The Norwegian Data Protection Authority said it imposed its
highest fine to date because the California-based company didn't comply with
the EU's tough data protection regulations. Norway isn't a member of the
27-nation bloc but closely mirrors EU rules.
Grindr said the agency's findings related to consent
policies from years ago, not its current practices, and that it is considering
its next steps, including an appeal.
The data watchdog “relies on a series of flawed findings,
introduces many untested legal perspectives, and the proposed fine is therefore
still entirely out of proportion with those flawed findings," said
Grindr's chief privacy officer, Shane Wiley.
In 2020, Norway's Consumer Council filed a complaint against
Grindr for disclosing information about its users, including GPS locations, IP
addresses, ages, gender and their use of the app, to several third parties for
marketing purposes. That allowed users to be identified and third parties to
potentially share personal information further.
The data privacy watchdog said users “were forced to accept
the privacy policy in its entirety to use the app” and were not asked
specifically if they wanted to allow their data to be shared with third parties
“for behavioural advertisement.”
“Furthermore, the information about the sharing of personal
data was not properly communicated to users," contrary to EU requirements
for “valid consent,” the agency said.
The Consumer Council's director of digital policy, Finn
Myrstad, said the decision by the Data Protection Authority “sends a strong
signal to all companies involved in commercial surveillance.”
Ala Krinickyte with the nonprofit European Center for
Digital Rights said "it is astonishing that the DPA has to convince Grindr
that its users are LGBT+ and that this fact is not a commodity to be bartered.”
Grindr said in a statement that “protecting users' interests
and ensuring that we put them in control of their personal data have always
been our top priorities."
“We have also been proactive in adopting industry-leading
privacy positions and tools, like detailed consent flows, granular user privacy
controls, and ‘just-in-time' app notifications," Wiley said.