Grindr issued £8.5 million fine for selling user data

Grindr, a widely-used LGBT dating app, has been slapped with an £8.5 million fine for selling information about its users to advertisers. 

The sum has been demanded by Norway’s Data Protection Authority and equates to approximately one-tenth of the app’s global revenue.


What did Grindr do wrong?

Last January, the Norwegian Consumer Council revealed that Grindr had been selling off the data of people who use its app without obtaining explicit consent, including locations, ages, genders, and indicators that could be used to determine their sexual orientation.

At the time, the council made three complaints to Grindr and has since highlighted the dangers of revealing such data, particularly in countries where homosexuality is illegal and carries barbaric, medieval punishments. 

“Our preliminary conclusion is that the breaches are very severe” (Norwegian Data Protection Authority)

Grindr has until February 15 to respond to the hearing and appeal it if it believes such action would be worthwhile – if it chooses not to, it will be forced to pay up.

What did Grindr say?

In a statement issued to the New York Times, a Grindr spokesperson said: 

“We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority” (Grindr)

They also claimed that the app had “valid legal consent from all users” in Europe to share their data in this way, under an agreement they claim all those who downloaded the app have consented to on more than one occasion.

So… what’s the problem?

Grindr’s public response seems to completely repudiate the accusations coming from Oslo – so why has the Data Protection Authority reacted so strongly?

As it stands, the problem is still Grindr. The type of consent Grindr has allegedly obtained is not considered ‘valid’ consent in legal and political circles, nor in the eyes of the EU’s stringent data protection laws.

Grindr draws user consent from the initial sign-up process, where you can either consent to your data being shared or pay subscription fees. Questions over Grindr’s consent mechanism previously caused Twitter to drop the app from its ad network in January of last year.

Checkered history 

One of the problems with Grindr’s defense is the fact this isn’t the first time they’ve been caught out for playing fast and loose with user data.

In 2018, they were found to have shared data about their users’ HIV status with advertising companies as part of a bundle with other data. The company’s security boss said they’d been singled out ‘unfairly’ in this investigation. 

Then, in January 2020, a New York Times reporter found that Grindr’s GPS location tracking was so hyper-specific that it could show which side of a building a user was on.

More recently, in October of last year, a researcher showed that simply knowing a user’s email address could allow you to reset their password and, in turn, take full control of their account. However, the flaw was picked up before a major breach had taken place.

For Grindr’s active users, of which approximately 3 million are tuning into the app every day, it won’t have done much to assure them that their personal information is safe.