Grindr on the hook for €10M over GDPR consent violations

Grindr, a gay, bi, trans and queer hook-up app, is on the hook for a penalty of NOK100,000,000 (aka €10M or ~$12.1M) in Europe.

Norway’s data protection agency has announced it’s notified the US-based company of its intention to issue the fine in relation to consent violations under the region’s General Data Protection Regulation (GDPR) which sets out strict conditions for processing people’s data.

The size of the fine is notable. GDPR allows for fines to scale up to 4% of global annual turnover or up to €20M, whichever is higher. In this case Grindr is on the hook for around 10% of its annual revenue, per the DPA. (Although the sanction is not yet final; Grindr has until February 15 to submit a response before the Datatilsynet issues a final decision.)

“We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR,” said Bjørn Erik Thon, DG of the agency, in a statement. “Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent take-it-or-leave-it ‘consents’. It is imperative that such practices cease.”

Grindr has been contacted for comment.

Last year a report by Norway’s Consumer Council (NCC) delved into the data sharing practices of a number of popular apps in categories such as dating and fertility. It found the majority of apps transmitted data to “unexpected third parties”, with users not clearly informed how their information was being used.

Grindr was one of the apps featured in the NCC report. And the Council went on to file a complaint against the app with the national DPA, claiming unlawful sharing of users’ personal data with third parties for marketing purposes — including GPS location; user profile data; and the fact the user in question is on Grindr.

Under the GDPR, an app user’s personal data may be legally shared if you obtain their consent to do so. However there are a set of clear standards for consent to be legal — meaning it must be informed, specific and freely given. The Datatilsynet found that Grindr had failed to meet this standard. 

It said users of Grindr were forced to accept the privacy policy in its entirety — and were not asked if they wanted to consent to the sharing of their data with third parties.

Additionally, it said sexual orientation could be inferred by a user’s presence on Grindr; and under regional law such sensitive ‘special category’ data carries an even higher standard of explicit consent before it can be shared (which, again, the Datatilsynet said Grindr failed to get from users).

“Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection,” it writes in a press release.

“The Norwegian Data Protection Authority considers that this is a serious case,” added Thon. “Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”

The decision could have wider significance as a similar ‘forced consent’ complaint against Facebook is still open on the desk of Ireland’s data protection watchdog — despite being filed back in May 2018. For tech giants that have set up a regional base in Ireland, and made an Irish entity legally responsible for processing EU citizens’ data, GDPR’s one-stop-shop mechanism has led to considerable delays in complaint enforcement.

Grindr, meanwhile, changed how it obtains consent in April 2020 — and the proposed sanction deals with how it was handling this prior to then, from May 2018, when the GDPR came into force.

“We have not to date assessed whether the subsequent changes comply with the GDPR,” the Datatilsynet adds.

After its report last year, the NCC also filed complaints against five of the third parties who it found to be receiving data from Grindr: MoPub (owned by Twitter), Xandr (formerly known as AppNexus), OpenX Software, AdColony, and Smaato. The DPA notes that those cases are ongoing.

Following the NCC report in January 2020, Twitter told us it had suspended Grindr’s MoPub account while it investigated the “sufficiency” of its consent mechanism. We’ve reached out to Twitter to ask whether it ever reinstated the account and will update this report with any response.

European privacy campaign group noyb, which was involved in filing the strategic complaints against Grindr and the adtech companies, hailed the DPA’s decision to uphold the complaints — dubbing the size of the fine “enormous” (given Grindr only reported profits of just over $30M in 2019, meaning it’s facing losing about a third of that at one fell swoop).

noyb also argues that Grindr’s switch to trying to claim legitimate interests to continue processing users’ data without obtaining their consent could result in further penalties for the company. 

“This is in conflict with the decision of the Norwegian DPA, as it explicitly held that ‘any extensive disclosure … for marketing purposes should be based on the data subject’s consent’,” writes Ala Krinickytė, data protection lawyer at noyb, in a statement. “The case is clear from the factual and legal side. We do not expect any successful objection by Grindr. However, more fines may be in the pipeline for Grindr as it lately claims an unlawful ‘legitimate interest’ to share user data with third parties — even without consent. Grindr may be bound for a second round.”
