Grindr, a gay, bi, trans and queer hook-up app, is on the hook for a penalty of NOK100,000,000 (aka €10M or ~$12.1M) in Europe.
Norway's data protection agency has announced it's notified the US-based company of its intention to issue the fine in relation to consent violations under the region's General Data Protection Regulation (GDPR) which sets out strict conditions for processing people's data.
The size of the fine is notable. GDPR allows for fines to scale up to 4% of global annual turnover or up to €20M, whichever is higher. In this case Grindr is on the hook for around 10% of its annual revenue, per the DPA. (Although the sanction is not yet final; Grindr has until February 15 to submit a response before the Datatilsynet issues a final decision.)
"We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR," said Bjørn Erik Thon, DG of the agency, in a statement. "Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent take-it-or-leave-it 'consents'. It is imperative that such practices cease."
Grindr has been contacted for comment. Update: The company has sent the below statement. It also pointed us to a recent blog post, written by Shane Wiley, its chief privacy officer, in which he denies it shares "precise" location data with advertisers, nor users' age or gender. But it does share the ad ID of the device they're using, as well as the IP Address, plus additional device details (including make, model and OS version).
Here's Grindr's statement:
Grindr is a social movement and a cultural phenomenon. Our goal is to create the leading social and digital media platform that enables the LGBTQ+ community and other users to discover, share and navigate the world around them. Grindr is confident that our approach to user privacy is first-in-class among social applications with detailed consent flows, transparency, and control provided to all of our users. For example, Grindr has retained valid legal consent from ALL of our EEA users on multiple occasions. We most recently required all users to provide consent (again) in late 2020 to align with the GDPR Transparency and Consent Framework (TCF) version 2 which was developed by the IAB EU in consultation with the UK ICO.
Last year a report by Norway's Consumer Council (NCC) delved into the data sharing practices of a number of popular apps in categories such as dating and fertility. It found the majority of apps transmitted data to “unexpected third parties”, with users not clearly informed how their information was being used.
Grindr was one of the apps featured in the NCC report. And the Council went on to file a complaint against the app with the national DPA, claiming unlawful sharing of users' personal data with third parties for marketing purposes -- including GPS location; user profile data; and the fact the user in question is on Grindr.
Under the GDPR, an app user's personal data may be legally shared if you obtain their consent to do so. However there are a set of clear standards for consent to be legal -- meaning it must be informed, specific and freely given. The Datatilsynet found that Grindr had failed to meet this standard.
Additionally, it said sexual orientation could be inferred by a user's presence on Grindr; and under regional law such sensitive 'special category' data carries an even higher standard of explicit consent before it can be shared (which, again, the Datatilsynet said Grindr failed to get from users).
"Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection," it writes in a press release.
"The Norwegian Data Protection Authority considers that this is a serious case," added Thon. "Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law."
The decision could have wider significance as a similar 'forced consent' complaint against Facebook is still open on the desk of Ireland's data protection watchdog -- despite being filed back in May 2018. For tech giants that have have set up a regional base in Ireland, and made an Irish entity legally responsible for processing EU citizens' data, GDPR's one-stop-shop mechanism has led to considerable delays in complaint enforcement.
Grindr, meanwhile, changed how it obtains consent in April 2020 -- and the proposed sanction deals with how it was handling this prior to then, from May 2018, when the GDPR came into force.
"We have not to date assessed whether the subsequent changes comply with the GDPR," the Datatilsynet adds.
Commenting on the Norwegian Data Protection Authority's action in a statement, Monique Goyens, DG of European consumer rights organization Beuc, said: “This is excellent news and sends a clear signal that it’s illegal to monitor consumers 24/7, without their consent, to collect and share their data. The GDPR does have teeth and consumer groups stand ready to act against those who break the law.
“We commend the Norwegian data protection authority for acting swiftly. It is reassuring that GDPR complaints do not have to linger on for years. Too many apps gather and share too much personal data with too many third parties for commercial purposes based on the same flimsy grounds and with no control. This move by the Norwegian authority will reverberate across the entire adtech industry -- and hopefully bring some change."
After its report last year, the NCC also filed complaints against five of the third parties who it found to be receiving data from Grindr: MoPub (owned by Twitter), Xandr (formerly known as AppNexus), OpenX Software, AdColony, and Smaato. The DPA notes that those cases are ongoing.
Following the NCC report in January 2020, Twitter told us it had suspended Grindr’s MoPub account while it investigated the “sufficiency” of its consent mechanism. We've reached out to Twitter to ask whether it ever reinstated the account and will update this report with any response.
Update: A Twitter spokesperson confirmed it had reversed the suspension after Grindr made changes to its processes, telling us: "After a thorough investigation, Grindr made changes in order to meet MoPub's partner requirements that ensure they have the appropriate mechanisms in place to ensure consumer transparency around data collection and use."
European privacy campaign group noyb, which was involved in filing the strategic complaints against Grindr and the adtech companies, hailed the DPA's decision to uphold the complaints -- dubbing the size of the fine "enormous" (given Grindr only reported profits of just over $30M in 2019, meaning it's facing losing about a third of that at one fell swoop).
noyb also argues that Grindr's switch to trying to claim legitimate interests to continue processing users' data without obtaining their consent could result in further penalties for the company.
"This is in conflict with the decision of the Norwegian DPA, as it explicitly held that "any extensive disclosure ... for marketing purposes should be based on the data subject’s consent"," writes Ala Krinickytė, data protection lawyer at noyb, in a statement. "The case is clear from the factual and legal side. We do not expect any successful objection by Grindr. However, more fines may be in the pipeline for Grindr as it lately claims an unlawful 'legitimate interest' to share user data with third parties -- even without consent. Grindr may be bound for a second round."
While Grindr has sought to dismiss the DPA's "allegations", as out of date, the reference in its statement to obtaining consent under the IAB Europe's Transparency and Consent Framework (TCF) does not look entirely risk-free either -- given the mechanism is itself subject to GDPR complaint proceedings.
Last year a preliminary finding by the Belgian DPA concluded that the TCF did not meet the required GDPR standard. A final decision is pending after a hearing in front of its litigation chamber.
This report was updated with comment from Beuc and Twitter, and with a statement from Grindr plus some additional related context