LGBT social networking app reprimanded for ‘take-it-or-leave-it consents’ to sharing sensitive personal data
UPDATED Grindr, the popular LGBT dating app, has been fined €10 million ($12 million) for GDPR violations by Norway’s data privacy regulator because sensitive user data was apparently shared with third parties without valid consent.
Users were also not properly informed about how the data was shared, said the Datatilsynet. The data shared included GPS location and user profile data such as sexual orientation.
Datatilsynet director-general Bjørn Erik Thon said these were “grave violations” of GDPR requirements around valid consent and added that it was “imperative” that such “take-it-or-leave-it consents” should “cease”.
“We believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection,” the Datatilsynet said in a press release issued yesterday (January 26).
Grindr is seen as a safe space, and many users wish to be discrete. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away – Datatilsynet director-general Bjørn Erik Thon
Said Thon: “Users were not able to exercise real and effective control over the sharing of their data.
“Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”
A Grindr spokesperson told The Daily Swig: “Grindr is confident that our approach to user privacy is first-in-class among social applications with detailed consent flows, transparency, and control provided to all of our users.”
They said “valid legal consent” had been “retained” from all “EEA users on multiple occasions”, most recently “in late 2020 to align with” the GDPR Transparency and Consent Framework v2.0.
Shane Wiley, Grindr's chief privacy officer, also penned a defense of the platform’s privacy policies in a blog post published on Monday (January 25).
Ezat Dayeh, SE manager at data management vendor Cohesity, told The Daily Swig: “It is ironic timing that this matter becomes public 24 hours before Data Privacy Day.
“Organizations of all sizes need to be more accountable and deliver greater trust in how they handle consumer data in exchange for more tailored services or commercial gain. The relationship between consumer and brand only works when trust is in place.
“From a compliance perspective on privacy, GDPR was merely the start, not the end goal.”
Grindr is marketed as the world’s most popular location-based social networking app for gay, bi, trans, and queer people with 13.7 million active users.
The penalty amounts to around 10% of the company’s worldwide revenues and, if confirmed, will be the highest GDPR fine ever levied by the Datatilsynet.
Grindr has until February 15 to respond to the ruling before a final decision is made.
Read more of the latest data privacy news
The investigation, which stems from a complaint filed against Grindr by the Norwegian Consumer Council in 2020, centers on consent mechanisms in place on the app until April 2020.
The Norwegian Consumer Council also filed complaints against five third parties that received data from Grindr for marketing purposes: Twitter-owned MoPub, Xandr, OpenX Software, AdColony, and Smaato.
The Daily Swig has contacted Grindr for comment on the ruling and will update the article accordingly if we receive a response.
This article was updated on January 27 with comments from Ezat Dayeh of Cohesity, then on January 28 with comments from Grindr
RECOMMENDED Nmap project becomes latest victim of Google’s ‘wrongful blocking’ of cybersecurity resources