Grindr Slapped with Record £8.5 Million Fine for Selling User Data
Grindr has been fined £8.5 million for illegally selling user data, including tracking codes and precise locations, in a serious violation of European privacy law.
The Norwegian Data Protection Authority revealed on Monday (25 January) that the global hook-up app had shared users’ private details with at least five advertisers, including Twitter’s own advertising platform, which may in turn share data with more than 100 partners.
The app had illegally transmitted users’ IP address, advertising ID, GPS location, age and gender, essentially tagging individuals as LGBT+ without obtaining their explicit consent.
The fine of 100 million Norwegian kroner (£8.5m or $11.7m US) is the highest ever issued by the authority and amounts to around 10 per cent of Grindr’s estimated global annual revenue, reflecting the “very severe” nature of the breach.
The agency notes that, as the world’s most popular gay dating app, Grindr is active in nearly every country in the world; the privacy violation could have put users at serious risk in countries like Qatar and Pakistan, where homosexuality is criminalised.
“If someone finds out that they are gay and knows their movements, they may be harmed,” said Tobias Judin, head of the Norwegian Data Protection Authority’s international department.
“We’re trying to make these apps and services understand that this approach – not informing users, not gaining a valid consent to share their data – is completely unacceptable.”
In a statement to the New York Times, a spokesperson for Grindr said the company had obtained “valid legal consent from all” of its users in Europe on multiple occasions and was confident that its “approach to user privacy is first in class” among social apps.
“We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority,” they added.
Grindr has until 15 February to officially respond to the ruling, after which the Data Protection Authority will make its final decision in the case.