Norway’s data protection agency is fining LGBTQ+ social app Grindr nearly $7.1 million for unlawfully disclosing personal data to third parties for marketing.
The ruling follows a 2020 complaint by the Norwegian Consumer Council alleging that Grindr shared user device data with third parties that, due to the nature of the app, effectively allowed advertisers to connect those users with information about their sexual orientation.
The Norwegian DPA, known as Datatilsynet, concluded that Grindr did not have proper consent mechanisms in place allowing users to specifically opt-in to the sharing of their data for advertisements by third parties.
“We consider that data revealing the fact that someone is a Grindr user strongly indicates that they belong to a sexual minority,” the DPA wrote. “Data concerning a person’s sexual orientation constitutes special category data that merit particular protection under the GDPR. As the consents Grindr collected were not valid, Grindr could not lawfully share such data.”
The fine is slightly less than the $12 million the Norwegian regulator announced it intended to issue earlier this year. The authority cited additional financial information about Grindr and changes made by the company to address the privacy concerns in its final determination.
Grindr is disputing the findings and is weighing its right to appeal under Europe’s General Data Protection Regulation (GDPR), company chief privacy officer Shane Wiley said in a statement.
The investigation covers the app’s policies in Norway between July 2018 and April 2020, when the company changed how it asked for consent in response to the complaint. The DPA’s investigations into the five advertising partners that received data from Grindr are still ongoing.