Norwegian Data Protection Authority imposes record fine on Grindr

Dating app shared personal data without users’ consent in case that establishes standards for international players in Norwegian market.

Dating app Grindr has received the biggest fine yet issued by Datatilsynet, the Norwegian Data Protection Authority. The fine of Nkr 65m ($5.9m) was agreed after an appeal to the Privacy Appeals Board.

Grindr, a location-based dating app aimed at gay, bi, trans and queer people, was found to have shared users’ GPS locations, IP addresses, mobile phone advertising IDs, age and gender with several third parties for marketing purposes.

Grindr changed its consent mechanism in April 2020 to enable it to share personal data and, according to the Data Protection Authority, users were not given a chance to consent.

The Privacy Appeals Board backed the findings, and said that Grindr’s ‘consent’ was not voluntary, specific or informed, and that users were not given a free choice to consent to the disclosure of personal data when they signed up to the app. The Board also said that the registration process lacked the relevant information about data sharing; that information was included only in the privacy policy.

“Consent is a tool for giving users control over their own personal data. If users are not made able to understand what they have consented to, or if they are not granted real freedom of choice, the consents are illusory,” Line Coll, Director General of the Data Protection Authority, said.

Disclosed personal data unlawfully

The case started in 2020, when the Norwegian Consumer Council lodged a complaint against Grindr with Datatilsynet. The regulator imposed the fine in December 2021. Grindr then appealed the decision, and the case was sent to the Privacy Appeals Board in 2022.

“We are very pleased that the Privacy Appeals Board agrees with our conclusions and has upheld our decision. This has been an important and prioritized case for the Norwegian Data Protection Authority and of course for consumers’ data protection,” said Coll.

Even though Grindr didn’t disclose the users’ sexual orientation, just sharing the fact that they were Grindr users suggested that they “most likely have a sexual orientation that differs from that of the majority”, which in the Board’s view constituted disclosing special category personal data unlawfully.

“Grindr is used to connect with other people in the LGBTQ+ community, and identifiable information about users and their use of Grindr was shared to an unknown number of third parties for marketing purposes. The European Court of Justice has recently confirmed in several decisions that the notion of special categories of personal data must be interpreted broadly in order to ensure a high level of data protection,” Coll continued.

Location and user data

The Data Protection Authority says that the reason for the high fine is “the severity of the infringements”, where thousands of Norwegian users had their personal data unlawfully shared with an unknown number of companies in order to serve Grindr’s commercial interests. The shared data included location data and the fact that they were Grindr users.

The Privacy Appeals Board says that the fine highlights the seriousness of the infringement, which went on for almost two years. The Board also points out that the company consciously chose a technical solution that makes it impossible to register without “approving” the disclosure of information for behavioral advertising.

“Our consumers are entitled to data protection in applications delivered from international players. The decision creates an expectation and shows that international players in the Norwegian market must provide services that safeguard Norwegian users and their data protection rights,” Coll added.

This case concerns Grindr’s practices in the period from when GDPR became applicable up to April 2020 – when Grindr changed its consent mechanism. The Norwegian Data Protection Authority has not assessed the legality of Grindr’s practices after that date.