Norway slaps Grindr with €10m fine for sharing client data, abusive 'consents'
Meet-up app Grindr has been fined €10m by Norway’s data protection agency after it found it had violated consent regulations.
The app had failed to comply with the General Data Protection Regulation of the region which sets out strict rules for processing people’s data.
GDPR allows for fines to amount to 4% of global annual turnover or up to €20M, whichever is higher.
In this case Grindr has been sanctioned for around 10% of its annual revenue.
“We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR,” said Bjørn Erik Thon, Director General of the Norwegian agency, in a statement.
“Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent take-it-or-leave-it ‘consents’. It is imperative that such practices cease.”
In 2020, the Norwegian Consumer Council opened an investigation into different data sharing practices by companies that had business in the country. It found that the majority of apps transmitted data to “unexpected third parties” without correctly informing users.
Grindr was one of the apps featured in the NCC report.
After its report last year, the NCC also filed complaints against five of the third parties who it found to be receiving data from Grindr: MoPub (owned by Twitter), Xandr (formerly known as AppNexus), OpenX Software, AdColony, and Smaato.
“The Norwegian Data Protection Authority considers that this is a serious case,” added Thon. “Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law."