NCC & noyb GDPR complaint: "Grindr" fined € 6.3 Mio over illegal data sharing

15 December 2021
Three GDPR Complaints filed against Grindr, Twitter and the AdTech companies Smaato, OpenX, AdColony and AT&T’s AppNexus


Today, the Norwegian Data Protection Authority imposed a fine of 65 Mio NOK (€ 6.34 Mio or $ 7.17 Mio) on Grindr. The LGBTQI dating app had not received valid consent from users, but had been sharing sensitive personal data nonetheless.

Background of the case. On 14 January 2020, the Norwegian Consumer Council (Forbrukerrådet; NCC) filed three strategic GDPR complaints in cooperation with noyb. The complaints were filed with the Norwegian Data Protection Authority (DPA) against the queer dating app Grindr and five adtech companies that were receiving personal data through the app: Twitter's MoPub, AT&T’s AppNexus (now Xandr), OpenX, AdColony, and Smaato.

Grindr had been sending sensitive personal data to hundreds of potential advertising partners. The ‘Out of Control’ report by the NCC described in detail how a large number of third parties constantly received personal data about Grindr's users, such as the fact that they use Grindr and their location data.

On 26 January 2021, the Norwegian authority announced its intention to impose a fine of 100 Mio NOK (about 10 Mio EUR) on Grindr for the violation of Articles 4(11), 6, 7 and 9(2)(a) GDPR in a “draft decision”. Today’s fine of 65 Mio NOK in the final decision was ultimately adjusted based on Grindr’s actual revenue and the fact that it undertook measures to revise its previous Consent Management Platform.

“This sends a strong signal to all companies involved in commercial surveillance. There are serious repercussions to sharing personal data without a legal basis. We call for the digital advertising industry to make fundamental changes to respect consumers’ rights.” – Finn Myrstad, Director of digital policy in the Norwegian Consumer Council (NCC).

Consent must be unambiguous, informed, specific and freely given. The Norwegian DPA decided that the alleged “consent” Grindr tried to rely on was invalid. Users were neither properly informed, nor was the consent specific enough: users had to agree to the entire privacy policy and not to a specific processing operation, such as the sharing of data with other companies. Moreover, the DPA highlighted that users must have the choice not to consent, without any negative consequences. Grindr, however, made the use of the app dependent on consent; users must either consent to data sharing or pay a subscription fee.

To conclude, the DPA stated that “Grindr failed to control and take responsibility for their own data sharing and the “opt-out” mechanism was not necessarily effective”.

“ - and that’s the crux, in addition to the lack of consent. You cannot share personal data with a potentially unlimited number of partners without being able to control what happens to that data.” – Ala Krinickytė, data protection lawyer at noyb

Personal data is not a currency. The Norwegian DPA took a clear stance, saying that personal data may not be used to pay for digital services, even though Grindr relied on ‘behavioural advertisement’ as a ‘core-activity’ to finance itself. This decision plays a vital role in the European market, as many online services try to make profits by presenting user data as a means of payment.

Ultimately, the Norwegian DPA found the financial benefits Grindr enjoyed as a result of its illegal sharing to be an aggravating factor in assessing the fine, as well as the fact that Grindr shared special category data, protected under Article 9, with its partners. The DPA expressed its view that spreading the data in question could put the data subject’s fundamental rights and freedoms at risk, such as the right to privacy and non-discrimination.

“It’s astonishing that the DPA has to convince Grindr that its users are LGBT+ and that this fact is not a commodity to be bartered.” – Ala Krinickytė, data protection lawyer at noyb

Appeal to the Privacy Board. The case can now be appealed to the Norwegian Privacy Appeals Board (Personvernnemnda) within three weeks. The complaints against the adtech companies that received the data from Grindr are ongoing.

Acknowledgements

  • The project was led by the Norwegian Consumer Council.

  • The technical tests were carried out by the security company mnemonic.

  • The research on the adtech industry and specific data brokers was performed with assistance from the researcher Wolfie Christl of Cracked Labs.

  • Additional auditing of the Grindr app was performed by the researcher Zach Edwards of MetaX.

  • The legal analysis and formal complaints were written with assistance from noyb.