Grindr’s $7M GDPR fine is a stark warning to adtech not to track

Natasha Lomas
Grindr, a hook-up app for gay, bi, trans and queer people, has been fined around $7.1 million (65M NOK) by Norway’s data protection authority for passing user data to advertisers without consent — including highly sensitive information related to users’ sexual orientation.

Specifically, the DPA found that Grindr breached Articles 6(1) and 9(1) of Europe’s General Data Protection Regulation (GDPR).

The complaint adds to the behavioral advertising industry’s legal woes — which continue to pile up in the region.


The final size of the penalty Grindr has been hit with is a little reduced vs the 100M NOK/$12.1M that the gay dating app was facing back in January — when the Datatilsynet issued a preliminary decision on the case.

The authority told TechCrunch the smaller sanction takes account of the company having lower turnover in reality than the “rough estimate” it had relied upon in January when issuing the preliminary fine.

It also said the reduction takes account of measures Grindr implemented since the complaint was filed with the aim of bringing its processing of personal data in line with GDPR’s requirements.

The DPA’s decision notes that the final fine is approximately 32% of the maximum amount possible. And since GDPR allows for fines of up to €20M or up to 4% of an entity’s total global turnover in the preceding year, whichever is higher, it suggests the US-based app’s annual revenue does not exceed €20M/$22.5M.


The DPA describes the size of the fine as “proportionate both to the severity of the infringement and to Grindr’s financial situation”, asserting that it “does not exceed what is necessary to achieve the objectives pursued by the GDPR in the present case”.

The complaint has taken almost a year to arrive at a final decision owing — at least in part — to Grindr requesting extensions to deadlines on a number of occasions.

It’s also worth noting that this investigation was limited to the process Grindr used to obtain consent at the time of the complaint — in 2019 and up to April 2020 (when it switched to a different method).

So the lawfulness of Grindr’s current method for obtaining consent has not been investigated.

While the decision does not include any requirement that Grindr (or its ad partners) delete unlawfully obtained user data, the DPA told us that could change in future.

It also confirmed that its investigation against Grindr’s ad partners (who it sent user data to) is ongoing.

“Our decision does not include any erasure requirements at this time but we have also made it clear that further decisions may come at a later date if we deem it necessary,” said Tobias Judin, director for international issues at Datatilsynet. “In other words: We are not ruling out any possibilities for further enforcement at this stage.”

“Now that we have a final decision in the Grindr case, this decision will also inform those investigations,” he further confirmed of the ad partner probes.

The penalty for Grindr tracking users without consent comes at a time when some EU lawmakers continue pressing for a ban on surveillance-based advertising — although a committee vote in the European Parliament this week did not back amending the Digital Services Act to include an outright ban on surveillance-based advertising, as some MEPs have been pressing for.

The committee did back a prohibition on dark patterns to manipulate consent, though. So legal requirements look set to continue to tighten around how adtech can operate in the EU — and reform of manipulative defaults is being enforced.

See also: The UK data watchdog’s recent warning to the industry that the end of tracking is nigh.

In a statement welcoming Norway’s GDPR slap-down of Grindr, the deputy DG of the European Consumer Organisation, BEUC, Ursula Pachl, said: “Grindr illegally exploited and shared its users’ information for targeted advertising, including sensitive information about their sexual orientation. It is high time the behavioural advertising industry stops tracking and profiling consumers 24/7. It is a business model which clearly breaches the EU’s data protection rules and harms consumers. Let’s now hope this is the first domino to fall and that authorities start imposing fines on other companies as the infringements identified in this decision are standard surveillance ad-tech industry practices.”


Consent breaches


Datatilsynet opened the investigation into Grindr after receiving complaints from Norway’s Consumer Council (NCC) and the European privacy campaign group noyb, acting on behalf of an individual complainant.

Last year the NCC published an analysis of data flows from a number of popular apps (including Grindr but also a number of others) showing how they share data with “unexpected third parties”, including entities in the behavioral ad industry, to highlight the extent of adtech’s lawfulness problem.

In its response to the data protection watchdog’s investigation, Grindr had claimed it had users’ consent to share their data with its advertising partners — which included Twitter-owned MoPub, Xandr (previously AppNexus), OpenX, AdColony and Smaato.

However, the app did not offer users a free choice over whether to agree to its terms or not. If a Grindr user declined to accept its privacy policy during onboarding, they were unable to proceed to use the app.

And while Grindr went on to change how it gathers consent — implementing a consent management platform provided by the third party OneTrust in April 2020 — as noted above this complaint focuses on how the app was obtaining consent prior to that switch.

The GDPR states that for consent to be a valid legal basis to process personal data it must be informed, specific and freely given (emphasis ours). So the lack of a choice offered to users looks like a very flagrant breach of the rules.

In seeking to avoid a sanction, Grindr also sought to argue that it did not pass information on individual users’ sexuality to advertisers — claiming it only sent generic keywords (such as “gay”, “bi” and “bi-curious”).

This is important because GDPR has specific rules for so-called “special category data” — requiring an even higher bar of explicit consent from a user if that’s the legal basis you’re claiming for processing information such as a person’s sexual orientation.

In reaching its final decision on the complaint, the Datatilsynet concluded that protections contained in Article 9 of the GDPR (which concerns “special category data”) should not be so narrowly interpreted.

“Being a Grindr user strongly indicates, and appears in most cases to accurately reflect, that the data subject belongs to a sexual minority. Furthermore, the fact that a data subject belongs to a sexual minority may lead to prejudice and discrimination even without revealing their specific sexual orientation,” it writes, adding: “The wording of Article 9 does not require a revealing of a particular ‘sexual orientation’, and the purpose behind Article 9 discourages a narrow interpretation.

“For these reasons, we find that information that a data subject is a Grindr user is data ‘concerning’ the data subject’s ‘sexual orientation’.”

Grindr had also sought to suggest that advertisers were unlikely to use special category data for profiling and ad targeting — telling the DPA it would be surprised if that were the case.

Which is — to put it mildly — a surprising argument to try to make, given ample evidence from other GDPR complaints of the highly invasive profiling being carried out by the behavioral ad industry.

Not to mention the fact that a flagship industry framework that’s widely used to claim consent to process people’s data for ad targeting is facing a finding of unlawfulness itself. As is the online advertising body that controls it.



In any case, Datatilsynet rejected Grindr’s dodge — pointing out that it’s irrelevant how such sensitive data might be further processed, since — under GDPR — “the sharing of personal data concerning a natural person’s ‘sexual orientation’ to advertising partners is sufficient to trigger Article 9”. (Its decision also makes it explicit that it does “not agree with the claim that a data subject’s ‘sexual orientation’ is not a category of data that could potentially be used by advertisers to target ads”.)

In another attempt to wiggle out of a GDPR slap-down, Grindr had also sought to argue that even if its advertisers — theoretically — received any sensitive personal data, they must “blind” themselves to it, per commitments in its contracts with advertisers.

Moreover it claimed many adtech companies operating in the EU have spent the last decade or so devising so-called...