Location-based social networking and online dating application, Grindr, designed uniquely for the LGBTQ community has been fined €6.5m (£5.5m) for selling user data to advertisers.
The Norwegian Data Protection Authority while reacting to the violation stated that sharing such data without seeking authorization broke the General Data Protection Regulation (GDPR) rules.
Initially, Grindr was hit with a fine of £8.6m but after the company provided details about its financial situation and made changes to its app, the fine was reduced.
Tobias Judin, head of the Norwegian Data Protection Authority’s (DPA) international department said, “Our conclusion is that Grindr has disclosed user data to third parties for behavioural advertisement without a legal basis.”
The Norwegian DPA launched an investigation off the strength of a complaint from the Norwegian Consumer Council.
This is the largest fine the Norwegian DPA has issued and it has acted in such a manner because it considers the breach to be “grave.”
Some of the data which the app has been found out to have shared include GPS location, IP address, advertising ID, age, gender, and the fact that the user was on Grindr.
The DPA noted that this particular was intrusive because data about a person’s sexual orientation constitutes special category data that merits particular protection under GDPR rules.
It also revealed that users were compelled to the privacy policy without being asked specifically if they wanted to consent to the sharing of their data for behavioural advertisements.
The regulator also said that it is not sure if the current changes about the consent mechanism made by Grindr on its app are in compliance with GDPR and could go hard to order the company to wipe off the illegally processed personal data. Grindr has been given 3 weeks to appeal.
