LGBT social networking app reprimanded for ‘take-it-or-leave-it consents’ to sharing sensitive personal data

Grindr fined $10m for 'grave' GDPR violations related to its smartphone app

UPDATED Grindr, the popular LGBT dating app, has been fined €10 million ($12 million) for GDPR violations by Norway’s data privacy regulator because sensitive user data was apparently shared with third parties without valid consent.

The preliminary ruling issued by the Norwegian Data Protection Authority (Datatilsynet) centers on the fact that users had to accept a blanket privacy policy to use the app and were not given a separate opportunity to grant or withhold consent to sharing their data with third parties.

Users were also not properly informed about how the data was shared, said the Datatilsynet. The data shared included GPS location and user profile data such as sexual orientation.

Datatilsynet director-general Bjørn Erik Thon said these were “grave violations” of GDPR requirements around valid consent and added that it was “imperative” that such “take-it-or-leave-it consents” should “cease”.

‘Safe space’

“We believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection,” the Datatilsynet said in a press release issued yesterday (January 26).

Grindr is seen as a safe space, and many users wish to be discreet. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away – Datatilsynet director-general Bjørn Erik Thon

Said Thon: “Users were not able to exercise real and effective control over the sharing of their data.

“Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”

A Grindr spokesperson told The Daily Swig: “Grindr is confident that our approach to user privacy is first-in-class among social applications with detailed consent flows, transparency, and control provided to all of our users.”

They said “valid legal consent” had been “retained” from all “EEA users on multiple occasions”, most recently “in late 2020 to align with” the GDPR Transparency and Consent Framework v2.0.

The allegations “date back to 2018 and do not reflect Grindr’s current Privacy Policy or practices,” they continued, adding: “We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority.”

Shane Wiley, Grindr's chief privacy officer, also penned a defense of the platform’s privacy policies in a blog post published on Monday (January 25).

Ezat Dayeh, SE manager at data management vendor Cohesity, told The Daily Swig: “It is ironic timing that this matter becomes public 24 hours before Data Privacy Day.

“Organizations of all sizes need to be more accountable and deliver greater trust in how they handle consumer data in exchange for more tailored services or commercial gain. The relationship between consumer and brand only works when trust is in place.

“From a compliance perspective on privacy, GDPR was merely the start, not the end goal.”

Record-breaking fine

Grindr is marketed as the world’s most popular location-based social networking app for gay, bi, trans, and queer people with 13.7 million active users.

The penalty amounts to around 10% of the company’s worldwide revenues and, if confirmed, will be the highest GDPR fine ever levied by the Datatilsynet.

Grindr has until February 15 to respond to the ruling before a final decision is made.


The investigation, which stems from a complaint filed against Grindr by the Norwegian Consumer Council in 2020, centers on consent mechanisms in place on the app until April 2020.

Datatilsynet said it had not yet assessed whether subsequent changes made to Grindr’s privacy policy were GDPR-compliant.

The Norwegian Consumer Council also filed complaints against five third parties that received data from Grindr for marketing purposes: Twitter-owned MoPub, Xandr, OpenX Software, AdColony, and Smaato.

The Daily Swig has contacted Grindr for comment on the ruling and will update the article accordingly if we receive a response. 

This article was updated on January 27 with comments from Ezat Dayeh of Cohesity, then on January 28 with comments from Grindr.
