Logo and page links

Main menu

The NO DPA imposes fine against Grindr LLC

The Norwegian Data Protection Authority has imposed an administrative fine of NOK 65 000 000 – approximately € 6.5 million – for not complying with the GDPR rules on consent.

- Our conclusion is that Grindr has disclosed user data to third parties for behavioural advertisement without a legal basis, said Tobias Judin, head of the Norwegian Data Protection Authority’s international department.

Grindr is a location-based social networking app marketed towards gay, bi, trans, and queer people. In 2020, the Norwegian Consumer Council filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared was GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on Grindr. Users could be identified through the data shared, and the recipients could potentially further share the data.

Invalid consents

- The Norwegian Data Protection Authority has concluded that consent was the applicable legal basis in this case, but that the purported consents Grindr collected for sharing personal data with advertising partners were not valid, said Judin.

Users were forced to accept the privacy policy in its entirety to use the app, and they were not asked specifically if they wanted to consent to the sharing of their data with third parties for behavioural advertisement. Furthermore, the information about the sharing of personal data was not properly communicated to users. We consider that this was contrary to the GDPR requirements for valid consent.

Our investigation has focused on the consent mechanism in place from the GDPR became applicable in Norway in July 2018, and until April 2020 when Grindr changed how the app asks for consent. We have not assessed whether Grindr’s current consent mechanism complies with the GDPR.

Special categories of data disclosed

We consider that data revealing the fact that someone is a Grindr user strongly indicates that they belong to a sexual minority. Data concerning a person’s sexual orientation constitutes special category data that merit particular protection under the GDPR. As the consents Grindr collected were not valid, Grindr could not lawfully share such data.

- The Grind app is used to connect with other users in the LGBTQ+ community, and we are aware that many users choose not to use their full name or upload a picture of their face in order to be discrete. Nonetheless, their personal data and the fact that they were on Grindr was disclosed to an unknown number of third parties for marketing purposes, without giving the users accessible information or a genuine choice, Judin added.

While it not defined as special categories of personal data in itself, location data is sensitive and personal. The fact that Grindr has also shared this data unlawfully adds to the severity of the case.

Highest Norwegian DPA fine to date

An administrative fine should be effective, proportionate and dissuasive.

- We have imposed a fine of a high amount against Grindr as we consider the infringements of the GDPR in this case to grave. Thousands of users in Norway have had their personal data shared unlawfully for the commercial interests of Grindr, including GPS location and the fact that the users in question were on Grindr. Business models based on behavioural advertisement are common in the digital economy, and it is imperative that administrative fines for GDPR violations are dissuasive in order to foster compliance with the law, Judin emphasised.

However, we have found that a reduction of the NOK 100 000 000 fine previously notified is justified. Since our advance notification, we have received further information from Grindr about the size and financial situation of the company, and we have also considered the changes Grindr has made with the aim to remedy the deficiencies in their previous consent management platform to be a mitigating factor.

Since the advance notification, the Norwegian Consumer Council has argued that Grindr has infringed additional provisions of the GDPR. The Consumer Council has also asked the Norwegian Data Protection Authority to order Grindr to erase the illegally processed personal data insofar that Grindr still processes said data. Therefore, we do not rule out further orders being issued by the Norwegian DPA at a later stage.

Grindr may lodge an appeal against this decision within three weeks after having received it. Depending on the circumstances, this deadline may be extended.