The Dating App “Grindr” to be fined almost € 10 Mio
On 26 January, the Norwegian Data Protection Authority upheld the complaints, confirming that Grindr did not recive valid consent from users in an advance notification. The Authority imposes a fine of 100 Mio NOK (€ 9.63 Mio or $ 11.69 Mio) on Grindr. An enormous fine, as Grindr only reported a profit of $ 31 Mio in 2019 - a third of which is now gone. EDRi member noyb assisted with writing the legal analysis and formal complaints.
In January 2020, the Norwegian Consumer Council and the European privacy NGO noyb.eu filed three strategic complaints against Grindr and several adtech companies over illegal sharing of users’ data. Like many other apps, Grindr shared personal data (like location data or the fact that someone uses Grindr) to potentially hundreds of third parties for advertisment.
Background of the case. On 14 January 2020, the Norwegian Consumer Council (Forbrukerrådet; NCC) filed three strategic GDPR complaints in cooperation with noyb. The complaints were filed with the Norwegian Data Protection Authority (DPA) against the gay dating app Grindr and five adtech companies that were receiving personal data through the app: Twitter`s MoPub, AT&T’s AppNexus (now Xandr), OpenX, AdColony, and Smaato.
Grindr was directly and indirectly sending highly personal data to potentially hundreds of advertising partners. The ‘Out of Control’ report by the NCC described in detail how a large number of third parties constantly receive personal data about Grindr’s users. Every time a user opens Grindr, information like the current location, or the fact that a person uses Grindr is broadcasted to advertisers. This information is also used to create comprehensive profiles about users, which can be used for targeted advertising and other purposes.
Consent must be unambiguous, informed, specific and freely given. The Norwegian DPA held that the alleged “consent” Grindr tried to rely on was invalid. Users were neither properly informed, nor was the consent specific enough, as users had to agree to the entire privacy policy and not to a specific processing operation, such as the sharing of data with other companies.
Consent must also be freely given. The DPA highlighted that users should have a real choice not to consent without any negative consequences. Grindr made use of the app conditional on consenting to data sharing or to paying a subscription fee.
“The message is simple: ‘take it or leave it’ is not consent. If you rely on unlawful ‘consent’ you are subject to a hefty fine. This does not only concern Grindr, but many websites and apps.” – Ala Krinickytė, Data protection lawyer at noyb
”This not only sets limits for Grindr, but establishes strict legal requirements on a whole industry that profits from collecting and sharing information about our preferences, location, purchases, physical and mental health, sexual orientation, and political views” – Finn Myrstad, Director of digital policy in the Norwegian Consumer Council (NCC).
Grindr must police external “Partners”. Moreover, the Norwegian DPA concluded that “Grindr failed to control and take responsibility” for their data sharing with third parties. Grindr shared data with potentially hundreds of thrid parties, by including tracking codes into its app. It then blindly trusted these adtech companies to comply with an ‘opt-out’ signal that is sent to the recipients of the data. The DPA noted that companies could easily ignore the signal and continue to process personal data of users. The lack of any factual control and responsibility over the sharing of users’ data from Grindr is not in line with the accountability principle of Article 5(2) GDPR. Many companies in the industry use such signal, mainly the TCF framework by the Interactive Advertising Bureau (IAB).
“Companies cannot just include external software into their products and then hope that they comply with the law. Grindr included the tracking code of external partners and forwarded user data to potentially hundreds of third parties – it now also has to ensure that these ‘partners’ comply with the law.” – Ala Krinickytė, Data protection lawyer at noyb
Grindr: Users may be “bi-curious”, but not gay? The GDPR specially protects information about sexual orientation. Grindr however took the view, that such protections do not apply to its users, as the use of Grindr would not reveal the sexual orientation of its customers. The company argued that users may be straight or “bi-curious” and still use the app. The Norwegian DPA did not buy this argument from an app that identifies itself as being ‘exclusively for the gay/bi community’. The additional questionable argument by Grindr that users made their sexual orientation “manifestly public” and it is therefore not protected was equally rejected by the DPA.
“An app for the gay community, that argues that the special protections for exactly that community actually do not apply to them, is rather remarkable. I am not sure if Grindr’s lawyers have really thought this through.” – Max Schrems, Honorary Chairman at noyb
Successful objection unlikely. The Norwegian DPA issued an “advanced notice” after hearing Grindr in a procedure. Grindr can still object to the decision within 21 days, which will be reviewed by the DPA. However it is unlikely that the outcome could be changed in any material way. However further fines may be upcoming as Grindr is now relying on a new consent system and alleged “legitimate interest” to use data without user consent. This is in conflict with the decision of the Norwegian DPA, as it explicitly held that “any extensive disclosure … for marketing purposes should be based on the data subject’s consent“.
“The case is clear from the factual and legal side. We do not expect any successful objection by Grindr. However, more fines may be in the pipeline for Grindr as it lately claims an unlawful ‘legitimate interest’ to share user data with third parties – even without consent. Grindr may be bound for a second round.” – Ala Krinickytė, Data protection lawyer at noyb
Acknowledgements
- The project was led by the Norwegian Consumer Council
- The technical tests were carried out by the security company mnemonic.
- The research on the adtech industry and specific data brokers was performed with assistance from the researcher Wolfie Christl of Cracked Labs.
- Additional auditing of the Grindr app was performed by the researcher Zach Edwards of MetaX.
- The legal analysis and formal complaints were written with assistance from noyb.
This article was first published here.