The Norwegian Data Protection Authority (DPA) Monday fined the popular queer dating app Grindr for sharing users’ personal data with third parties, including ad tech companies MoPub, Xandr, OpenX, AdColony and Smaato.
The decision stems from a complaint filed by the Norwegian Consumer Council (NCC), a nonprofit organization, in January 2020 alleging that the app shares location, IP address, gender, age and device information with several different companies and advertising partners.
The DPA found that Grindr violated Articles 6(1) and 9(1) of the General Data Protection Regulation (GDPR) for disclosing personal data without legal basis and disclosing special category personal data without valid exemptions. Grindr argued it had the consent of its users as a legal basis for sharing personal data, but the DPA disagreed and found that users were not properly informed about the company’s privacy policy and consent was not properly given.
Further, access to the app was conditional on consenting to data-sharing with third-party advertising even though it was unrelated to the performance of Grindr’s dating services. Users were only given the option to withdraw their consent upon paying a subscription fee, which could unduly affect their decision on granting and revoking consent.
The NCC welcomed this decision as a victory for the movement against surveillance-based advertising:
This sends a strong signal to all companies involved in commercial surveillance. There are serious repercussions to sharing personal data without a legal basis. We call for the digital advertising industry, which is responsible for tracking and profiling consumers on a massive scale, to make fundamental changes to respect consumers’ rights.
The DPA has imposed a fine of 65 million NOK (€6.42 million), subject to appeal before the Norwegian Privacy Appeals Board. The European Center for Digital Rights (Noyb) filed a similar complaint against Grindr before the Austrian DPA last month.