Greetings from Brussels!
The big news for me this week came out of Oslo, Norway. Datatilsynet, the nation's data protection authority, issued a draft decision with advance notification of its intent to fine the U.S.-based company Grindr, a dating app for the LGBTQ+ community, 100,000,000 kroner, equivalent to roughly 9.6 million euros. This is not an insignificant fine by the numbers, and it also represents about 10% of Grindr's estimated annual turnover. When you look at it from that perspective, you have to say that Grindr just got walloped.
The "notification of intent" by the DPA comes as a result of a legal complaint filed by the Norwegian Consumer Council back in January 2020. The NCC complaint cited unlawful sharing of personal data with third parties for marketing purposes. It alleged that the data shared with third parties included GPS location and user profile data, as well as the fact that the individuals concerned were Grindr users. Incidentally, this is not the first time the NCC has gone after a U.S.-based dating app. Back in March 2016, in the pre-GDPR days, I wrote about a similar case concerning Tinder. In that instance, the consumer group's complaint claimed that Tinder's sweeping terms and conditions were illegal under the Norwegian and EU privacy and consumer laws then in force, claims not too dissimilar to those in the present case.
A recent statement from the Norwegian DPA lays out the case. In its preliminary findings, the DPA concludes that Grindr did not have the necessary consent to share such data. Moreover, as you might already have inferred, the DPA considers that the mere fact of being a Grindr user speaks to one's sexual orientation and therefore constitutes special category data under Article 9 of the GDPR, which requires explicit consent before the data can be shared. The regulator's position seems abundantly clear: it sees informed consent as the baseline requirement for carrying out, or sharing data for, intrusive profiling or tracking for marketing or advertising purposes.
In the words of Datatilsynet, Grindr users were "forced" to accept the company's privacy policy lock, stock and barrel. Forced consent does not sound like the freely given, informed and unambiguous consent, with real choice, that the GDPR demands. Furthermore, the information in the policy concerning the sharing of personal data was not properly communicated to users, giving rise to serious concerns over the transparency and clarity of the policy. In short, the DPA found that these conditions run contrary to the GDPR's requirements for valid consent.
The NCC also filed complaints against five of the third-party adtech companies that received data from Grindr: MoPub (owned by Twitter), Xandr (formerly known as AppNexus), OpenX Software, AdColony and Smaato. These cases are ongoing.
Nor is this the first time Grindr has been the source of privacy complaints in Norway. Back in 2018, SINTEF, the Norwegian nonprofit research firm, uncovered that Grindr had shared users' HIV status, an optional field in user profiles, with two third-party companies. Shortly after the report became public, Grindr said it had put an end to the practice. One could reasonably conclude that this type of issue is not new for the company, or for the authorities, for that matter.
I spoke with Eija Warma-Lehtinen, IAPP country leader for the Nordics, who said this is a clear example that DPAs are working hard and using the tools that the GDPR has to offer them. This case is the source of much discussion and will be followed very closely by the whole Nordic privacy community. Warma-Lehtinen added that the proposed fine is very significant and that it will be interesting to see how it plays out, particularly if Grindr decides to appeal. Grindr now has until 15 Feb. to provide comments or remarks on the draft decision.