is proposing a fine of 10% of Grindr’s turnover. As Grindr’s annual worldwide turnover amounts to over $100,000,000, such a fine would be in the millions.
“This is a milestone in the ongoing work to ensure that consumers’ privacy is protected online”, said Finn Myrstad, director of digital policy of Forbrukerrådet, in a press statement. “The Data Protection Authority, Datatilsynet, has clearly established that it is unacceptable for companies to collect and share personal data without user´s permission.”
Grindr Has Until Mid-February to Appeal
The document issued by the Consumer Council is a draft decision. This means Grindr has until February 15 to appeal the decision and have their comments taken into account. If the dating app does not respond before this deadline, the regulator will convert the provisional fine into a final penalty. The Norwegian watchdog also filed complaints against “ad tech” companies receiving data from Grindr, including Twitter’s mobile app advertising platform, MoPub. These cases are ongoing.
Late last year, Grindr was confronted with yet another privacy issue. A security vulnerability in the dating app permitted account takeover. A French security researcher discovered the vulnerability. He reported the issue to Grindr via a helpdesk ticket. When Grindr closed the ticket and ignored the issue, he contacted the well-known independent security expert Troy Hunt. Grindr only resolved the issue after Troy Hunt escalated his findings to Grindr’s security team.