Grindr LLC – €6,300,000 Fine (Norway, 2021)

The Norwegian DPA has fined Grindr LLC EUR 6.3 million. Grindr is a location-based social networking app designed for gay, bi, trans and queer people. In 2020, the Norwegian Consumer Protection Authority filed a complaint against Grindr with the Norwegian DPA, alleging that the portal had shared information about users' GPS location, IP address, cell phone advertising ID, age and gender with several third parties for marketing purposes. Under GDPR, consent is required for the sharing of this personal data. However, during its investigation, the DPA found that the consent collected by Grindr was not valid. Users had to accept the privacy policy in order to use the app, but were not explicitly asked whether they would consent to their data being shared with third parties for marketing purposes. In addition, the information about the disclosure of personal data was not clear or accessible enough for users. The DPA points out that this type of data may identify a Grindr user as a member of a sexual minority. Grindr users would sometimes want to use the app anonymously without, for example, giving their full name or uploading a photo of themselves. With the sexual orientation of the users, a special category of personal data, which is subject to a particularly high level of protection, was therefore also affected. The DPA therefore considers the infringement to be a particularly serious case that justifies a deterrent high fine. Business models based on behavior-based marketing are widespread in the digital economy, making it important that the fines for GDPR violations are deterrent. ---UPDATE--- The Norwegian Court of Appeal upheld the decision of the DPA to issue the fine.