LGBT dating app Grindr fined £8.6 million by Norway’s Data Protection Authority
In January 2020, the Norwegian Consumer Council made multiple complaints against Grindr for sharing users’ personal information with its advertisers which led to an investigation carried out by the Norwegian Data Protection Authority. The personal information subject to the breach is said to include users’ locations, age, gender and information that could reveal an individual’s sexuality. Grindr has alleged that it obtained valid consent from all its users and remains confident that it maintains good privacy practices throughout the app whilst the Norwegian Data Protection Authority has commented that the breaches are very severe.
On investigation by the Norwegian Data Protection Authority, the consent obtained from users was found not to have met the high threshold under the EU GDPR. Under the EU GDPR, consent must be freely given, specific, informed and unambiguous. Users must also be able to revoke their consent should they so wish. The use of the app being conditional on users consenting to data sharing or by paying a subscription fee was held to contravene these requirements. In addition, it was decided that users were not properly informed and the consent obtained was not sufficiently specific.
This is not the first time Grindr has been the subject of data protection concerns. In October 2020, it was revealed that the business had a vulnerability where accounts could easily be hacked and in 2018, it shared the HIV status of users with two external companies.
