Grindr, the popular gay dating app, is facing a multi-million dollar fine by Norwegian regulators over alleged data sharing violations.
On Tuesday, the Norwegian Data Protection Authority said in a statement that it has notified makers of the app that it intends to issue “an administrative fine of 100 million Norwegian krone ($11.7 million)” over the company’s failure to comply with EU’s General Data Protection Regulations (GDPR).
“Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis,” said Bj 1/4 u00f8rn Erik Thon, the head of the agency.
Earlier this year the Norwegian Consumer Council filed a complaint against the company “claiming unlawful sharing of personal data with third parties for marketing purposes,” the agency said in a statement.
The data shared include GPS location, user profile data, and the fact that the user in question is on the “location-based social networking app for gay, bi, trans, and queer people,” as described by the agency.
According to Thon, an investigation that focused on the app’s consent mechanism found that users of the app weren’t able to exercise real and effective control over the sharing of their personal data.
The agency accuses Grindr of sharing personal data of users of the free version of the app with an “unknown number of third parties” without their knowledge or consent.
“Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law,” Thon said.
The agency adds that the fact that someone is a Grindr user also speaks to their sexual orientation, and “therefore this constitutes special category data that merit particular protection.”
“We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR. Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully,” Thon said.
“An important objective of the GDPR is precisely to prevent take-it-or-leave-it ‘consents’. It is imperative that such practices cease,” he added.
If finalized, the fine — which would constitute approximately 10% of the company’s annual revenue — would be the largest-ever penalty handed out by the agency.
On Monday, Shane Wiley, Grindr’s chief privacy officer, stressed in bold type in a blog post that “there is nothing from within a user’s Grindr account details that is shared with an ad partner. Full Stop.”
It’s unclear if Wiley was referring to the announcement made by Norwegian regulators, but he added that, “We care deeply about the privacy of our users, and we approach advertising policy globally so any Grindr user across the planet can rest assured that the details above are the same for them.”
“I hope this clears up some of the misconceptions and misreporting around how Grindr approaches ads on our platforms,” he wrote.
Grindr has until Feb. 15 to respond to the allegations.
The agency will make its final decision “once we have assessed any remarks the company may have.”