The Norwegian Data Protection Authority (the “Norwegian DPA”) has notified Grindr LLC (“Grindr”) of its intent to issue a €10 million fine (c. 10% of the company’s annual turnover) for “grave violations of the GDPR” for sharing its users’ data without first seeking adequate consent.
Grindr claims to be the world’s largest social networking platform and online dating app for the LGBTQ+ community. Following three complaints from the Norwegian Consumer Council (the “NCC”), the Norwegian DPA investigated the way in which Grindr shared its users’ data with third party advertisers for online behavioural marketing purposes without consent.
‘Take-it-or-leave-it’ is not consent
The personal data Grindr shared with its advertising partners included users’ GPS locations, age, gender, and the fact the data subject in question was on Grindr. In order for Grindr to legally share this personal data under the GDPR, it required a lawful basis. The Norwegian DPA stated that “as a general rule, consent is required for intrusive profiling…marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.”
The Norwegian DPA’s preliminary conclusion was that Grindr needed consent to share the personal data elements cited above, and that Grindr’s consents were not valid. It is noted that subscription to the Grindr app was conditional on the user agreeing to Grindr’s data sharing practices, but users were not asked to consent to the sharing of their personal data with third parties. Instead, the user was effectively forced to accept Grindr’s privacy policy and, if they didn’t, they faced an annual subscription fee of c. €500 to use the app.
The Norwegian DPA concluded that bundling consent with the app’s full terms of use did not constitute “freely given” or informed consent, as defined under Article 4(11) and required under Article 7(1) of the GDPR.
Disclosing sexual orientation by inference
The Norwegian DPA also stated in its decision that “the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data…” requiring particular protection.
Grindr had argued that the sharing of general keywords on sexual orientation such as “gay, bi, trans or queer” related to the general description of the app and did not relate to a specific data subject. Consequently, Grindr’s position was that the disclosures to third parties did not reveal sexual orientation within the scope of Article 9 of the GDPR.
Whilst the Norwegian DPA agreed that Grindr shares keywords on sexual orientation that are general and describe the app rather than a specific data subject, it stated that, given the use of “the generic words ‘gay, bi, trans and queer’, it indicates that the data subject belongs to a sexual minority, and to one of these particular sexual orientations.”
The Norwegian DPA found that “by public perception, a Grindr user is presumably gay” and that users consider it to be a safe space, trusting that their profile will only be visible to other users, who presumably are also members of the LGBTQ+ community. By sharing the information that an individual is a Grindr user, their sexual orientation was inferred merely by that user’s presence on the app. In conjunction with disclosing data regarding the users’ exact GPS location, there was a significant risk that the user would face prejudice and discrimination as a result. Grindr had breached the prohibition on processing special category data, as set out in Article 9, GDPR.
Conclusion
This is potentially the Norwegian DPA’s largest fine to date, and a number of aggravating factors justify this, including the substantial financial benefits Grindr gained as a result of its infringements.
In these circumstances, it was not sufficient for Grindr to argue that the greater restrictions under Article 9 of the GDPR did not apply because it did not explicitly share users’ special category data. The mere disclosure that an individual was a user of the Grindr app was sufficient to infer their sexual orientation.
The allegations date back to 2018, and last year Grindr changed its Privacy Policy and practices, although these were not considered as part of the Norwegian DPA’s investigation. However, although the regulatory spotlight has this time settled on Grindr, it serves as a warning to other tech giants to review the ways in which they secure their users’ consent.