Grindr Potentially Faces $12 Million GDPR Privacy Fine
Regulator Finds Dating Service Violated Users' Rights
Norway's privacy watchdog has proposed fining location-based dating app Grindr 9.6 million euros ($11.6 million) after finding that it violated Europeans' privacy rights by sharing data with many more third parties than it had disclosed.
Norway's data protection authority, known as Datatilsynet, announced the proposed fine against Los Angeles-based Grindr, which bills itself as being "the world's largest social networking app for gay, bi, trans, and queer people."
The privacy regulator found that Grindr violated article 58 of the General Data Protection Regulation by:
- "Having disclosed personal data to third party advertisers without a legal basis";
- "Having disclosed special category personal data to third party advertisers without a valid exemption from the prohibition in article 9(1) GDPR," which provides exemptions for certain types of data, none of which are for advertising purposes.
Complaint Against Grindr
The case against Grindr was initiated in January 2020 by the Norwegian Consumer Council, a government agency that works to protect consumers' rights, with legal help from the privacy rights group NOYB - short for "none of your business" - founded by Austrian lawyer and privacy advocate Max Schrems. The complaint was also based on technical tests conducted by security firm Mnemonic, advertising technology analysis by researcher Wolfie Christl of Cracked Labs and audits of the Grindr app by Zach Edwards of MetaX.
With the proposed fine, "the data protection authority has clearly established that it is unacceptable for companies to collect and share personal data without users' permission," says Finn Myrstad, director of digital policy for the Norwegian Consumer Council.
The council's complaint alleged that Grindr was failing to properly protect sexual orientation information, which is protected data under GDPR, by sharing it with advertisers in the form of keywords. It alleged that simply disclosing the identity of an app user could reveal that they were using an app being targeted to the "gay, bi, trans and queer" community.
In response, Grindr argued that using the app in no way revealed a user's sexual orientation, and that users "could also be a heterosexual, but curious about other sexual orientations - often referred to as 'bi-curious,'" Norway's data protection agency says.
But the regulator notes: "The fact that a data subject is a Grindr user may lead to prejudice and discrimination even without revealing their specific sexual orientation. Accordingly, spreading the information could put the data subject's fundamental rights and freedoms at risk."
NOYB's Schrems says: "An app for the gay community, that argues that the special protections for exactly that community actually do not apply to them, is rather remarkable. I am not sure if Grindr's lawyers have really thought this through."
Based on their technical teardown of how Grindr operates, the Norwegian Consumer Council also alleged that Grindr was sharing users' personal information with many more third parties than it had disclosed.
"According to the complaints, Grindr lacked a legal basis for sharing personal data on its users with third-party companies when providing advertising in its free version of the Grindr application," Norway's DPA says. "NCC stated that Grindr shared such data through software development kits. The complaints addressed concerns on the data sharing between Grindr" and advertising partners, including Twitter's MoPub, OpenX Software, AdColony, Smaato and AT&T's Xandr, which was previously known as AppNexus.
"This means that over 160 partners could access personal data from Grindr without a legal basis," the regulator says. "We consider that the scope of the infringements adds to the gravity of them."
'Cancel' or 'Accept' Everything
Norway's DPA says its proposed fine is based on the consent management platform being used by Grindr at the time of the complaints. The company updated that consent management platform in April 2020. Grindr's spokeswoman says its "approach to user privacy is first-in-class among social applications with detailed consent flows, transparency and control provided to all of our users."
But the regulator says Grindr was running afoul of GDPR's requirement that users "freely consent" to any processing of their personal information because the app required users to accept all terms and conditions and data processing whenever they clicked to "proceed" through the signup process.
4 'Free Consent' Requirements
The European Data Protection Board, which comprises all nations that enforce GDPR, has previously issued guidance stating that meeting the "free consent" test requires satisfying four requirements: granularity, meaning every type of data processing request must be freely stated; that the "data subject must be able to refuse or withdraw consent without detriment"; that there's no conditionality, meaning that unnecessary data processing must not be bundled with necessary processing; and "that there's no imbalance of power."
To the last point, the EDPB has stated: "Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences."
Norway's DPA says that in the case of Grindr, all choices being offered to users should have been "intuitive and fair," but they were not.
"Tech companies such as Grindr process personal data of data subjects on a large scale," the regulator says. "The Grindr app collected personal data from thousands of data subjects in Norway and it shared data on their sexual orientation. This enhances Grindr's responsibility to exercise processing with conscience and due knowledge of the requirements for the application of the legal basis on which it relies upon."
Ala Krinickyte, a data protection lawyer at NOYB, says: "The message is simple: 'Take it or leave it' is not consent. If you rely on unlawful 'consent,' you are subject to a hefty fine. This does not only concern Grindr, but many websites and apps."
Regulators can fine organizations that violate GDPR up to 4% of their annual revenue, or 20 million euros ($24 million), whichever is greater.
Norway's DPA says its proposed fine of nearly $12 million is based on calculating Grindr's annual revenue to be at least $100 million and is also based on Grindr having profited from its illegal handling of people's personal data. "Grindr users who did not want - or did not have the opportunity - to enroll in the paid version had their personal data shared and re-shared with a potentially vast amount of advertisers without a legal basis, while Grindr and advertising partners presumably profited," it says.
The DPA says that its findings against Grindr are based on the complaint involving its app, and it may probe potential additional violations.
"Although we have chosen to focus our investigation on the legitimacy of the previous consents in the Grindr application, there might be additional issues regarding, e.g., data minimization in the previous and/or in the current consent mechanism platform," the regulator says in its notice of intent to fine.
Final Fine Not Yet Set
Grindr has until Feb. 15 to respond to the proposed fine as well as to make any case for how the COVID-19 pandemic might have affected its business, which the regulator could take into account before setting a final fine amount.
Previously, multiple large fines proposed by DPAs in a "notice of intent" to fine have not come to pass.
In November 2020, for example, a German court cut by 90% the fine imposed on 1&1 Telecom by the country's federal privacy regulator over call center data protection shortcomings.
Last October, Britain's ICO announced final fines of 20 million pounds ($27 million) against British Airways, for a 2018 data breach, and 18.4 million pounds ($25 million) against Marriott, for the four-year breach of its Starwood customer database. While those fines remain the largest two GDPR sanctions imposed in Britain, they were respectively 90% and 80% lower than the fines the ICO had originally proposed. The regulator said that the COVID-19 pandemic's ongoing impact on both businesses was a factor in its decision.
Legal experts say the regulator was also attempting to find a final amount that would stand up in court, because any organization facing a GDPR fine has a right to appeal.