Grindr, LLC – €8,700,000 Fine (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway fined Grindr EUR 8.7 million for sharing users' sensitive data with advertisers without proper consent. This case highlights the importance of getting clear permission before using personal data, especially sensitive information like location. Businesses should ensure their consent processes meet GDPR standards to avoid hefty fines.
What happened
Grindr shared users' sensitive personal data with advertisers without obtaining valid consent.
Who was affected
Users of the Grindr app, whose sensitive personal data, including location, was shared with advertisers.
What the authority found
The Norwegian authority found Grindr lacked a valid legal basis for sharing personal data, as their consent process did not meet GDPR requirements.
Why this matters
This case underscores the need for companies to have robust consent mechanisms, especially when dealing with sensitive data. It serves as a warning that failing to meet GDPR standards can lead to significant fines.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In January 2020, the Norwegian Consumer Council (Forbrukerrådet) and NOYB filed three complaints against the gay/bi dating app Grindr and five adtech companies for personal data Grindr were disclosing through their app with the aforementioned third party advertisers (Twitter`s MoPub, AT&T’s AppNexus (now Xandr), OpenX, AdColony, and Smaato). In particular, they highlighted the amount of sensitive personal data shared by such tech and adtech companies, including exact location, which is highly problematic in several countries and poses a real threat to the fundamental rights and freedoms of individuals. Grindr alleged that they had valid consent for their processing of personal data and special category personal data, including disclosure to third parties. The company further held that they had legal grounds for processing special category personal data as per Article 9(2)(e), as Grindr users "manifestly" had made their use of the app public, simply by using it. The DPA conducted a thorough analysis on the matter, specifically concerning the fundamental requirements for valid consent, i.e. a consent must be freely given, specific, informed and unambiguous. Their analysis demonstrated that Grindr, in fact, were in breach of all consent requirements as per the GDPR. Did Grindr have legal grounds for disclosing personal data to third party advertisers? Did their alleged consents meet the standards of the GDPR? The DPA held that Grindr's alleged legal grounds, namely consent as per Article 6(1)(a) and explicit consent as per Article 9(2)(a), did not meet the requirements as per the GDPR. Further, they found that Article 9(2)(e) was not a relevant legal ground, as it couldn't be demonstrated that Grindr users "manifestly" made their use of the app public. Thus, Grindr did not fulfill one of the exceptions in Article 9(2)(e). Consequently, the DPA held that Grindr did not have a legal basis under Article 6(1) for disclosing personal data to third party advertiserts, an
Related Enforcement Actions (0)
No other enforcement actions found for Grindr, LLC in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
24 January 2021
Authority
Datatilsynet (Norway)
Fine Amount
€8,700,000
100,000,000 NOK
GDPRhub ID
gdprhub-3097About this data
Cite as: Cookie Fines. Grindr, LLC - Norway (2021). Retrieved from cookiefines.eu
Last updated: