According to investigations by the Norwegian data protection authorities, sensitive user data was passed on to advertising partners by the dating app Grindr. As a result, the authorities have imposed a fine of 100,000,000 Norwegian kroner (approximately 9.6 million euros).
Sharing data without consent
Grindr is a very successful dating portal for bisexual, homosexual and transsexual. After complaints last year by the data protection association noyb and the Norwegian Consumer Council to the data protection authorities, the authorities took action. According to reports, the dating app’s operators were sharing data without the consent of the portal’s users. Since the data of users is particularly sensitive, the breach of trust is great. Among other things, the portal passed on the location and IP addresses of users to many advertising partners. Among the partners were, for example, Smaato, AdColony, OpenX, Adtech companies such as MoPub from Twitter and AppNexus from Xandr.
Especially with such personal data that a dating app receives, something like this should not happen. The disclosure of data occurred whenever users opened the Grindr app. This was followed by the message about the location and also that the app was currently being used. Since the data was passed on without the customers’ consent, the Norwegian Consumer Council filed a total of three complaints with the Norwegian data protection authorities together with the data protection association noyb. The third complaint has now been upheld. This confirmed the actions of the dating portal. The operators passed on user data without the necessary consent. In addition, customers were also not extensively informed about the use of their data. Only the consent to the privacy statement is possible, but there are no options to agree only to individual processing activities of data processing. Thereupon, the Norwegian data protection authorities demanded a fine of the equivalent of 9.6 million euros on Tuesday.
A sign set
The Consumer Council and also the data protection association noyb are very pleased with the decision of the Norwegian authorities. Thus, a signal was also set for other companies, which want to get with consent without options to the user data. The problem with the dating app Grindr is not an isolated case, there are a large number of apps and websites that proceed in this way, according to one of the data protection lawyers (Ala Krinickytė) from noyb. After this decision, it should also be clear to the other companies that a valid consent does not exist if the user has no real choice. In these cases, there is always unlawful consent, which can also result in a proper fine.
Further penalties possible
The consumer protection association noyb considers it rather unlikely that Grindr can successfully proceed against the ruling. Since it is, according to noyb, rather conceivable that further penalties for Grindr will be added. The operators of the dating app have been passing on user data under the cloak of “legitimate interest” since recently. Accordingly, again, a disclosure of user data without their consent. A “legitimate interest” for passing on data to hundreds of third parties is certainly not present here.