Norway fines Grindr £5.5 million for personal data sharing

The GDPR protects sexual orientation as a special category of data

Image:
The GDPR protects sexual orientation as a special category of data

Norway's Data Protection Authority has handed Grindr, the location-based dating app for the LGBTQ+ community, a 65 million krone (£5.5 million) fine for breaching GDPR rules.

The fine is a reduction from the 100 million krone (£8.6 million) charge the DPA had levied in January. It said it lowered the amount due to changes Grindr had made to the app and new information about the company's financial situation.

It is still the largest fine Norway's data regulator has ever handed down, however, because of the seriousness of the situation.

Tobias Judin, head of the DPA's international department, said, "Our conclusion is that Grindr has disclosed user data to third parties for behavioural advertisement without a legal basis."

The Authority says Grindr shared users' private data with advertisers without their explicit consent. That included GPS location, IP address, advertising ID, age, gender and the fact that the user was on Grindr.

That is particularly troublesome because information about a person's sexual orientation is known as special category data, which has a higher level of protection under the GDPR.

For its part, Grindr disagrees that it did not have explicit consent. Between 2018 and 2020, users were forced to agree to the app's privacy policy to continue using it - without specifically being asked if they wanted to consent to their data being shared with advertisers. The DPA says this consent was not valid.

The GDPR itself says consent must be 'freely given', which means 'people must be able to refuse consent without detriment'. It adds, 'If the individual has no real choice, consent is not freely given and it will be invalid.' Under this wording, making service delivery reliant on consent is most likely a GDPR breach.

Grindr has three weeks to lodge an appeal against the ruling.