Grindr preliminarily fined for 100 million NOK for consent solution Summary The decision of the Norwegian Data The Norwegian Consumer Ombudsman complained to Protection Authority the Norwegian Data Protection Authority (DPA) about In the preliminary decision, the Norwegian DPA fined Grindr LLC’s (’Grindr’) processing of users’ personal Grindr 100 million NOK for having: data, including, for example, information on users’ • Shared personal data with third-party advertisers sexuality and location. The Ombudsman’s complaint without a legal basis for the processing (GDPR, centered on Grindr’s consent solution and the fact Article 6(1)). that the user’s personal data was shared with a large number of third-party advertisers, which was not clear • Shared personal data with third-party advertisers to the user. without a valid exception (GDPR, Article 9(1)). Grindr is the world’s largest social media platform for Our remarks people in the LGTBQ+ community, with 13.7 million users The consent solution worldwide and approximately 17 thousand users in Norway. • If consent is to be used as a basis for processing, it Grindr’s consent solution worked in such a way that is important to observe the requirements for valid the user was first presented with Grindr’s entire privacy consent, including that it constitutes a freely given, policy, after which the user could choose whether to specific, informed, and unambiguous indication of continue. Next, the user was asked if he or she wanted the data subject’s wishes. To fulfill the ”informed” to accept the data processing by clicking ”accept”. criterion, the data subject must be adequately Users could avoid having their personal data shared informed of the processing purposes pursued and with third-party advertisers if they upgraded their the activities carried out. This is achieved in the accounts and paid a monthly fee. following ways: ° The data subject separately gives consent for each Grindr’s defense in the case was that the company processing purpose. In this case, the user consented could not be held responsible for the consent standards to several different processing purposes with one that had just been published by the European Data click. Protection Board. In response, the Norwegian DPA ° The information provided to the data subject is stated that Grindr’s consent solution had been illegal presented clearly and concisely. In this case, the since the implementation of the GDPR in 2018 and that user was presented with the entire privacy policy at the rules on consent as a basis for processing ordinary once, where Grindr should have highlighted essential personal data had not been substantially changed information such as whom the personal data was since the 1995 Data Protection Directive. shared with. The above resulted in a preliminary decision, to which ° The data subject must not be harmed by not giving Grindr could make their final submissions before the consent or by withdrawing consent. In this case, the Norwegian DPA issued a final decision. user could pay NOK 3,240 per year to use the app without the personal data being shared with third parties. According to the Norwegian DPA, this was enough for the data subject to suffer harm by not giving or withdrawing consent. Published: 24-01-2021, Journal number: 20/02136-5 Tags: 01 Basis for processing and principles of processing 135