Norwegian court upholds record NKr 65m fine on Grindr

Grindr failed to have valid consent from users to share their data and sensitive information with marketing partners.

The Oslo district court in Norway has found that Grindr did not have valid consent from users to hand over personal data to advertising partners – data that was also found to be sensitive information. An infringement fee of NKr 65m ($5.9m) will therefore be levied on Grindr, the location-based dating app aimed at gay, bi, trans and queer people.

Line Coll, Datatilsynet. Photo: Ilja Hendel

“The Grindr app shares detailed user data with a very large number of third parties, including IP address, GPS location, age, and gender. By using MoPub (a mobile monetization platform) as mediator, the data sharing is highly opaque as neither the third parties nor the information transmitted are known in advance. We have also seen that MoPub can enrich the data that is shared with other parties dynamically,” the court verdict says.

“The judgment seems thorough, and we are satisfied that the district court agrees with our conclusions and those of the Norwegian Data Protection Board. This is an important decision for privacy,” said Line Coll, Director of the Norwegian Data Protection Authority.

Unlawfully sharing data

Datatilsynet, the Norwegian Data Protection Authority, fined Grindr in 2020 for sharing information about users’ GPS locations, IP addresses, mobile phone advertising IDs, age and gender with several third parties for marketing purposes. Grindr then appealed the decision, and the case was sent to the Personal Protection Board in 2022 – which upheld the verdict.

The tribunal also found that Grindr had ‘deliberately’ chosen a technical solution which did not make it possible to use the app without “approving” the use of users’ data in behavior-based marketing.

“Consent is a tool to give users control over their own personal data. If the users are not put in a position to understand the choice they have to make, or are given real freedom of choice, the consents are illusory,” Coll said.

Grindr then took legal action and sued the Norwegian Personal Protection Board over the “disproportionately large” fine, and claimed that the consents it obtained were valid. It also said that using Grindr didn’t imply anything about sexual relationship or sexual orientation – claims which the Oslo district court has now overruled.

Record fine by Datatilsynet

The NKr 65m fine on Grindr is the biggest fine to date issued by Datatilsynet.

The authority says that the reason for the high fine was “the severity of the infringements” – thousands of Norwegian users had their personal data unlawfully shared with an unknown number of companies in order to serve Grindr’s commercial interests. That included location data, and the fact that they were Grindr users, which suggested that they “most likely have a sexual orientation that differs from that of the majority” – which in the Board’s view constituted disclosing special category personal data unlawfully.

“Grindr is used to connect with other people in the LGBTQ+ community, and identifiable information about users and their use of Grindr was shared to an unknown number of third parties for marketing purposes. The European Court of Justice has recently confirmed in several decisions that the notion of special categories of personal data must be interpreted broadly in order to ensure a high level of data protection,” Coll said earlier.

Note: This case concerns Grindr’s practices in the period from when GDPR became applicable up to April 2020 – when Grindr changed its consent mechanism. The Norwegian Data Protection Authority has not assessed the legality of Grindr’s practices after that date.