A government agency in Norway has fined gay app Grindr 65 million Norwegian kroner ($AU10 million) for sharing data with advertisers without users’ consent.
The Norwegian Data Protection Authority (DPA) issued the fine, the largest in the agency’s history.
It came after Norway’s Consumer Council filed a complaint against Grindr for sharing users’ data with third-party advertisers.
The information, shared with several third parties for marketing purposes, included users’ GPS locations, IP addresses, ages, gender and their use of the app.
The data allowed users to be identified and third parties to potentially share personal information further, the watchdog warned.
The DPA, known locally as Datatilsynet, later found Grindr’s users had not provided valid consent for this. As a result, the data sharing broke EU rules.
Grindr did not explicitly ask users if they wanted to allow their data to be shared with third parties.
“Furthermore, the information about the sharing of personal data was not properly communicated to users,” the DPA said.
Users didn’t have “real and effective” control over Grindr’s sharing of their data, the DPA said. Moreover, any information regarding the policy was “hidden away,” the agency claimed.
The agency said it was particularly intrusive for Grindr’s users because data about a person’s sexual orientation constitutes “special category” data and has particular legal protection.
The DPA said the record-breaking fine was because the infringements were “grave”.
The fine was initially even larger but was reduced after Grindr gave information about its finances and made changes last year “to remedy the deficiencies in their previous consent-management platform”.
Grindr strongly disagrees with verdict
A spokesperson for Grindr said the company strongly disagrees with the verdict.
“Even though Datatilsynet has lowered the fine compared to their earlier letter, Datatilsynet relies on a series of flawed findings, introduces many untested legal perspectives, and the proposed fine is therefore still entirely out of proportion with those flawed findings.”
They said “protecting users’ interests and ensuring we put them in control of their personal data” is always Grindr’s “top priority.”
Grindr has three weeks to submit an appeal against the fine.
However, Finn Myrstad, digital policy director at the Norwegian Consumer Council, said the decision sends a strong message.
“This sends a strong signal to all companies involved in commercial surveillance,” Myrstad said.
“There are serious repercussions to sharing personal data without a legal basis.
“We call for the digital advertising industry to make fundamental changes to respect consumers’ rights.”
What information does the app share with advertisers?
In a blog post in January, Grindr’s Chief Privacy Officer Shane Wiley addressed the ad data scandal.
Wiley said the app “shares only the most basic information — which users largely control — and nothing about a user’s Grindr account details.”
“There is nothing from within a user’s account details that is shared with an ad partner. Full stop,” he said.
He added, “We do NOT share precise location data with advertisers.
“Grindr’s ad partners can leverage a device’s IP Address to get a general sense of where the user is in the world.
“But accuracy drops sharply below city level detail.”
Wiley also explained, “We share the basics and only the basics. The mobile advertising ID (MAID) of the device, IP Address, and device details.
“[We use] MAIDs to track which ads are seen and clicked on in a way not associated with a user’s personal information.
“We approach advertising policy globally. Any Grindr user across the planet can rest assured that the details above are the same for them.”