Grindr fined for selling user data to advertisers

Dating network Grindr has been slapped with a US$7.7 million fine by Norwegian regulator Datatilsynet for sharing data with advertisers.

Grindr—which calls itself the world’s largest social networking app for gay, bi, trans, and queer people—sold data which includes GPS, IP address, age, and gender.

No consent, no app

The Norwegian Data Protection Authority (Datatilsynet) ruled that the way in which Grindr collected user consent did not meet the regulations stipulated in the EU GDPR. As such, the disclosure of personal data was in breach of the Privacy Ordinance.

Users had to accept the privacy statement in its entirety to use the app, and they were not specifically asked if they would consent to disclosure to third parties for marketing purposes. In addition, information about the disclosure of personal information was not clear or accessible enough to users.

The fine covers the period from July 2018, when the “Law on the Processing of Personal Data (Personal Data Act)” was established, until April 2020, when Grindr changed the consent solution. Whether Grindr’s current consent solution meets the legal requirements has not been established yet.

Shared data

Grindr disclosed information about a user’s GPS location, IP address, mobile phone advertising ID, age and gender to several third parties for marketing purposes. With this information, users could be identified, and third parties could potentially share this data further.

According to GDPR, the personal data that companies must protect includes any information that can “directly or indirectly” identify a person—or subject—to whom the data belongs or describes. Included are names, identification numbers, location data, online identifiers like screen names or account names, and even characteristics that describe the “physical, physiological, genetic, mental, commercial, cultural, or social identity of a person.”

The authority emphasized that the information that a person is a Grindr user establishes a special category of personal information, because it strongly indicates that they belong to a sexual minority. Information about someone’s sexual orientation has a special protection in the Privacy Ordinance. And since the consent Grindr collected was invalid, Grindr was not legally entitled to share such information.

It is customary in dating apps to be very careful about the information you share. Many users choose not to enter their full name or upload photos of their face so that they can be discreet. Nevertheless, identifiable information about them and their use of Grindr was passed on to an unknown number of companies for marketing purposes.

High fine

Datatilsynet first fined Grindr around US$12.2 million following an initial ruling in January 2021, but later revised this amount down to US$7.7 million after reviewing Grindr’s turnover figures. Nevertheless, this is the highest fee to date from the Norwegian Data Protection Authority.

Despite reconsidering the amount, Norway considers the offence by Grindr to be “grave” – most likely because the data collected, including gender, falls under the GDPR rules. According to Datatilsynet:

“Because thousands of users in Norway have had their personal information illegally disclosed for Grindr’s commercial interests, including location data and that they are Grindr users. Business models based on behavior-based marketing are common in the digital economy, and it is important that the infringement fee for offenses acts as a deterrent and contributes to compliance with the privacy regulations.”

Grindr has not responded to the fine and now has three weeks to appeal the verdict. The app has previously confirmed that the fined offenses were committed before April 2020, when its terms of use were updated.

Previous concerns

It is not the first time Grindr has raised privacy concerns. Earlier action against the app was sparked by an NPR news report exposing Grindr’s practice of sharing the most personal and sensitive information of its users with third-party analytics firms, without their informed consent. That data included personally identifiable and sensitive user information such as HIV status, email address, telephone number, precise geolocation, sexuality, relationship status, ethnicity and “last HIV tested date.”