Grindr Fined €9.6 Million for Data Sharing GDPR Violation

Grindr, the world’s largest dating and social networking app for gay, bi, trans, and queer people, has been fined €9.6 million ($11.6 million) by the Norwegian data protection authority – Datatilsynet – for violations of the EU’s General Data Protection Regulation (GDPR).

Article 58 requires transparency with the public as to the exact nature of any sharing of the personal information of data subjects. Data subjects must be told in concise, easy to access, and easy to understand language who their personal data will be shared with and for what purpose, and they must give informed consent before any personal data can be shared.

In January 2020, the Norwegian Consumer Council, assisted by the privacy rights group NOYB, filed a complaint against Grindr alleging the Los Angeles-based company had shared the personal data of app users with unexpected third parties and had not clearly informed app users where their personal data would be sent. In addition, the NCC complaint alleged Grindr was sharing user data with far more third parties than the privacy policy for the free version of its app suggested. According to the complaint, Grindr said in its privacy policy that it shares certain user data with its partner, Twitter’s MoPub; however, Twitter’s MoPub has 160 partners.

In order for personal data to be shared, it is first necessary to obtain consent from individuals, and consent should be specific and freely given. Datatilsynet investigated and found that Grindr was in violation of the consent requirement of Article 58 of the GDPR. Grindr did require users to accept its privacy policy before using the service, but they were required to accept the terms and conditions and were not specifically asked if they consented to their personal data being shared with third parties.

Under the GDPR, certain categories of data are considered to be especially sensitive. There are additional requirements under the GDPR for this ‘special category’ data, including stricter requirements for obtaining consent from data subjects prior to personal data being shared. Sexual orientation is one data element classed as special category data. Since it is possible to infer that an individual is either gay, bi, trans, or queer from their usage of the Grindr app, it is especially important to obtain clear and specific consent from app users prior to any sharing of personal data.

Datatilsynet therefore concluded that in addition to the violation of Article 58, Grindr was also in violation of Article 9(1) of the GDPR, as special category data was disclosed without a valid exemption. There are exemptions stated in Article 9(1) that allow special category data to be disclosed without consent, but disclosure for advertising purposes is not one of them. Datatilsynet also explained that the personal data of app users could be accessed by 160 partners when there was no legal basis for sharing that data.


The seriousness of the violations was reflected in the penalty amount. The GDPR allows fines to be imposed up to €20 million or 4% of global annual turnover for the previous fiscal year. The penalty equates to around 10% of Grindr’s global annual turnover.

Grindr has until February 15, 2021 to appeal the financial penalty, after which a final determination will be made. A spokesperson for Grindr explained that the alleged privacy policy issues that formed the basis of the case related to 2018, when the GDPR came into effect, and do not reflect the company’s current privacy policies and practices.

Grindr changed its mechanism for obtaining consent in April 2020, so the case relates to Grindr’s privacy practices from May 2018 until April 2020.