The Norwegian Data Protection Authority notified dating app maker Grindr it plans to fine the company $11.7m (£8.6m, $14m), which it said it about 10% of its turnover, for not complying with General Data Protection Regulation (GDPR) rules on consent. GDPR is Europe’s tough data protection laws that came into effect in 2018.
“Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis, said Bjorn Erik Thon, director-general of the Norwegian regulator.
Last year, the Norwegian Consumer Council filed a complaint against Grindr stating the company was sharing user’s personal data with third parties for marketing purposes.
The data shared include GPS location, user profile data, and the fact that the user in question is on Grindr.
Grindr is a location-based social networking app for gay, bi, trans, and queer people.
“Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection,” the regulator said.
It added that users were not able to exercise “real and effective” control over the sharing of their data..
“We consider that this was contrary to the GDPR requirements for valid consent,” the Data Protection Authority said.
The authority has notified Grindr that we intend to “impose a fine of high magnitude as our findings suggest grave violations of the GDPR.”
However, the decision is not final. Grindr has the opportunity to comment on the regulator’s findings before 15 February. A final decision will be made once its comments have been assessed.
The Norwegian Consumer Council also filed complaints against five of the third parties receiving data from Grindr: MoPub, owned by Twitter (TWTR), Xandr, (formerly known as AppNexus Inc), OpenX Software, AdColony, and Smaato. These cases are ongoing.
Earlier this month it was reported that companies in Europe have been hit with fines worth €272.5m (£242.3m, $329m) for a wide range of infringements of the GDPR.
WATCH: What is the Bounce Back Loan scheme?