Gay Dating App Grindr Faces a Huge Fine for Illegally Sharing User Data

The Norwegian data privacy watchdog Datatilsynet wants to impose a fine of 100 million Norwegian kroner on Grindr, which is approximately $11.7 million. The dating app allegedly shared users’ private information with advertisers, including information about their sexual orientation, health and location. The company has until February 15 to respond to the allegations, after which the regulator will make a final decision.

Grindr Sells Private Information to Advertisers

Last year, the Norwegian regulator Datatilsynet started an investigation into a number of popular dating applications, including Grindr, Tinder and OKCupid. It found that they all sell sensitive user data to advertisers on a large scale.

Grindr, a widely used dating app in the LGBTI community, collected and shared data such as gender, age, sexual and political preference, location, IP address, physical and mental health, and third-party purchases. With this information, advertisers can target users with more personalized advertisements. However, this all happened without explicit permission from Grindr’s users.

Clear Violation of the GDPR

The discovery obviously did not sit well with Forbrukerrådet, the Norwegian Consumer Council. Sharing sensitive information without users’ consent is a gross violation of the General Data Protection Regulation (GDPR). Therefore, the Consumer Council submitted the case to the Norwegian regulator Datatilsynet. They also informed various international stakeholders, including Noyb and the European Center for Digital Rights.

The privacy watchdog provisionally agrees with Forbrukerrådet. Their preliminary conclusion is that Grindr has indeed shared user data with a number of third parties without a legal basis. “Users were not able to exercise real and effective control […] and were forced to accept the privacy policy to use the app”, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority. “Our findings suggest gross violations of the GDPR.”

$11.7 Million Fine

The watchdog notified Grindr that they intend to impose a fine “of great magnitude”. Grindr has some 27 million registered users worldwide, with thousands of them residing in Norway. The Norwegian Data Protection Authority is proposing a fine of 10% of Grindr’s turnover. As Grindr’s annual worldwide turnover amounts to over $100,000,000, such a fine would be in the millions.

“This is a milestone in the ongoing work to ensure that consumers’ privacy is protected online”, said Finn Myrstad, director of digital policy of Forbrukerrådet, in a press statement. “The Data Protection Authority, Datatilsynet, has clearly established that it is unacceptable for companies to collect and share personal data without users’ permission.”

Grindr Has Until Mid-February to Appeal

The document issued by the Consumer Council is a draft decision. This means Grindr has until February 15 to appeal the decision and have their comments taken into account. If the dating app does not respond before this deadline, the regulator will convert the provisional fine into a final penalty. The Norwegian watchdog also filed complaints against “ad tech” companies receiving data from Grindr, including Twitter’s mobile app advertising platform, MoPub. These cases are ongoing.

Late last year, Grindr was confronted with yet another privacy issue. A security vulnerability in the dating app permitted account takeover. A French security researcher discovered the vulnerability. He reported the issue to Grindr via a helpdesk ticket. When Grindr closed the ticket and ignored the issue, he contacted the well-known independent security expert Troy Hunt. Grindr only resolved the issue after Troy Hunt escalated his findings to Grindr’s security team.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments.