Grindr, the gay dating app, will be fined with €10 million for GDPR breaches

The Norwegian authorities have notified Grindr LLC of its intention to impose a fine of approximately €10 million on account of the multiple infringements of the European Union’s General Data Protection Regulation (GDPR). After an investigation, the Norwegian Data Protection Authority concluded that this application shared its users’ data with third parties without prior consent or any defined legal basis.

Grindr is a dating app specially designed for the gay, bisexual and transgender community that connects its users based on their approximate location and similar interests. A few months ago the Consumer Protection Council in Norway filed a complaint against the app over the alleged misuse of personal information for advertising purposes; compromised information included location data, personal information and Grindr account status.

The authorities argue that Grindr requires the express consent of its users to share this information with third parties, since its policies at no time mention such practice, not to mention that by sharing details about the sexual preferences of its users, Grindr is exposing particularly sensitive information. It should be noted that the research is only related to the information of Grinder’s free version users.

Bjørn Erik Thon, General Director of the Data Protection Agency in Norway, considers that this is a very serious problem: “Users cannot exercise real control over the information Grindr shares with other platforms; these companies get consent in a blurry way, so the law has to take matters into terms.”

European law states that explicit consent is an essential element in the handling of sensitive personal data, so it is necessary for companies to simply inform users about the information they will collect and their possible uses (mainly associated with marketing). The authorities mention that, in many cases, users are simply forced to accept the policies of these platforms, completely ignoring explicit consent, which is a violation of the GDPR.

Grindr received a draft fine project, so the company has about 15 days to issue any comments or nonconformities about it. Once this period has expired, the European data protection authority shall issue its final decision. 

Norway authorities also filed complaints against five third-party companies that received data from Grindr, including MoPub (owned by Twitter), and OpenX Software.