Grindr Sells Private Information to Advertisers
Last year, the Norwegian regulator Datatilsynet started an investigation into a number of popular dating applications, including Grindr, Tinder and OKCupid. It found that they all sell sensitive user data to advertisers on a large scale. Grindr, a widely used dating app in the LGBTI community, collected and shared data such as gender, age, sexual and political preference, location, IP address, physical and mental health, and third-party purchases. With this information, advertisers can target users with more personalized advertisements. However, this all happened without explicit permission from Grindr’s users.
Clear Violation of the GDPR
The discovery obviously did not sit well with Forbrukerrådet, the Norwegian Consumer Council. Sharing sensitive information without users’ consent is a gross violation of the General Data Protection Regulation (GDPR). Therefore, the Consumer Council submitted the case to the Norwegian regulator Datatilsynet. They also informed various international stakeholders, including Noyb and the European Center for Digital Rights. The privacy watchdog provisionally agrees with Forbrukerrådet. Their preliminary conclusion is that Grindr has indeed shared user data with a number of third parties without a legal basis. “Users were not able to exercise real and effective control […] and were forced to accept the privacy policy to use the app”, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority. “Our findings suggest gross violations of the GDPR.”
$11.7 Million Fine
The watchdog notified Grindr that they intend to impose a fine “of great magnitude”. Grindr has some 27 million registered users worldwide, with thousands of them residing in Norway. The Norwegian Data Protection Authority is proposing a fine of 10% of Grindr’s turnover. As Grindr’s annual worldwide turnover amounts to over $100,000,000, such a fine would be in the millions. “This is a milestone in the ongoing work to ensure that consumers’ privacy is protected online”, said Finn Myrstad, director of digital policy of Forbrukerrådet, in a press statement. “The Data Protection Authority, Datatilsynet, has clearly established that it is unacceptable for companies to collect and share personal data without user’s permission.”
Grindr Has Until Mid-February to Appeal
The document issued by the Consumer Council is a draft decision. This means Grindr has until February 15 to appeal the decision and have their comments taken into account. If the dating app does not respond before this deadline, the regulator will convert the provisional fine into a final penalty. The Norwegian watchdog also filed complaints against “ad tech” companies receiving data from Grindr, including Twitter’s mobile app advertising platform, MoPub. These cases are ongoing. Late last year, Grindr was confronted with yet another privacy issue. A security vulnerability in the dating app permitted account takeover. A French security researcher discovered the vulnerability. He reported the issue to Grindr via a helpdesk ticket. When Grindr closed the ticket and ignored the issue, he contacted the well-known independent security expert Troy Hunt. Grindr only resolved the issue after Troy Hunt escalated his findings to Grindr’s security team.