Dating app Grindr faces large GDPR fine following consumer group’s EU-wide action against ad-tech industry

PRESS RELEASE - 26.01.2021

The Norwegian data protection authority’s announcement today that it intends to fine the dating app Grindr close to €10 million for breaching the EU’s data protection law (GDPR) is an important step to stop the pervasive and illegal exploitation of consumers’ data by online advertising companies.

 

The draft decision [1] against Grindr was triggered by a from Norwegian consumer group Forbrukerrådet [2] in January 2020, which filed GDPR complaints against Grindr and five ad-tech companies [3]. Ten other consumer groups from the BEUC network [4] notified their respective national data protection authorities to investigate systemic GDPR breaches in the ad-tech sector.

BEUC strongly welcomes the Norwegian data protection authority’s (DPA) decision, which found that Grindr did not have a valid legal basis to collect and disclose users’ personal data, including sensitive data related to sexual preferences, to third party advertisers. The decision underlines that consent is necessary to process data for behavioural advertising purposes. Such consent must be informed, freely given, specific and unambiguous, requirements which were not met in this case. The DPA also clearly said that companies which collect personal data and share it with third parties must be accountable for what happens with the data afterwards.

Following the Norwegian DPA’s draft decision, BEUC calls on the EU’s data protection authorities to ensure Grindr’s practices comply with the GDPR in all countries. They must also take action to ensure the compliance of the ad-tech industry’s practices with the GDPR.

Monique Goyens, Director General of The European Consumer Organisation, commented:

“This is excellent news and sends a clear signal that it’s illegal to monitor consumers 24/7, without their consent, to collect and share their data. The GDPR does have teeth and consumer groups stand ready to act against those who break the law.

“We commend the Norwegian data protection authority for acting swiftly. It is reassuring that GDPR complaints do not have to linger on for years.

“Too many apps gather and share too much personal data with too many third parties for commercial purposes based on the same flimsy grounds and with no control. This move by the Norwegian authority will reverberate across the entire ad-tech industry – and hopefully bring some change.”

Finn Myrstad, director of digital policy in the Norwegian Consumer Council (Forbrukerrådet) said:

“This is a milestone in the ongoing work to ensure that consumers' privacy is protected online. The Data Protection Authority is clearly establishing that it is unacceptable for companies to collect and share personal data at their own behest.”

END


[1] Grindr has been given the opportunity to comment on the Norwegian DPA’s findings until 15 February.
[2] Consumentenbond (NL), EKPIZO (EL), Fédération Romande des Consommateurs (CH), KEPKA (EL), Sveriges Konsumenter (SE), Forbrugerrådet Tænk (DK), UFC-Que Choisir (FR), Verein für Konsumenteninformation (AT), Which? (UK) and Zveza Potrošnikov Slovenije (SI).
[3] The five adtech companies in question are MoPub (Twitter), AppNexus (AT&T), OpenX, AdColony and Smaato.
[4] Ad-tech companies, in most cases without people’s knowledge or any option to oppose the practice, hoover up often sensitive personal information when consumers use online devices. The research which triggered this action has shown how Grindr and the ad-tech industry snatch information about our health, sexual orientation and interests. Consumers are targeted with advertisements based on what this snooping around reveals of us – or worse suffer from discrimination if used for wrong purposes.