Grindr, the world’s largest dating and social networking app for gay, bi, trans, and queer people, has been fined €9.6 million ($11.6 million) by the Norwegian data protection authority – Datatilsynet – for violations of the EU’s General Data Protection Regulation (GDPR).
Article 58 requires transparency with the public as to the exact nature of any sharing of the personal information of data subjects. Data subjects must be told in concise, easy to access, and easy to understand language who their personal data will be shared with and for what purpose, and they must give informed consent before any personal data can be shared.
Under the GDPR, certain categories of data are considered to be especially sensitive. There are additional requirements under the GDPR for this ‘special category’ data, including stricter requirements for obtaining consent from data subjects prior to personal data being shared. Sexual orientation is one data element classed as special category data. Since it is possible to infer that an individual is either gay, bi, trans, or queer from their usage of the Grindr app, it is especially important to obtain clear and specific consent from app users prior to any sharing of personal data.
Datatilsynet therefore concluded that, in addition to the violation of Article 58, Grindr was also in violation of Article 9(1) of the GDPR, as special category data was disclosed without a valid exemption. There are exemptions stated in Article 9(1) that allow special category data to be disclosed without consent, but disclosure for advertising purposes is not one of them. Datatilsynet also explained that the personal data of app users could be accessed by 160 partners when there was no legal basis for sharing that data.
The seriousness of the violations was reflected in the penalty amount. The GDPR allows fines to be imposed up to €20 million or 4% of global annual turnover for the previous fiscal year. The penalty equates to around 10% of Grindr’s global annual turnover.
Grindr changed its mechanism for obtaining consent in April 2020, so the case relates to Grindr’s privacy practices from May 2018 until April 2020.