Grindr, an LGBT dating app, is facing fines of £8.5m for allegedly selling its users' data to advertisers. The Norwegian Data Protection Authority plans to fine the company about 10% of its global revenue. The Norwegian Consumer Council had made about 3 complaints against Grindr for breaching privacy policies and sharing user data with its advertisers. This data breach was revealed last January. The shared data includes users’ gender, age, location and sexuality.
The company has been given until Feb 15th to respond to the allegation. It has claimed that it had obtained “valid legal consent from all” of its European users on multiple occasions and that it was convinced its “approach to user privacy is first in class” in comparison to other social apps.
The company also added, “We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority.” However, the Norwegian agency stated, “Our preliminary conclusion is that the breaches are very severe.”
In this case the data is all the more sensitive, as homosexuality is illegal in certain countries and exposure of such user data may threaten the safety of the user. The head of the Norwegian Data Protection Authority’s International Department, Mr. Tobias Judin, explained, “If someone finds out that users are gay and knows their movements, they may be harmed.” He also added, “We’re trying to make these apps and services understand that this approach – not informing users, not gaining a valid consent to share their data – is completely unacceptable.”
Europe in particular has stringent regulations that protect the data privacy of users. Europe’s General Data Protection Regulation (GDPR) sets guidelines for the collection, processing and sharing of user data in the European Union as well as in Norway (non-EU).
Though the company claims that consent was obtained from its users, the European Centre for Digital Rights claims that the consent was invalid because the users were not properly informed and the consent was not specific in nature. The app offered just one choice: users either had to consent to the company sharing their personal information or had to pay to use the app. In Europe this amounts to forced, and therefore unlawful, consent, as it gives the user no choice. Such a process attracts hefty fines.
The issue is all the more complex because it is not just about Grindr following regulations; it also has to ensure that the partners with whom it has shared data follow the regulations as well. Grindr now needs to ensure that these partners are complying with privacy law. However, Grindr has a previous record of breaching privacy laws. In October last year, it was revealed how user accounts could be hacked through the email address. In 2018, the company was alleged to have shared users' HIV status with two external companies.