Skip to main content
https://www.highperformancecpmgate.com/rgeesizw1?key=a9d7b2ab045c91688419e8e18a006621

Grindr on the hook for €10M over GDPR consent violations

Grindr, a gay, bi, trans and queer hook-up app, is on the hook for a penalty of NOK100,000,000 (aka €10M or ~$12.1M) in Europe.

Norway’s data protection agency has announced it’s notified the US-based company of its intention to issue the fine in relation to consent violations under the region’s General Data Protection Regulation (GDPR) which sets out strict conditions for processing people’s data.

The size of the fine is notable. GDPR allows for fines to scale up to 4% of global annual turnover or up to €20M, whichever is higher. In this case Grindr is on the hook for around 10% of its annual revenue, per the DPA. (Although the sanction is not yet final; Grindr has until February 15 to submit a response before the Datatilsynet issues a final decision.)

“We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR,” said Bjørn Erik Thon, DG of the agency, in a statement. “Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent take-it-or-leave-it ‘consents’. It is imperative that such practices cease.”

Grindr has been contacted for comment.

Last year a report by Norway’s Consumer Council (NCC) delved into the data sharing practices of a number of popular apps in categories such as dating and fertility. It found the majority of apps transmitted data to “unexpected third parties”, with users not clearly informed how their information was being used.

Grindr was one of the apps featured in the NCC report. And the Council went on to file a complaint against the app with the national DPA, claiming unlawful sharing of users’ personal data with third parties for marketing purposes — including GPS location; user profile data; and the fact the user in question is on Grindr.

Under the GDPR, an app user’s personal data may be legally shared if you obtain their consent to do so. However there are a set of clear standards for consent to be legal — meaning it must be informed, specific and freely given. The Datatilsynet found that Grindr had failed to meet this standard. 

It said users of Grindr were forced to accept the privacy policy in its entirety — and were not asked if they wanted to consent with the sharing of their data to third parties.

Additionally, it said sexual orientation could be inferred by a user’s presence on Grindr; and under regional law such sensitive ‘special category’ data carries an even higher standard of explicit consent before it can be shared (which, again, the Datatilsynet said Grindr failed to get from users).

“Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection,” it writes in a press release.

“The Norwegian Data Protection Authority considers that this is a serious case,” added Thon. “Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”

The decision could have wider significance as a similar ‘forced consent’ complaint against Facebook is still open on the desk of Ireland’s data protection watchdog — despite being filed back in May 2018. For tech giants that have have set up a regional base in Ireland, and made an Irish entity legally responsible for processing EU citizens’ data, GDPR’s one-stop-shop mechanism has led to considerable delays in complaint enforcement.

Grindr, meanwhile, changed how it obtains consent in April 2020 — and the proposed sanction deals with how it was handling this prior to then, from May 2018, when the GDPR came into force.

“We have not to date assessed whether the subsequent changes comply with the GDPR,” the Datatilsynet adds.

After its report last year, the NCC also filed complaints against five of the third parties who it found to be receiving data from Grindr: MoPub (owned by Twitter), Xandr (formerly known as AppNexus), OpenX Software, AdColony, and Smaato. The DPA notes that those cases are ongoing.

Following the NCC report in January 2020, Twitter told us it had suspended Grindr’s MoPub account while it investigated the “sufficiency” of its consent mechanism. We’ve reached out to Twitter to ask whether it ever reinstated the account and will update this report with any response.

European privacy campaign group noyb, which was involved in filing the strategic complaints against Grindr and the adtech companies, hailed the DPA’s decision to uphold the complaints — dubbing the size of the fine “enormous” (given Grindr only reported profits of just over $30M in 2019, meaning it’s facing losing about a third of that at one fell swoop).

noyb also argues that Grindr’s switch to trying to claim legitimate interests to continue processing users’ data without obtaining their consent could result in further penalties for the company. 

“This is in conflict with the decision of the Norwegian DPA, as it explicitly held that “any extensive disclosure … for marketing purposes should be based on the data subject’s consent“,” writes Ala Krinickytė, data protection lawyer at noyb, in a statement. The case is clear from the factual and legal side. We do not expect any successful objection by Grindr. However, more fines may be in the pipeline for Grindr as it lately claims an unlawful ‘legitimate interest’ to share user data with third parties — even without consent. Grindr may be bound for a second round.” 

Comments

Popular posts from this blog

Uber co-founder Garrett Camp steps back from board director role

Uber co-founder Garrett Camp is relinquishing his role as a board director and switching to board observer — where he says he’ll focus on product strategy for the ride hailing giant. Camp made the announcement in a short Medium post in which he writes of his decade at Uber: “I’ve learned a lot, and realized that I’m most helpful when focused on product strategy & design, and this is where I’d like to focus going forward.” “I will continue to work with Dara [Khosrowshahi, Uber CEO] and the product and technology leadership teams to brainstorm new ideas, iterate on plans and designs, and continue to innovate at scale,” he adds. “We have a strong and diverse team in place, and I’m confident everyone will navigate well during these turbulent times.” The Canadian billionaire entrepreneur signs off by saying he’s looking forward to helping Uber “brainstorm the next big idea”. Camp hasn’t been short of ideas over his career in tech. He’s the co-founder of the web 2.0 recommendatio...

Drone crash near kids leads Swiss Post and Matternet to suspend autonomous deliveries

A serious crash by a delivery drone in Switzerland have grounded the fleet and put a partnership on ice. Within a stone’s throw of a school, the incident raised grim possibilities for the possibilities of catastrophic failure of payload-bearing autonomous aerial vehicles. The drones were operated by Matternet as part of a partnership with the Swiss Post (i.e. the postal service), which was using the craft to dispatch lab samples from one medical center for priority cases. As far as potential applications of drone delivery, it’s a home run — but twice now the craft have crashed, first with a soft landing and the second time a very hard one. The first incident, in January, was the result of a GPS hardware error; the drone entered a planned failback state and deployed its emergency parachute, falling slowly to the ground. Measures were taken to improve the GPS systems. The second failure in May, however, led to the drone attempting to deploy its parachute again, only to sever the line...

How the world’s largest cannabis dispensary avoids social media restrictions

Planet 13 is the world’s largest cannabis dispensary. Located in Las Vegas, blocks off the Strip, the facility is the size of a small Walmart. By design, it’s hard to miss. Planet 13 is upending the dispensary model. It’s big, loud and visitors are encouraged to photograph everything. As part of the cannabis industry, Planet 13 is heavily restricted on the type of content it can publish on Instagram, Facebook and other social media platforms. It’s not allowed to post pictures of buds or vapes on some sites. It can’t talk about pricing or product selection on others.   View this post on Instagram   A post shared by Morgan Celeste SF Blogger (@bayareabeautyblogger) on Jan 25, 2020 at 7:54pm PST Instead, Planet 13 encourages its thousands of visitors to take photos and videos. Starting with the entrance, the facility is full of surprises tailored for the ‘gram. As a business, Planet 13’s social media content is heavily restricted a...