Why did the Norwegian DPA hit GRINDR with a whopping £5.5 million fine?

Grindr, a social networking dating app marketed towards the LGBTQ community, was recently fined £5.5 million by Datatilsynet, the Norwegian Data Protection Authority, for violating the GDPR rules. Though Grindr argued that it had the valid consent of its users, the DPA disagreed. Let’s take a closer look.


What happened exactly?

Back in 2020, the Norwegian Consumer Council (NCC) lodged a complaint against Grindr for illegally disclosing sensitive user data to third parties for advertising purposes. The data allegedly shared included IP addresses, GPS locations, gender, age and the fact that the user in question was on Grindr – all without any user consent.

According to the Norwegian DPA, information about the sharing of personal data was not clearly communicated to users, contrary to the GDPR's requirements for valid consent. Users were forced to accept the privacy policy to access the app and were not explicitly asked whether they wanted to consent to the sharing of their data with third parties.

Why such a huge penalty?

To underline the gravity of the offence, this is the highest GDPR fine issued by the Norwegian authority to date. The case was particularly disturbing because information about a person’s sexual orientation or gender identity constitutes special category data and is subject to special protection under the GDPR rules. Grindr clearly didn’t provide that protection.

In addition, the fact that Grindr illegally passed on location details added to the severity of the case. This is because sharing information about where users are located could severely harm their physical safety if they were located and targeted in countries where homosexuality is illegal.

Overall, the Norwegian authority considers the data infringements to be grave and a serious GDPR violation that justifies the high, deterrent penalty. However, it is also important to note that the fine was reduced from its initial sum of £8.2 million because of Grindr’s quick fixes to reform its consent management platform.

What can organisations do to comply?

Data is the most valuable asset in this digital world. And though GDPR creates challenges for us, it also opens the door to new opportunities. Organisations that value users’ privacy (more than just legal compliance), that are transparent about how user data can be used, and that prioritise valid user consent build deeper trust and retain more loyal customers. On top of that, explicit consent also keeps you from falling prey to legal consequences.

So, any organisation that relies on consent as a legal basis for data processing should review its consent mechanisms in a timely manner. It should ensure:

  • The consent mechanisms are “opt-in” in nature.
  • Data subjects are provided with a clear explanation of the data processing to which they are consenting.
  • Data subjects are allowed to withdraw their consent whenever they wish.
  • The consent is freely given.

Our take on this

It’s time for businesses to be transparent about how they use data. We have seen some huge fines during 2021 against organisations that used processes designed to capture consent without users noticing. Let’s do better in 2022: let’s be open and upfront, and explain clearly why we need individuals’ data and what we will do with it when we get it. Anything less is not only morally wrong, but it can also cost you financially and damage your brand’s reputation.
