Norway’s data protection authority claims that Grindr shared user data with a number of third parties without legal basis.
Dating platform Grindr is facing a €10m fine from the Norwegian data protection authority, Datatilsynet, for allegedly violating European privacy laws.
The data protection agency announced that it intends to issue an administrative fine of 100m Norwegian kroner, or almost €10m.
Last year, the Norwegian Consumer Council filed a complaint against Grindr, claiming unlawful sharing of personal data with third parties for marketing purposes. The complaint alleged that the data shared included GPS location, user profile data, and the fact that the user was on Grindr.
“Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid,” Datatilsynet said in a statement today (26 January).
“Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection.”
Previous privacy issues
This is not the first time Grindr has been in hot water over privacy issues. In 2018, it emerged that the app had shared users’ HIV status data with two separate companies, Apptimize and Localytics.
Both companies received some of the data that Grindr users had elected to include in their profiles, including their HIV status, the last date they were tested for HIV and whether they were taking the PrEP, a drug that lowers your risk of contracting HIV. The issue was first spotted by Norwegian non-profit SINTEF.
More recently, a French security researcher spotted a vulnerability within the Grindr app that enabled password resets without access to a user’s inbox. After the vulnerability was made public, Grindr announced plans to launch a bug bounty programme to improve the safety and security of its app.
Largest Norwegian data fine to date
The Norwegian data protection authority’s fine is a draft decision for now. Grindr will have the opportunity to comment on the findings until 15 February 2021, and then Datatilsynet will make its final decision.
However, if the fine remains at its current figure, which is approximately 10pc of the company’s estimated turnover, it will be the largest Norwegian data protection fine issued to date under GDPR.
According to the data protection agency, it intends to impose a fine of this magnitude due to the “grave violations” its findings suggest.
Bjørn Erik Thon, director-general of Norwegian’s data protection authority, said this is considered “a serious case” of not complying with GDPR.
“Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.”