Grindr’s $7M GDPR fine is a stark warning to adtech not to track

Grindr, a hook-up app for gay, bi, trans and queer people, has been fined around $7.1 million (65 million NOK) by Norway’s data protection authority for passing user data to advertisers without consent — including highly sensitive information related to users’ sexual orientation.

Specifically, the DPA found that Grindr breached Articles 6(1) and 9(1) of Europe’s General Data Protection Regulation (GDPR).

The complaint adds to the behavioral advertising industry’s legal woes — which continue to pile up in the region.

The final size of the penalty Grindr has been hit with is a little reduced versus the 100 million NOK/$12.1 million that the gay dating app was facing back in January — when the Datatilsynet issued a preliminary decision on the case.

The authority told TechCrunch the smaller sanction takes account of the company having lower turnover in reality than the “rough estimate” it had relied upon in January when issuing the preliminary fine.

It also said the reduction takes account of measures Grindr implemented since the complaint was filed with the aim of bringing its processing of personal data in line with GDPR’s requirements.

The DPA’s decision notes that the final fine is approximately 32% of the maximum amount possible. And because GDPR allows for fines of up to €20 million or up to 4% of an entity’s total global turnover in the preceding year, whichever is higher, it suggests the U.S.-based app’s annual revenue does not exceed €20 million/$22.5 million.

The DPA describes the size of the fine as “proportionate both to the severity of the infringement and to Grindr’s financial situation”, asserting that it “does not exceed what is necessary to achieve the objectives pursued by the GDPR in the present case”.

The complaint has taken almost a year to arrive at a final decision owing — at least in part — to Grindr requesting extensions to deadlines on a number of occasions.

It’s also worth noting that this investigation was limited to the process Grindr used to obtain consent at the time of the complaint — in 2019 and up to April 2020 (when it switched to a different method).

So the lawfulness of Grindr’s current method for obtaining consent has not been investigated.

While the decision does not include any requirements that Grindr (or its ad partners) delete unlawfully obtained user data, the DPA told us that that could change in future.

It also confirmed that its investigation into Grindr’s ad partners (to which it sent user data) is ongoing.

“Our decision does not include any erasure requirements at this time but we have also made it clear that further decisions may come at a later date if we deem it necessary,” said Tobias Judin, director for international issues at Datatilsynet. “In other words: We are not ruling out any possibilities for further enforcement at this stage.”

“Now that we have a final decision in the Grindr case, this decision will also inform those investigations,” he further confirmed of the ad partner probes. 

The penalty for Grindr tracking users without consent comes at a time when some EU lawmakers continue pressing for a ban on surveillance-based advertising — although a committee vote in the European Parliament this week did not back amending the Digital Services Act to include an outright ban on surveillance-based advertising, as some MEPs have been pressing for.

The committee did back a prohibition on dark patterns to manipulate consent, though. So legal requirements look set to continue to tighten around how adtech can operate in the EU — and reform of manipulative defaults is being enforced.

See also: The U.K. data watchdog’s recent warning to the industry that the end of tracking is nigh.

In a statement welcoming Norway’s GDPR slap-down of Grindr, the deputy DG of the European Consumer Organisation, BEUC, Ursula Pachl, said: “Grindr illegally exploited and shared its users’ information for targeted advertising, including sensitive information about their sexual orientation. It is high time the behavioural advertising industry stops tracking and profiling consumers 24/7. It is a business model which clearly breaches the EU’s data protection rules and harms consumers. Let’s now hope this is the first domino to fall and that authorities start imposing fines on other companies as the infringements identified in this decision are standard surveillance ad-tech industry practices.”

Consent breaches

Datatilsynet opened the investigation into Grindr after receiving complaints from Norway’s Consumer Council (NCC) and the European privacy campaign group noyb, acting on behalf of an individual complainant.

Last year the NCC published an analysis of data flows from a number of popular apps (including Grindr but also a number of others) showing how they share data with “unexpected third parties”, including entities in the behavioral ad industry, to highlight the extent of adtech’s lawfulness problem.

In its response to the data protection watchdog’s investigation, Grindr had claimed it had users’ consent to share their data with its advertising partners — which included Twitter-owned MoPub, Xandr (previously AppNexus), OpenX, AdColony and Smaato.

However, the app did not offer users a free choice over whether to agree to its terms or not. If a Grindr user declined to accept its privacy policy during onboarding, they were unable to proceed to use the app.

And while Grindr went on to change how it gathers consent — implementing a consent management platform provided by the third party OneTrust in April 2020 — as noted above this complaint focuses on how the app was obtaining consent prior to that switch.

The GDPR states that for consent to be a valid legal basis to process personal data it must be informed, specific and freely given (emphasis ours). So the lack of a choice offered to users looks like a very flagrant breach of the rules.

