Norway’s data protection agency is proposing a fine of $11.7 million against Grindr for the alleged improper sharing of users’ data to third-party companies for marketing purposes.
The Norwegian Data Protection Authority (DPA) said Tuesday that Grindr, which bills itself as “the world’s leading LGBTQ+ social application,” had shared, without full consent, users’ GPS locations, profile data and other information with other companies. Grindr has until Feb. 15 to argue against the decision.
The case, which applies to the free version of the app, originated with a 2020 complaint from the Norwegian Consumer Council, and it falls under Europe’s General Data Protection Regulation (GDPR). The DPA said the fine of 100 million Norwegian kroner would represent its largest ever, reflecting that “our findings suggest grave violations of the GDPR.”
“Users were not able to exercise real and effective control over the sharing of their data,” the Norwegian authority says. The regulators noted that the data-sharing also included, by default, “the fact that the user in question is on Grindr.”
“We believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection,” the authority said.
The DPA said it notified Grindr of the potential problems in February 2020, and the company replied with an unsatisfactory response in May 2020.
In a blog post dated Jan. 25, a day after the Norwegian authority had notified Grindr about the proposed penalty, Chief Privacy Officer Shane Wiley defended the West Hollywood, California, company’s practices, saying it does not share precise location data or information about a user’s age and gender.
“We share only the most basic information — which users largely control — and nothing about a user’s Grindr account details,” Wiley wrote. “This last point is worth repeating: there is nothing from within a user’s Grindr account details that is shared with an ad partner. Full stop.” The blog post did not directly address the Norwegian case.
The Grindr case is the latest example of European regulators’ willingness to penalize a big U.S. brand. In December, Ireland’s data protection agency fined Twitter about $550,000 for a now-fixed bug that accidentally exposed people’s private tweets.
The DPA said five companies that received the third-party data from Grindr are also the subject of complaints from the Norwegian Consumer Council: MoPub, which is owned by Twitter; Xandr, formerly known as AppNexus; OpenX Software; AdColony; and Smaato.
Those cases are ongoing, the DPA said.