Norwegian privacy regulators have fined the dating app Grindr more than $7.1 million for sharing users' data with third parties for ad purposes, without first obtaining people's “freely given” consent.
In a 68-page decision issued this week, the Norwegian Data Protection Authority said Grindr violated Europe's broad privacy laws by effectively requiring consumers to share sensitive data with third parties in order to use the dating service.
“For a consent to be 'freely given' ... the data subject must have genuine freedom of choice,” the agency wrote.
The decision grew from an investigation launched by the Norwegian authorities in early 2020, shortly after that country's Consumer Council issued a report stating that popular Android smartphone apps, including Grindr, shared users' sensitive information with third parties.
"The adtech industry is operating with out of control data sharing and processing," the Consumer Council wrote at the time.
The Norwegain Consumer Council also filed a complaint against Grindr -- which bills itself as "the world's largest social networking app for gay, bisexual, transgender and queer people" -- for sharing users' geolocation data, ages, gender and other data to third parties.
The Data Protection Authority's investigation focused only on the period between July of 2018 (when the sweeping General Data Protection Regulation took effect in Norway) and April of 2020 (when Grindr changed some privacy practices).
Grindr's approach to privacy during that time involved showing prospective users the company's data policy, and asking them to accept it in full, according to the Data Protection Authority.
People who didn't want their information used for behavioral advertising could press a “cancel” button, but doing so would end the registration process -- meaning they wouldn't be able to use the app.
That policy left consumers in a “take it or leave it” situation, instead of allowing them to agree to share some data while still rejecting behaviorally-targeted ads, the authorities wrote.
“Gaining access to the Grindr services within the free version of the app was made conditional on 'consenting' to sharing personal data with advertising partners for advertising purposes which was not necessary for the performance of Grindr’s services,” the opinion states. “This indicates that consent was not 'freely given.'”
Grindr countered that it informed users about how to configure their devices to transmit an opt-out signal to ad-tech companies and developers.
But the Norwegian authorities rejected that approach, writing that some ad tech companies could refuse to honor those opt-out signals.
“Grindr failed to control and take responsibility for their own data sharing, and the 'opt-out' mechanism was not necessarily effective,” the regulators wrote.
What's more, according to the Norwegian Data Protection Authority, people who opt out at the device level have to reject all interest-based ads, not just ones based on data collected by Grindr.
“This is something the user may not wish to do, further indicating lack of control and free choice for the data subject,” the opinion states.
Shane Wiley, Grindr's chief privacy officer, stated Thursday that the company “strongly” disagrees with the Norwegian Data Protection Authority's reasoning, adding that the decision “concerns historical consent practices from years ago,” as opposed to its current practices.
“Protecting our users’ interests and ensuring that we put them in control of their personal data have always been our top priorities,” Wiley stated.
He added that Grindr is considering its options, including appealing the findings.