In seeking to avoid a sanction, Grindr also sought to argue that it did not pass information on individual users’ sexuality to advertisers — claiming it only sent generic keywords (such as “gay”, “bi” and “bi-curious”).

This is important because GDPR has specific rules for so-called “special category data” — requiring an even higher bar of explicit consent from a user if that’s the legal basis you’re claiming for processing information such as a person’s sexual orientation.

In reaching its final decision on the complaint, the Datatilsynet concluded that protections contained in Article 9 of the GDPR (which concerns “special category data”) should not be so narrowly interpreted.

“Being a Grindr user strongly indicates, and appears in most cases to accurately reflect, that the data subject belongs to a sexual minority. Furthermore, the fact that a data subject belongs to a sexual minority may lead to prejudice and discrimination even without revealing their specific sexual orientation,” it writes, adding: “The wording of Article 9 does not require a revealing of a particular ‘sexual orientation’, and the purpose behind Article 9 discourages a narrow interpretation.

“For these reasons, we find that information that a data subject is a Grindr user is data ‘concerning’ the data subject’s ‘sexual orientation’.”

Grindr had also sought to suggest that advertisers were unlikely to use special category data for profiling and ad targeting — telling the DPA it would be surprised if that were the case.

Which is — to put it mildly — a surprising argument to try to make, given ample evidence from other GDPR complaints of the highly invasive profiling being carried out by the behavioral ad industry.

Not to mention the fact that a flagship industry framework that’s widely used to claim consent to process people’s data for ad targeting is facing a GDPR breach finding itself. As is the online advertising body that controls it.

In any case, Datatilsynet rejected Grindr’s dodge — pointing out that it’s irrelevant how such sensitive data might be further processed, since — under GDPR — “the sharing of personal data concerning a natural person’s ‘sexual orientation’ to advertising partners is sufficient to trigger Article 9”. (Its decision also makes it explicit that it does “not agree with the claim that a data subject’s ‘sexual orientation’ is not a category of data that could potentially be used by advertisers to target ads”.)

In another attempt to wiggle out of a GDPR slap-down, Grindr had also sought to argue that even if its advertisers — theoretically — received any sensitive personal data, they must “blind” themselves to it, per commitments in its contracts with advertisers.

Moreover it claimed many adtech companies operating in the EU have spent the last decade or so devising so-called “blinding methods” which it said obfuscate which app an ad call is coming from.

“Grindr holds that participants in the ad tech ecosystem would likely only receive a ‘blinded’ app-ID and not the corresponding app name,” the DPA explains in the decision. “According to Grindr, it is a common practice in the EU for ad networks to nullify the app name and use a random App ID in the ad call so that downstream bidders are ‘blind’ to the actual name of the app where the ad is to be served.”

However, once again, the DPA points out this is irrelevant — given sensitive data being passed is enough to trigger Article 9 provisions.

The Datatilsynet’s decision also cites a technical report, by Mnemonic, which showed Grindr’s app name being shared with MoPub — “who further shared this within their mediation network”. And further notes that Mnemonic’s report also showed the app name was shared from Grindr to “multiple other advertising partners”.

As if that wasn’t enough, Datatilsynet further points out that Grindr’s own privacy policy “explicitly states that ‘[o]ur advertising partners are aware that such data is being transmitted from Grindr’.”

So, er… 🥴

(NB: In a further demolition of the self-serving notion of “blinded” app-IDs, the DPA goes on to make the point that even if this were happening as claimed by the adtech industry it still wouldn’t comply with other requirements in the GDPR, noting: “Even if some advertising partners or other participants in the ad tech ecosystem would ‘blind’ themselves or only receive an obfuscated app ID, this is not in line with the principle of accountability in Article 5(2) GDPR. Grindr would have to rely on the action of advertising partners or other participants in the ad tech ecosystem to halt its sharing of the data in question.”)

The DPA’s analysis goes further in unpicking adtech’s obfuscating claims vs what’s really being done with people’s data vs what EU law actually requires. (So it’s well worth reading in full if you’re interested in devilish detail.)

The long and short of it is that Datatilsynet found Grindr did process users’ sexual orientation data, as set out in Article 9(1) — by “sharing personal data on a specific user alongside app name or app ID to advertising partners”.

And while the GDPR can allow consent-based processing of special category data, a higher bar of “explicit” consent is required for that type of processing to be lawful — and the DPA again found that Grindr had not obtained the required legal standard of permission from users.

Its decision further concludes that Grindr users had not “manifestly made public” information about their sexual orientation simply by merit of using the app, as the app had sought to argue (noting, for example, that it allows for an anonymous approach, letting users select a nickname and choose whether or not to upload a selfie).

