App Grindr in €10M fine for GDPR consent failure

The Norwegian Data Protection Authority has announced that it intends to fine Grindr €10 million for failing to collect valid consent and sharing user data without users' knowledge. Here’s how to collect valid consent on your mobile app!
The world’s largest social networking app for gay, bi, trans and queer people – Grindr – faces a possible €10 million fine for illegally disclosing private details about its users to advertising companies and for failing to obtain valid consent for collecting personal data.

According to the Norwegian Data Protection Authority (Datatilsynet), this is a clear violation of the rules on consent under the General Data Protection Regulation (GDPR).

Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis.

Sharing users’ private details and locations without consent

In 2020, the Norwegian Consumer Council filed a complaint against the popular app Grindr for unlawfully sharing users’ personal data with third parties for marketing purposes. The data shared included user profile data, user location data (GPS), and the fact that the user in question was on Grindr.

Datatilsynet found that the app had shared this data with at least five advertising companies, basically tagging individuals as LGBTQ.

This not only violated the principles for consent under the GDPR, but also put users at risk in countries where consensual same-sex acts are not legal.

According to the authority, Grindr failed to obtain users’ freely given, specific, unambiguous and informed consent for the sharing of data.

Obtaining consent required for collecting and sharing app data

The Norwegian Datatilsynet considers it a general rule that consent is required for user profiling and tracking for marketing purposes, especially when it involves tracking individuals across multiple websites, locations, devices and services.

This is, of course, even more important when a commercial app wishes to collect, use and share sensitive personal data such as sexual orientation.

Could result in highest Norwegian DPA fine to date

Grindr has now been notified that the Norwegian DPA intends to impose a fine of 100 million Norwegian kroner (approx. €10M) based on the grave violations of the GDPR.

Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent take-it-or-leave-it “consents”. It is imperative that such practices cease.

Datatilsynet has given Grindr until February 15, 2021 to respond to the notification. If the fine is imposed, it will be the highest fine to date by the Norwegian authorities.

Obtain valid consent on your mobile app – how to!

Cookie Information has recently launched its Mobile App Universal Consent for obtaining valid consent to cookies, trackers and a variety of other data collection methods on mobile apps.

It is a new way of ensuring user privacy and compliance with national and international privacy laws like the GDPR.

Be one of the first to try out our Mobile App Universal Consent Solution for your company app and make your users’ privacy a priority.