Grindr has received a whopping €6.3 million fine for, once again, not complying with the General Data Protection Regulation.
In the official complaint against Grindr, the Norwegian Consumer Council stated their concern that the dating platform shared personal data, such as advertising ID, location, IP address, age, and gender, with advertisers without consent. What's worse, the advertisers could freely pass the data along to others.
The investigation findings
After a thorough investigation, the head of the Norwegian Data Protection Authority international department, Tobias Judin, confirmed that Grindr had disclosed user data to third parties for behavioral advertisement without a legal basis.
- Grindr didn't properly explain details about sharing personal data with its advertising partners to its users. In other words, the users weren't aware of what they were consenting to.
The overall verdict was that Grindr had infringed the EU's GDPR, which passed in 2018. As per GDPR, Grindr is a company interacting with EU customers and, as such, must comply with strict privacy and security rules, regardless of the company's headquarters. GDPR also highlighted that Grindr's vague privacy practices could have worldwide implications and, therefore, should be punished with a very high fine.
Grindr received a €6.3 million fine for compromising users' privacy. The initial fine of €9.6 million, or 10% of Grindr's global turnover (suggested in 2020, when the Consumer Council sued Grindr), was reduced due to the efforts Grindr has since invested in improving its consent management. Grindr sharing the actual size of the company and its current financial situation with the GDP also helped the fine reduction.
On the downside, this is not the first time Grindr has infringed a provision of the GDPR, and so the company will remain under close observation. Both users and authorities have lost their trust in the dating app, and it won't be easy for Grindr to recuperate. The Consumer Council has also requested that Grindr erase all the illegally processed information it collected, in order not to process it further. Grindr now has three weeks to submit its appeal against the court's final decision.
Will Grindr keep grinding its users' privacy rights?
Grindr is a dating app for the LGBT population, and so discovering that a person has a registered account is already regarded as sensitive information – indicating that they belong to a sexual minority. Besides, data concerning anyone's sexual orientation is extremely private and therefore calls for careful protection under GDPR. Not to mention the fact that this data can get abused on so many levels.
Not only does Grindr use the super-accurate GPS locator that could allow anybody to find and follow a person, but we've seen in the past how, simply by knowing a user's email address, any threat actor could reset someone's Grindr password and hijack their account. Grindr did make some improvements in both these fields, but the app still has to make many adjustments to prevent its vicious history from repeating itself.
And while this whole Grindr episode is so eerily reminiscent of Netflix's series Clickbait, it serves as another reminder of how important it is to use only trusted apps. If nothing else, next time you're using Grindr, consider what you can do to protect yourself – for example, using a private VPN that will encrypt all your traffic and hide your IP address.