Grindr Faces NOK 65-Million Fine in Norway Over Privacy Breach

Norway's data privacy watchdog on Wednesday fined dating app Grindr NOK 65 million (roughly Rs. 55 crore) for sending sensitive personal data to hundreds of potential advertising partners without users' consent — a breach of strict European Union privacy rules.

The Norwegian Data Protection Authority said it imposed its highest fine to date because the California-based company didn't comply with the EU's tough data protection regulations. Norway isn't a member of the 27-nation bloc but closely mirrors EU rules.

Grindr said the agency's findings related to consent policies from years ago, not its current practices, and that it is considering its next steps, including an appeal.

The data watchdog “relies on a series of flawed findings, introduces many untested legal perspectives, and the proposed fine is therefore still entirely out of proportion with those flawed findings," said Grindr's chief privacy officer, Shane Wiley.

In 2020, Norway's Consumer Council filed a complaint against Grindr for disclosing information about its users, including GPS locations, IP addresses, ages, gender and their use of the app, to several third parties for marketing purposes. That allowed users to be identified and third parties to potentially share personal information further.

The data privacy watchdog said users “were forced to accept the privacy policy in its entirety to use the app” and were not asked specifically if they wanted to allow their data to be shared with third parties “for behavioural advertisement.”

“Furthermore, the information about the sharing of personal data was not properly communicated to users," contrary to EU requirements for “valid consent,” the agency said.

The Consumer Council's director of digital policy, Finn Myrstad, said the decision by the Data Protection Authority “sends a strong signal to all companies involved in commercial surveillance.”

Ala Krinickyte with the nonprofit European Center for Digital Rights said "it is astonishing that the DPA has to convince Grindr that its users are LGBT+ and that this fact is not a commodity to be bartered.”

Grindr said in a statement that “protecting users' interests and ensuring that we put them in control of their personal data have always been our top priorities."

“We have also been proactive in adopting industry-leading privacy positions and tools, like detailed consent flows, granular user privacy controls, and ‘just-in-time' app notifications," Wiley said.