In the “Advance notification of an administrative fine,” the Norwegian Data Protection Authority (NDPA, also known as Datatilsynet) explained that it is proposing to fine Grindr for
- having disclosed personal data to third party advertisers without a legal basis, which constitutes a violation of Article 6(1) GDPR; and
- having disclosed special category personal data to third party advertisers without a valid exemption from the prohibition in Article 9(1) GDPR.
The NDPA explained that it opened the investigation upon receipt of a complaint and limited its investigation to the issue of consent. Consequently, the NDPA reserves the right to investigate any related GDPR violations:
Although we have chosen to focus our investigation on the legitimacy of the previous consents in the Grindr application (“app”), there might be additional issues regarding e.g. data minimization in the previous and/or in the current consent mechanism platform. We have limited our investigation to the scope of the complaints. As described below, the complaints addressed concerns regarding the previous consents in the app. The fact that some issues have fallen outside the scope of our investigation does not preclude those issues from being addressed in the future. Grindr must make sure that all processing of personal data on its users in the EEA is compliant with the GDPR at all times. We may decide to investigate additional issues later on, following individual complaints or ex officio, see the tasks and powers of the supervisory authorities laid down in Articles 57 and 58 GDPR.
The NDPA explained in its press release:
In 2020, the Norwegian Consumer Council filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared include GPS location, user profile data, and the fact that the user in question is on Grindr.
As it turns out, the Norwegian Consumer Council (NCC) was working with none of your business (noyb), the organization started by Austrian privacy advocate Maximilian Schrems. The NCC and noyb filed three complaints with the NDPA and explained in their cover letter:
- ALL complaints: include the description of data transmissions between the Grindr app and third party advertisers.
- Complaint 1 describes the data sharing from the Grindr app with third parties using Twitter’s MoPub as a mediation partner. The categories of personal data being transmitted are similar, with small exceptions like AppNexus receiving the IP address and OpenX receiving keywords.
- Complaint 2 describes the direct transmissions from the Grindr app to AdColony. The categories of personal data being shared are similar to the ones in Complaint 1, with addition of e.g. user’s permission settings, Grindr User ID and the indication of “explicit consent”.
- Complaint 3 describes the direct transmissions from the Grindr app to Smaato. The categories of personal data being shared are similar to the ones in Complaint 1, with addition of e.g. user’s permission settings and the consent string.
NCC and noyb added:
ALL complaints: the subject matter of all the three complaints is unlawful sharing of user’s personal data between the respective controllers. The Respondents do not have valid consent for the processing of special category data of the Complainant. At the same time, reliance on the legitimate interests by such controllers as AppNexus (Complaint 1), AdColony (Complaint 2) and Smaato (Complaint 3) for the processing activities in question is not possible under the GDPR framework.
In its lengthy assessment of whether Grindr met the GDPR’s consent requirements for the sharing of personal data with third parties, the NDPA concluded: “Grindr failed to comply with Article 6(1) when disclosing personal data of its users with third party advertisers.” The NDPA also found that Grindr failed to make the case that it qualified for one of the exceptions under Article 9 for sharing a special category of data: the NDPA “concluded that Grindr breached the prohibition in Article 9(1) when Grindr disclosed personal data linked with the app name or the keywords ‘gay, bi, trans and queer’ to advertising partners.”
In calculating the appropriate fine, the NDPA looked at a range of factors, including but not limited to:
- Grindr has processed personal data illegally when it disclosed personal data about its users with a number of recipients. These recipients may have subsequently disclosed the data to other recipients. Grindr disclosed the data to Twitter MoPub’s SDK, and Twitter MoPub lists more than 160 partners. This means that over 160 partners could access personal data from Grindr without a legal basis. We consider that the scope of the infringements adds to the gravity of them.
- It seems clear that Grindr intended to use its previous consent mechanism and maintains that the consents were valid and in accordance with the GDPR. Our assessment shows that the consent mechanism clearly did not meet the applicable GDPR requirements. In our view, the inadequacy of the consent mechanism should have been clear to Grindr.
- Tech companies such as Grindr process personal data of data subjects on a large scale. The Grindr app collected personal data from thousands of data subjects in Norway, and it shared data on their sexual orientation. This enhances Grindr’s responsibility to exercise processing with conscience and due knowledge of the requirements for the application of the legal basis on which it relies upon.
- We do find it aggravating that Grindr must have gained financial benefits from the infringements. Grindr users who did not want (or did not have the opportunity) to enroll in the paid version, had their personal data shared and re-shared with a potentially vast amount of advertisers without a legal basis, while Grindr and advertising partners presumably profited.
In calculating the size of the fine, the NDPA assessed Grindr’s annual worldwide turnover at about $100 million and concluded that a €9,600,000 fine is appropriate, given that the GDPR allows for the imposition of a €20 million fine or one that is 4% of annual worldwide turnover, whichever is higher.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.