Dating app Grindr is facing a more than US$10 million-fine in Norway for sharing with advertisers deeply personal user information, without users’ consent. The data shared included users’ locations and dating profiles. The manner in which such data was shared for marketing, tracking, and behavioral profiling purposes, the Norwegian Consumer Council (NCC) outlined in a report released last year, was “out of control,” and was done in violation of European privacy laws.
Since the release of the report, Grindr has responded with changes in their privacy and consent policies, which the Norwegian Data Protection Authority says “has not mitigated our concerns regarding the lawfulness of Grindr’s personal data sharing with advertising partners,” they told the dating app in a recent notice. In response, the authority has decided to take action against Grindr. The company is required to submit comments by February 15, which is when the authority will announce a final penalty.
“Grindr markets itself as the world’s largest social networking app for gay, bi, trans, and queer people,” the authority writes in the notice issued to Grindr, but does not “take adequate responsibility as a controller of any personal data collected and shared through its services.”
First, the app states it does “not control the use of these tracking technologies,” and instead asks users to go read the privacy policies of the third parties with whom Grindr shares data, such as Twitter’s MoPub, Xandr, OpenX Software Ltd., AdColony Inc., and Smaato Inc. The authority expresses concerns over any individual user’s ability to track down and understand the privacy policies of such third-party companies with whom they have no interaction.
Related on The Swaddle:
Racism On Dating Apps Institutes Feelings of Shame, Guilt Among Gay Men of Color
Second, “Grindr’s previous consent mechanism did not allow for separate consents to be given to different purposes or processing operations,” meaning the app bundled its consent questions. This forced the user to consent to the whole privacy policy, including terms of use and sharing of data, without the option to proceed without disagreeing with the entire policy presented to them. “Gaining access to the Grindr services within the free version of the app seemed dependent on consenting to sharing personal data for marketing purposes,” the notice says, essentially forcing users to “take it or leave it,” data protection lawyer Ala Krinickytė tells The Guardian. This, Krinickytė adds, is not consent.
And third, Grindr’s current practices can put on a target on their users’ backs, putting them in danger. In sharing user profiles with advertisers, the notice says, “Grindr discloses information about the data subject and that he or she belongs to a sexual minority.” And as long as discrimination against sexual minorities is a given in most countries around the world, Grindr’s policy “could put the data subject’s fundamental rights and freedoms at risk.” We already see this happening around the world, including in India — people are using Grindr to lure gay men for sex and extort them; racketeers are using the app to blackmail corporate CEOs; even governments are using the app to arrest gay men for “debauchery.” In a climate that is especially dangerous for queer people, an app that promises connection to them also needs to prioritize their safety, a commitment that Norwegian authorities have found severely lacking in Grindr’s ethos.
In welcoming the current fine, NCC’s director of digital policy, Finn Myrstad, tells the AP, “We hope that this marks the starting point for many similar decisions against companies that engage in buying and selling personal data.”
