Grindr Fined €6.5 million for Breaching GDPR Consent Requirements
Norway’s data privacy watchdog has fined Grindr, a location-based social networking app for gay, bisexual, trans, and queer people, €6.5 million for sharing sensitive personal data without valid user consent. The Grindr privacy breach fine is the largest to date handed down by the Norwegian Data Protection Authority (NDPA). It appears Grindr has accepted the fine, given that the three weeks the company had to appeal the decision have now lapsed.
Personal Information Shared in the Grindr Privacy Breach
The fine resulted from Grindr sharing the personal data of its users with third parties for marketing purposes, without valid consent.
The NDPA’s press release revealed that data shared without user consent included:
- GPS location data.
- IP address.
- Advertising ID.
- Age.
- Gender.
- User profile data.
- Sensitive information about the users’ sexual orientation – by virtue of the fact that they were using an app for gay, bi, trans, and queer people.
The personal and sensitive information was shared with third parties in a manner that made it possible for users to be identified. Moreover, the data was shared in such a way that the recipients could potentially further share the users’ personal and sensitive information.
Details of Grindr’s Privacy Breach
The complaint stemmed from Grindr sharing personal data with five third parties for advertising purposes. It was alleged (and later decided) that Grindr did not obtain valid consent from its users to disclose this information to third parties.
Specifically, the complaints were threefold:
Complaint 1 describes the data sharing from the Grindr app with third parties using Twitter’s MoPub as a mediation partner. The categories of personal data being transmitted are similar across these parties, with small exceptions such as AppNexus receiving the IP address and OpenX receiving keywords.
Complaint 2 describes the direct transmissions from the Grindr app to AdColony. The categories of personal data being shared are similar to those in Complaint 1, with the addition of, for example, the user’s permission settings, the Grindr User ID, and an indication of “explicit consent”.
Complaint 3 describes the direct transmissions from the Grindr app to Smaato. The categories of personal data being shared are similar to those in Complaint 1, with the addition of, for example, the user’s permission settings and the consent string.
Why the ‘Consents’ Obtained by Grindr Were Invalid
Grindr initially claimed that it had obtained consent in line with the requirements of the General Data Protection Regulation (GDPR). The consent mechanism at the time of the complaint displayed the full privacy policy to the data subject and asked them to click “Proceed”. When the user clicked that button, a pop-up appeared stating “I accept the Privacy Policy”, with the user given the options of pressing either “Cancel” or “Accept”.
Where the user pressed “Accept”, the consents for sharing personal data with the five third parties for advertising purposes were bundled with the user’s acceptance of the app’s privacy policy. If the user hit “Cancel”, they were excluded from using the Grindr app.
The NDPA analysed this consent collection mechanism in detail, finding that Grindr’s consent mechanisms fell afoul of the GDPR requirements. Here’s an overview of the detailed analysis provided in the NDPA’s decision:
GDPR Consent Requirements
Article 4(11) of the GDPR notes that valid consent is only obtained where it is freely given, specific, informed, and unambiguous.
In its analysis of whether user consent to Grindr was freely given, the NDPA considered whether not allowing for separate consents to be given to different personal data processing operations meant that users were not freely giving their consent.
The NDPA relied on Recital 43 of the GDPR and the European Data Protection Board (EDPB) Guidelines in determining that:
“…we can establish that Grindr’s previous consent mechanism did not allow for separate consents to be given to different purposes or processing operations despite it being appropriate, indicating that consent was not “freely given”.”
Recital 43 of the GDPR
Recital 43 of the GDPR states that:
“Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case…”
The EDPB Guidelines on Consent
The EDPB Guidelines on Consent note that consent is presumed not to be freely given where it is bundled up as a non-negotiable part of terms and conditions. They also assert that consent will not (usually) be valid where a data subject has no real choice, feels compelled to consent, or will endure negative consequences if they do not consent.
You can read the EDPB’s Guidelines on Consent here: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
Further Reasons for the NDPA’s Decision on the Grindr Privacy Breach
The NDPA also found it problematic that Grindr made consent to the processing of personal data that is not necessary for the performance of the service an absolute requirement for gaining access to the app. Since users had to consent to the disclosure of their personal and sensitive information to third-party advertisers even to gain access to the app, the NDPA deemed the consents obtained invalid on the basis that:
- Access to services in the free version of the app was made conditional on consenting to Grindr sharing personal data with advertising partners despite this not being necessary for the performance of the service; and
- Data subjects could not refuse or withdraw consent without detriment.
Moreover, it was determined that the consents provided by data subjects were not informed, specific, or unambiguous.
You can find more details about the NDPA’s analysis in the 68-page NDPA Decision (in English) here: https://www.datatilsynet.no/contentassets/8ad827efefcb489ab1c7ba129609edb5/administrative-fine—grindr-llc.pdf
What Would Valid Consent Have Looked Like for Grindr?
The NDPA noted that separate consents for the requests for sharing personal data with advertising partners would have been “appropriate and practical”. It noted the lack of granularity in the way Grindr obtained its consent as being key in its determination that consent was not freely given.
“In sum, refusing consent under Grindr’s previous CMP was dependent on the user’s patience and technological understanding, and it did not demonstrate a fair, intuitive and genuine free choice.”
The magnitude of the fine highlights the importance of obtaining valid consent. Here are some key takeaways for businesses looking to implement GDPR-compliant consent mechanisms:
- Do not make consent to disclose personal information a requirement unless it is necessary for the functionality of the app or the provision of services.
- Separate consents for different types of data processing.
- Make the consent mechanisms as granular as practicable.
- Separate consents for data processing from the privacy policy and terms of use.
- Make it clear to data subjects that their data will be shared with third parties (if that’s the case).
- Ensure clear, easy-to-understand, and jargon-free language is used when describing privacy practices.
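To make the takeaways above concrete, here is an added example (not code from the article, the NDPA, or Grindr) that models the two consent designs the decision contrasts: a bundled flow, where one “Accept” covers both the privacy policy and sharing with advertising partners and “Cancel” locks the user out, and a granular flow, where each non-essential purpose is a separate, refusable, withdrawable choice that names its recipients. The purpose identifiers, screens and the partner name `example-ad-partner` are constructed placeholders. `flow_problems` checks a proposed flow against the three points the decision turned on (no bundling, no conditioning access on unnecessary purposes, recipients named), and `may_share_with` shows data sharing gated on a current per-purpose consent rather than on acceptance of the privacy policy.

```python
# Added example (not from the article or from Grindr's code): a granular-consent model.
# Purpose identifiers, partner names and the screens below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Purpose:
    """One processing purpose the user is asked about, described in plain language."""
    id: str
    description: str
    recipients: tuple = ()               # third parties named to the user
    necessary_for_service: bool = False  # only such purposes may gate access


@dataclass(frozen=True)
class ConsentScreen:
    """One yes/no choice shown to the user: which purposes it covers and what refusal does."""
    purpose_ids: tuple
    refusal_blocks_access: bool


@dataclass
class ConsentDecision:
    granted: bool
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentRecord:
    """Per-purpose consent state for one user; withdrawal is as easy as granting."""
    decisions: dict = field(default_factory=dict)

    def record(self, purpose_id: str, granted: bool) -> None:
        self.decisions[purpose_id] = ConsentDecision(granted, datetime.now(timezone.utc))

    def withdraw(self, purpose_id: str) -> None:
        d = self.decisions.get(purpose_id)
        if d is not None and d.withdrawn_at is None:
            d.withdrawn_at = datetime.now(timezone.utc)

    def is_granted(self, purpose_id: str) -> bool:
        d = self.decisions.get(purpose_id)
        return d is not None and d.granted and d.withdrawn_at is None


def flow_problems(screens, purposes) -> list:
    """Check a proposed consent flow against the criteria the decision turned on:
    no bundling of purposes into one choice, no conditioning of access on
    unnecessary purposes, and recipients named so that the consent is informed."""
    problems = []
    for screen in screens:
        if len(screen.purpose_ids) > 1:
            problems.append(f"bundled: {screen.purpose_ids} requested with a single choice")
        for pid in screen.purpose_ids:
            p = purposes[pid]
            if screen.refusal_blocks_access and not p.necessary_for_service:
                problems.append(f"conditional: refusing {pid!r} blocks access although "
                                f"it is not necessary for the service")
            if not p.necessary_for_service and not p.recipients:
                problems.append(f"not informed: {pid!r} does not name its recipients")
    return problems


def access_allowed(record, purposes) -> bool:
    """Only purposes necessary for the service gate access to the app."""
    return all(record.is_granted(p.id) for p in purposes.values() if p.necessary_for_service)


def may_share_with(record, purposes, recipient: str) -> bool:
    """Data goes to a recipient only under a current consent for a purpose that names it."""
    return any(recipient in p.recipients and record.is_granted(p.id)
               for p in purposes.values())


# Constructed purposes and flows; the partner name is a placeholder, not a real partner.
PURPOSES = {
    "core_service": Purpose("core_service", "Run the app and show nearby profiles",
                            necessary_for_service=True),
    "ads_sharing": Purpose("ads_sharing",
                           "Share your location, advertising ID and age with the named "
                           "advertising partner",
                           recipients=("example-ad-partner",)),
}

# Bundled flow: one "Accept" covers the privacy policy and ad sharing; "Cancel" locks the user out.
BUNDLED_FLOW = [ConsentScreen(("core_service", "ads_sharing"), refusal_blocks_access=True)]

# Granular flow: the necessary purpose gates access; ad sharing is a separate, refusable choice.
GRANULAR_FLOW = [
    ConsentScreen(("core_service",), refusal_blocks_access=True),
    ConsentScreen(("ads_sharing",), refusal_blocks_access=False),
]


def demo():
    """Walk a user through the granular flow: refuse ads, keep access, later grant and withdraw."""
    rec = ConsentRecord()
    rec.record("core_service", True)
    rec.record("ads_sharing", False)
    states = [(access_allowed(rec, PURPOSES), may_share_with(rec, PURPOSES, "example-ad-partner"))]
    rec.record("ads_sharing", True)
    states.append((access_allowed(rec, PURPOSES), may_share_with(rec, PURPOSES, "example-ad-partner")))
    rec.withdraw("ads_sharing")
    states.append((access_allowed(rec, PURPOSES), may_share_with(rec, PURPOSES, "example-ad-partner")))
    return states


if __name__ == "__main__":
    print("bundled flow problems:", flow_problems(BUNDLED_FLOW, PURPOSES))
    print("granular flow problems:", flow_problems(GRANULAR_FLOW, PURPOSES))
    print("access/share states:", demo())
```

Run as a script, the bundled flow is flagged twice (one choice covering two purposes, and refusal of the non-essential purpose blocking access), the granular flow is not flagged, and the user keeps access throughout while data flows to the partner only during the window between granting and withdrawing the ad-sharing consent. The design point is that the sharing gate consults the per-purpose record and the recipients named to the user, never the fact that a privacy policy was accepted.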
Further Resources on Privacy Breaches
Data Breach Notifications in Australia: A basic guide to who, what, when, how, and why.
Fallout from Uber’s Privacy Breach – and Subsequent Cover Up.
Business Lessons from the NSW Services Privacy Breach.
Flight Lesson’s Design Jam Breach: What Can We Learn?
Meet Your Privacy Obligations with Privacy 108
Privacy 108’s team works with organisations throughout the Australian-Pacific to ensure compliance with global privacy requirements, including those under the GDPR, CCPA, PIPA, and Australia’s Privacy law. For assistance meeting your privacy obligations, reach out.