“At any rate, it goes beyond the reasonable expectations of the data subject that Grindr would disclose information concerning their sexual orientation to advertising partners. Though information about someone merely being a Grindr user must be considered a special category of personal data under Article 9(1), becoming a Grindr user is not an affirmative act by the data subject to make the information public,” Datatilsynet adds.

Grindr has been contacted for comment on the sanction.

Update: The app has now responded — sending a statement attributed to Shane Wiley, its chief privacy officer, who writes:

We strongly disagree with Datatilsynet’s reasoning, which concerns historical consent practices from years ago, not our current consent practices or Privacy Policy. Even though Datatilsynet has lowered the fine compared to their earlier letter, Datatilsynet relies on a series of flawed findings, introduces many untested legal perspectives, and the proposed fine is therefore still entirely out of proportion with those flawed findings.

Grindr has three weeks to lodge an appeal against the decision — if it wishes to do so.

Per Wiley, the company is currently “analyzing” the Datatilsynet’s decision, which he said it had “just” received, adding that it is “considering its options including the right to appeal the findings to the Personvernnemnda (PVN – Appeal Board)”.

In further remarks attributed to Wiley, Grindr added:

Since launching in 2009, Grindr has grown into the preeminent mobile social networking platform for the LGBTQ+ community. We safely connect millions of daily adult users in almost every country in the world and enable them to discover, share, and navigate their community and their world. Protecting our users’ interests and ensuring that we put them in control of their personal data have always been our top priorities. We have also been proactive in adopting industry-leading privacy positions and tools, like detailed consent flows, granular user privacy controls, and ‘just-in-time’ app notifications.

Datatilsynet’s order is careful to specify that there may be additional issues related to Grindr’s prior or current consent mechanism since this investigation was limited to the scope of the complaints which were focused on the lawfulness of its previous consent management platform in the app.

“The fact that potential issues have fallen outside the scope of our investigation does not preclude those issues from being investigated in the future,” its decision notes.

In a statement commenting on the decision, Ala Krinickytė, a data protection lawyer at noyb, described it as “astonishing that the DPA has to convince Grindr that its users are LGBT+ and that this fact is not a commodity to be bartered”.

Krinickytė further summarized the Datatilsynet order thusly: “You cannot share personal data with a potentially unlimited number of partners without being able to control what happens to that data.”

And that is really the crux of the problem for surveillance-based advertising which relies upon pervasive tracking of Internet users to individually target marketing.

Even setting aside the existential problem of a lack of consent for tracking, the adtech industry does not have processes in place to control what happens to data once it’s grabbed and “shared” with scores of faceless adtech entities involved in the high velocity programmatic auction process known as real-time bidding (RTB).

GDPR complaints targeting RTB’s failure to adequately protect people’s data have been sitting, unenforced, on EU regulators’ desks for years — but there are signs that the enforcement blockage is starting to shift, not least as a result of smart, smaller-scale actions such as Norway going after Grindr.

The web of adtech data flows is such a tangled one that even a relative bit player can draw in and implicate scores of others.

The adtech industry’s workaround for people’s general distaste at being stalked and creeped on through their devices and digital activity, meanwhile, has been to not actually ask for permission to track and profile them in the first place.

But — in Europe at least — that mocking “consent” pantomime is finally headed for its end-game.

Whether the alternative targeting processes the industry devises will be just as cynical, manipulative and exploitative as what they’ve been doing for the past decade+ will largely depend upon regulators and lawmakers driving proper oversight of a sector that’s been allowed to flourish in the dark, rife with dark patterns and defined by its dark arts.

One negative signal is how the IAB Europe continues to try to confuse the issue by conflating ad targeting with invasive tracking — in a bid to lobby MEPs not to outlaw surveillance-based adtech.

In reality, privacy-safe targeting alternatives already exist (such as contextual ads) and have been profitable for years for companies like DuckDuckGo.

The behavioral advertising industry’s lawfulness problem is in fact directly chainlinked to its mass surveillance of Internet users.

Commenting on the Datatilsynet’s decision against Grindr in a statement, Finn Myrstad, director of digital policy in the NCC, warned: “This sends a strong signal to all companies involved in commercial surveillance. There are serious repercussions to sharing personal data without a legal basis. We call for the digital advertising industry to make fundamental changes to respect consumers’ rights.”

NB: While Norway is not an EU Member, it is part of the European Economic Area and it transposed the GDPR into national law in 2018. Additionally, Grindr being a US company without a defined legal entity in the EU opens its business to regulatory oversight by DPAs in any part of the bloc that have concerns (and where it offers a service), rather than oversight being funnelled via gatekeepers like Ireland’s Data Protection Commission, as has happened with complaints against Google’s adtech, for example.