The Norwegian Data Protection Authority (DPA) recently notified the dating app Grindr of its intention to impose a fine of NOK 100 million ($11.7 million) for violating some of the General Data Protection Regulation (GDPR) privacy rules.
This fine would amount to roughly 10% of the company's global revenue. The GDPR allows for a maximum fine of 4% of global "turnover" or €20 million, whichever is greater.
EU says Grindr violated GDPR consumer privacy laws
The fine stems from a complaint originally filed last year.
The Norwegian Consumer Council (NCC) found that Grindr allowed "...unlawful sharing of personal data with third parties for marketing purposes."
This data included GPS location, user profile data, and the fact that the user is on Grindr.
Also, Grindr bills itself as an "App for gay, bi, trans, and queer people." NCC regulators therefore believe that the fact that someone is a Grindr user speaks to their sexual orientation, constituting special category data that merits particular protection.
Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority, said:
"The Norwegian Data Protection Authority considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.
Grindr is seen as a safe space, and many users wish to be discreet. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away."
If Grindr is fined the proposed 10% of its annual revenue, it would be the largest fine in the history of the Norwegian DPA.