
Grindr on the hook for €10M over GDPR consent violations

Natasha Lomas
Senior Reporter, TechCrunch
January 26, 2021

Grindr, a social networking application geared towards gay, bisexual, transgender, and queer individuals, is facing a potential penalty of NOK100,000,000 (equivalent to approximately €10M or $12.1M) within Europe.

Norway’s data protection authority has announced its intent to impose this fine on the US-based company due to breaches of consent regulations under the region’s General Data Protection Regulation (GDPR). This regulation establishes stringent requirements for the handling of personal data.

The magnitude of the proposed fine is significant. GDPR allows for penalties of up to 4% of a company’s global annual revenue or a maximum of €20M, whichever figure is greater. In this instance, Grindr could be liable for around 10% of its yearly income, according to the data protection authority. (However, this sanction is not yet finalized; Grindr has until February 15th to provide a response before the Datatilsynet renders a conclusive ruling.)

“We have informed Grindr of our intention to levy a substantial fine, as our investigations indicate serious infringements of the GDPR,” stated Bjørn Erik Thon, Director-General of the agency, in an official statement. “Grindr has 13.7 million active users, a significant number of whom are located in Norway. Our assessment is that these individuals have had their personal data shared in an unlawful manner. A key aim of the GDPR is to specifically prevent non-negotiable ‘consents’. It is essential that these practices are discontinued.”

Grindr has been approached for a statement. Update: The company has provided the following statement. It also directed attention to a recent blog post authored by Shane Wiley, its Chief Privacy Officer, in which he asserts that it does not share “precise” location data with advertisers, nor does it share users’ age or gender. However, it does share the advertising identifier of the device being used, along with the IP Address, and further device specifications (including manufacturer, model, and operating system version).

Here is Grindr’s statement:

A report released last year by Norway’s Consumer Council (NCC) examined the data sharing practices of several popular applications in categories such as dating and fertility. The report revealed that the majority of these apps transmitted data to “unexpected third parties,” and users were not adequately informed about how their information was being utilized.

Grindr was one of the applications analyzed in the NCC report. Subsequently, the Council filed a complaint with the national data protection authority, alleging unlawful sharing of users’ personal data with third parties for marketing purposes—including GPS location; user profile information; and the fact that the user is a Grindr user.

Under the GDPR, an application user’s personal data can be legally shared if their consent is obtained. However, there are specific criteria for consent to be considered lawful—meaning it must be informed, specific, and freely given. The Datatilsynet determined that Grindr did not meet these standards. 

The authority stated that Grindr users were required to accept the privacy policy in its entirety—and were not given the option to consent specifically to the sharing of their data with third parties.

Furthermore, it noted that a user’s sexual orientation could be inferred from their use of Grindr; and under regional legislation, such sensitive ‘special category’ data requires an even higher standard of explicit consent before it can be shared (which, again, the Datatilsynet said Grindr failed to obtain from users).

“Our initial finding is that Grindr requires consent to share this personal data and that Grindr’s consents were not valid. Additionally, we believe that an individual’s use of Grindr reveals information about their sexual orientation, which constitutes special category data deserving of particular protection,” it explained in a press release.

“The Norwegian Data Protection Authority views this as a serious matter,” added Thon. “Users were unable to exercise genuine and effective control over the sharing of their data. Business models that pressure users into providing consent, and where they are not sufficiently informed about what they are consenting to, are not in compliance with the law.”

This decision may have broader implications, as a similar ‘forced consent’ complaint against Facebook remains under review by Ireland’s data protection authority—despite being filed in May 2018. For technology companies that have established a regional base in Ireland, and designated an Irish entity as legally responsible for processing the data of EU citizens, GDPR’s one-stop-shop mechanism has resulted in considerable delays in the enforcement of complaints.

Grindr, in the meantime, modified its consent procedures in April 2020—and the proposed sanction pertains to its data handling practices prior to that point, from May 2018, when the GDPR took effect.

“We have not yet evaluated whether the subsequent changes comply with the GDPR,” the Datatilsynet adds.

Commenting on the Norwegian Data Protection Authority’s action in a statement, Monique Goyens, Director-General of European consumer rights organization Beuc, said: “This is a positive development and sends a clear message that it is unlawful to monitor consumers continuously, without their consent, to collect and share their data. The GDPR does have enforcement power and consumer groups are prepared to take action against those who violate the law.”

“We commend the Norwegian data protection authority for acting promptly. It is encouraging that GDPR complaints do not have to remain unresolved for years. Too many apps collect and share excessive personal data with numerous third parties for commercial purposes based on the same weak justifications and without user control. This action by the Norwegian authority will have a ripple effect throughout the adtech industry—and hopefully lead to positive change.”

Following its report last year, the NCC also filed complaints against five of the third parties that it identified as receiving data from Grindr: MoPub (owned by Twitter), Xandr (formerly known as AppNexus), OpenX Software, AdColony, and Smaato. The DPA notes that these cases are still ongoing.

After the NCC report in January 2020, Twitter informed us that it had suspended Grindr’s MoPub account while it investigated the “adequacy” of its consent mechanism. We have contacted Twitter to inquire whether it ever reinstated the account and will update this report with any response.

Update: A Twitter spokesperson confirmed that it had reversed the suspension after Grindr implemented changes to its processes, stating: “After a comprehensive investigation, Grindr made modifications to meet MoPub’s partner requirements that ensure they have the appropriate mechanisms in place to ensure consumer transparency regarding data collection and use.” 

European privacy advocacy group noyb, which participated in filing the strategic complaints against Grindr and the adtech companies, praised the DPA’s decision to uphold the complaints—describing the size of the fine as “substantial” (considering Grindr reported profits of just over $30M in 2019, meaning it is potentially facing the loss of approximately a third of that amount).

noyb also contends that Grindr’s attempt to justify continued data processing by claiming legitimate interests could result in further penalties for the company. 

“This is inconsistent with the decision of the Norwegian DPA, which explicitly stated that ‘any extensive disclosure … for marketing purposes should be based on the data subject’s consent’,” writes Ala Krinickytė, data protection lawyer at noyb, in a statement. “The case is clear from both a factual and legal perspective. We do not anticipate any successful objection by Grindr. However, additional fines may be forthcoming for Grindr as it recently claims a lawful ‘legitimate interest’ to share user data with third parties—even without consent. Grindr may face a second round of penalties.”

While Grindr has sought to characterize the DPA’s “allegations” as outdated, its reference in its statement to obtaining consent under the IAB Europe’s Transparency and Consent Framework (TCF) may not be entirely without risk—given that the mechanism itself is subject to GDPR complaint proceedings.

Last year, a preliminary finding by the Belgian DPA concluded that the TCF did not meet the required GDPR standard. A final decision is pending after a hearing before its litigation chamber.

This report was updated with comments from Beuc and Twitter, and with a statement from Grindr, along with some additional related context.


Natasha Lomas

Natasha served as a leading journalist at TechCrunch for over twelve years, from September 2012 until April 2025, reporting from a European base. Before her time at TC, she evaluated smartphones as a reviewer for CNET UK. Earlier in her career, she dedicated more than five years to covering the realm of business technology at silicon.com – which is now integrated within TechRepublic – with a concentration on areas like mobile and wireless technologies, telecommunications and networking, and the development of IT expertise. She also contributed as a freelance writer to prominent organizations such as The Guardian and the BBC. Natasha’s academic background includes a First Class Honours degree in English from Cambridge University, complemented by a Master of Arts degree in journalism from Goldsmiths College, University of London.