Dating app Grindr is facing a fine of up to $15m after the company was found to be selling its user data to advertisers, in a potentially severe violation of the EU’s GDPR legislation.
Grindr is a popular dating app that is marketed toward the lesbian, gay, bisexual and transexual communities.
The charges have been levelled against Grindr by Norway’s Data Protection Authority, who has announced plans to fine Grindr for around 100-million Norwegian Crowns (AUD $15 million), or around 10% of its global revenue.
The Norwegian Data Protection Authority has said in a statement that “our preliminary conclusion is that the breaches are very severe,” in relation to the potential breaches of the General Data Protection Regulation (GDPR) act.
It said that it has made three separate complaints against Grindr’s data sharing behaviour with advertisers, that the authorities allege was done without prior consent of their users.
The NCC says that the data being sold to advertisers included age, gender, location and sexual preference information. This, according to the NCC, could be used against Grindr users if they live somewhere that homosexuality is illegal.
“If someone finds out that users are gay and knows their movements, they may be harmed,” Tobias Judin, chief of the Norwegian Data Protection Authority’s international arm said.
“We’re trying to make these apps and services understand that this approach – not informing users, not gaining a valid consent to share their data – is completely unacceptable.”
Grab Your Free ISO Gap Analysis Checklist
Grindr Facing $15m Fine For Selling User Data
This is not the first time that Grindr has faced criticism for a lack of security measures, as well as questionable data-sharing practices. A BBC report states that just a few months ago, Grindr was alerted to a vulnerability that enabled hackers to take control of user accounts with ease.
This is in addition to the 2018 case that saw Grindr share the HIV-status of its users with two third-party companies.
Grindr has responded to the New York Times, with a spokesperson saying that the company had indeed received “valid legal consent from all” of its European users. The company added that it takes pride in its “approach to user privacy, [which] is first in class.”
“We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority,’ the spokesperson said.
The European Centre for Digital Rights says that the purported “consent” that Grindr refers to isn’t acceptable in this case, saying the company did not fully inform consumers of their decision.
Data Protection lawyer with the European Centre for Digital Rights, Ala Krinickyte has said that “‘take it or leave it’ is not consent… if you rely on unlawful ‘consent,’ you are subject to a hefty fine.”
“Grindr forwarded user data to potentially hundreds of third-parties – it now also has to ensure these ‘partners’ comply with the law.”
Grindr has been given until February 15 to respond to the case; we’ll be sure to keep you updated.
