Cordery

Legal.Compliance.

Client Alert: Norwegian DPA to fine Grindr for sharing sensitive information without consent

At the end of last month The Norwegian Data Protection Authority, Datatilsynet, notified dating app Grindr LLC (Grindr) of its intention to fine the company NOK 100 000 000 (around €10 million) for unlawfully sharing highly sensitive information and, in particular, for not complying with the GDPR rules on consent.

The notice came off the back of complaints from the Norwegian Consumer Council (NCC) and European privacy activists NOYB against Grindr and several adtech companies relating to unlawful sharing of users’ data with third parties for marketing purposes. NOYB was founded by privacy campaigner Max Schrems who serves as its Honorary Chairman. The decision relates to the free version of the Grindr app. The data shared included GPS location, user profile data, and the fact that the user is on Grindr. Grindr is a location-based social networking app which calls itself “the world’s largest social networking app for gay, bi, trans, and queer people”.

Why was the fine notice issued?

The main grounds for ordering the high fine were that:

  1. Users were not able to exercise real and effective control over the sharing of their data.
  2. Generally, consent is needed for intrusive profiling and tracking for marketing or advertising.
  3. Grindr needed consent here, particularly as a commercial app wishing to share data concerning users’ sexual orientation. The fact that someone is a Grindr user reveals information about their sexual orientation – this is special category data that requires special protection and “explicit consent” would be the appropriate condition for sharing that data.
  4. Grindr’s consents were invalid under GDPR, in particular because users were:
    1. pressured into giving consent – to use the app, users were forced to give a general consent to the privacy policy as a whole
    2. not given granular enough choices as to what they were consenting to – in particular, they were not asked specifically if they wanted to consent to the sharing of their data with third parties, and
    3. not properly informed about what they were agreeing to in terms of that sharing,
  5. Grindr’s sharing of special category data with an unknown number of third parties, without adequate transparency, was not what users would reasonably anticipate in the context of an app that is presented as a safe space and where many users may want to exercise discretion.

The proposed fine was calculated on the basis of this being approximately 10% of the company’s turnover. The Norwegian DPA’s decision will not be finalised until after Grindr has had the chance to comment on the DPA’s findings. The deadline for comment has now passed but the Norwegian DPA has not yet published any response it has received.

The NCC also filed complaints against a number of the third parties receiving data from Grindr: MoPub (owned by Twitter Inc.), Xandr Inc. (formerly AppNexus Inc.), OpenX Software Ltd., AdColony Inc., and Smaato Inc. These cases are still open.

The lack of consent for some services has been a clear focus of the work of both Mr. Schrems and NOYB. He talked about that in some length when he was interviewed in 2016 about the future of data protection. You can read a report of that interview here https://www.corderycompliance.com/interview-with-max-schrems/.

The investigation relates to the period from when GDPR came into force in 2018 until the time when Grindr changed its policy on consent in April 2020. The Norwegian DPA has not ruled out a further investigation into its privacy practices since that date.

How is the EDPB involved in this case?

Norway is not in the EU but is part of the EEA (more details here www.bit.ly/gdprwords). Norway has participated in meetings of the European Data Protection Board by virtue of the EEA agreement from 20 July 2018. Whilst it can participate in EDPB proceedings there are some limits on its participation.

What else is happening in ad tech?

In the meantime, the UK ICO’s investigation into real-time bidding (RTB) and ad tech has been rebooted after several months’ hiatus. This will focus on similar issues to those mentioned above. In particular, the ICO’s Deputy Commissioner has said:

“The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now. Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data. Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.”

What should businesses take from this?

When processing personal data, businesses should ensure that they:

  1. are transparent about how they are using people’s data by including clear information in privacy notices – recent decisions and news (e.g. WhatsApp’s proposed changes to its terms) have shown that not being upfront with users or treating them unfairly can damage trust
  2. assess the correct lawful basis for processing data – if consent, this will need to meet the GDPR conditions for valid consent (i.e. freely given, specific, informed and unambiguous and require a positive action to opt in; unbundled from other terms and conditions, concise and easy to understand, and user-friendly)
  3. implement special protections for special category data / vulnerable users, and
  4. impose proper technical controls over data sharing.

Further reading:

https://www.datatilsynet.no/en/news/2021/intention-to-issue–10-million-fine-to-grindr-llc2/

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/01/adtech-investigation-resumes/

More information

Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes template processes and procedures to deal with data right requests and short films and other guidance. You can find out more about GDPR Navigator at www.bit.ly/gdprnav

We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/

For more information please contact Katherine Eyres or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong

Cordery,

Lexis House,

30   Farringdon Street,

London EC4A 4HH

Katherine Eyres

Cordery,

Lexis House,

30 Farringdon Street,

London EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)20 7075 1786
jonathan.armstrong katherine.eyres

Image courtesy of https://www.visitoslo.com/en/

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.