The Norwegian Data Protection Authority (NDPA announced Monday the gay dating app Grindr would be fined 100 million Norwegian Kroenr (approximately $11.6 million) for illegally selling users' personal private information to third party advertisers. The fine represents an estimated ten percent of the company’s European revenue, and an estimated third of their net profits.
“Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis,” Bjørn Erik Thon, director-general of the NDPA, said in a statement noting that users of the free version of the app had to upgrade to the paid version to obtain privacy protections guaranteed to all users by law. “Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”
“This is a milestone in the ongoing work to ensure that consumers’ privacy is protected online,” Finn Myrstad, director of digital policy in the Norwegian Consumer Council, said in a statement about the ruling “The Data Protection Authority has clearly established that it is unacceptable for companies to collect and share personal data without user´s permission.”
The NDPA investigation found Grindr illegally provided precise user location and other personal information without their consent to multiple companies, who in turn could share that personal data with other buyers. Their actions violated the European Union’s 2018 General Data Protection Regulation (GDPR). While not a member of the EU, Norway is a part of the European Economic Area (EEA) where the GDPR is applicable.
The proposed fine is large because of the seriousness of the violations. Sexual orientation is given extra protections under the GDPR, and cannot be provided to third parties without the users’ freely-given consent. The NDPA found that since Grindr is a gay dating app, any data associating a user with the app would reveal their sexual orientation and is therefore subject to these special protections.
The company has had many issues around privacy and user data in the past. In 2018 they notably apologized for sharing users' HIV status with third-party companies. That same year a site was launched to help expose major security flaws in the app.
Grindr was sold for over $600 million last year. The privacy violations in question took place under the watch of the previous owner, Beijing Kunlun Tech Co Ltd. The U.S. government was concerned at the time about possible data harvesting by China, and demanded the sale. Grindr also announced last year it would disable its ethnicity filter in solidarity with the Black Lives Matter movement and has since followed through with the promise.