Grindr’s $7M GDPR fine is a stark warning to adtech not to track

The data protection authority in Norway fined Grindr $7.1 million for passing user data to advertisers without consent, including highly sensitive information related to users' sexual orientation.

The DPA found that Grindr had violated the General Data Protection Regulation.

The behavioral advertising industry has a lot of legal troubles in the region.

The final size of the penalty for the gay dating app was less than the 100 million NOK (~$12.1 million) that Datatilsynet had indicated in its preliminary decision on the case.

The authority said the smaller sanction reflected the fact that the company's turnover was lower than it had assumed.

The reduction also takes into account the measures Grindr has implemented since the complaint was filed with the aim of bringing its processing of personal data in line with the requirements of the EU's General Data Protection Regulation.

The final fine is 32% of the maximum amount that could have been levied. It suggests the US-based app's annual revenue does not exceed €20M ($22.50M), since the EU's General Data Protection Regulation allows fines of up to €20M or 4% of an entity's total global turnover in the preceding year.

The size of the fine is proportional to the severity of the violation and to the financial situation of the company, according to the DPA.

It took almost a year for the complaint to reach a final decision, partly because Grindr requested extensions to deadlines on a number of occasions.

The investigation was limited to the process Grindr used to obtain consent in the first two years after the complaint, before it switched to a different method.

The lawfulness of Grindr's current method for obtaining consent has not been investigated.

The decision doesn't include any requirements for Grindr or its ad partners to remove user data that was obtained illegally, but that could change in the future.

The investigation into Grindr's ad partners is still ongoing.

"Datatilsynet has made it clear that further decisions may come at a later date if they deem it necessary," said the director for international issues at Datatilsynet. "We are not ruling out any possibilities for further enforcement."

The final decision in the Grindr case will inform the ad partner probes.

At a time when some EU lawmakers are pressing for a ban on surveillance-based advertising, a committee vote in the European Parliament this week did not back amending the Digital Services Act to include an overall ban on such advertising.

Even so, legal requirements look set to tighten around how adtech can operate in the EU, with pressure building against the dark patterns and "manipulative defaults" that are used to extract consent.

The UK data watchdog warned the industry that the end of tracking is near.

The deputy director general of the European Consumer Organisation, BEUC, Ursula, welcomed the slap-down of Grindr, saying that it "illegally exploited and shared its users' information for targeted advertising". "It is time for the behavioural advertising industry to stop tracking consumers. It is a business model that harms consumers. This is the first domino to fall and we hope that authorities start imposing fines on other companies as the violations identified in this decision are standard surveillance ad-tech industry practices."

The report finds that dating and fertility apps are out of control.

Datatilsynet opened the investigation into Grindr after the European privacy campaign group noyb filed a complaint on behalf of an individual.

An analysis of data flows from a number of popular apps, including Grindr, showed how they share data with unexpected third parties, including entities in the behavioral ad industry, highlighting the extent of adtech's lawfulness problem.

In its response to the data protection watchdog, Grindr claimed that it had users' consent to share their data with its advertising partners.

The app didn't give users a choice over whether to agree or not. If a Grindr user refused to accept its privacy policy, they couldn't use the app.

The complaint focused on how the app obtained consent prior to its switch to a consent management platform.

The lack of a choice offered to users looks like a violation of the rules.

In order to avoid a sanction, Grindr tried to argue that it did not pass information on individual users' sexuality to advertisers.

Processing information such as a person's sexual orientation requires explicit consent from the user.

The Datatilsynet concluded that the protections contained in the EU's General Data Protection Regulation should not be interpreted narrowly.

Being a Grindr user is a strong indicator that the data subject is a sexual minority. The purpose behind the wording of the article is to discourage discrimination, and the fact that a data subject belongs to a sexual minority may lead to prejudice and even discrimination without revealing their specific sexual orientation.

Such data therefore concerns the data subject's sexual orientation.

Grindr had also suggested that it would be surprising if advertisers used special category data for profiling and ad targeting.

It's a surprising argument to try to make, given the evidence from other complaints of profiling being carried out by the behavioral ad industry.

A consent framework controlled by the online advertising body IAB Europe, which is used to claim consent to process people's data for ad targeting, is itself facing a GDPR breach finding.

Datatilsynet pointed out that sharing personal data concerning a natural person's "sexual orientation" with advertising partners is, in itself, processing of sensitive data. It is explicit in its decision that it does not agree with the claim that a data subject's sexual orientation is not a category of data that advertisers could potentially use to target ads.

In another attempt to wriggle out of a GDPR slap-down, Grindr had also sought to argue that even if its advertisers received any sensitive personal data, they would be required to blind themselves to it under commitments in its contracts with them.

It said that many adtech companies in the EU have spent the last decade or so creating so-called "blinding methods" which it said obfuscate which app an ad call is coming from.

According to the decision, Grindr holds that participants in the adtech ecosystem would likely only receive a blinded app ID and not the corresponding app name, and that it is common practice in the EU for ad networks to use a random app ID in the ad call so that downstream bidders are not aware of the actual name of the app where the ad is to be served.

The DPA found this irrelevant: the fact that sensitive data is being passed at all is enough to invoke the GDPR's special category provisions.

Datatilsynet also cites a technical report by Mnemonic, which shows that the app name was shared with MoPub, and that Grindr shared the app name with multiple other advertising partners.

Datatilsynet further points out that Grindr's own privacy policy explicitly states that data is transmitted to advertising partners, so those partners are aware of where it is coming from.

So, er,...

Even if blinding were happening as claimed by the adtech industry, it still would not satisfy other requirements in the GDPR, as the DPA points out: Grindr would have to be able to stop advertising partners or other participants in the adtech ecosystem from further using the data.

The analysis goes further in unpicking adtech's obfuscating claims vs what is actually being done with people's data. If you are interested in devilish detail, you should read it in full.

Datatilsynet found that Grindr shared users' sexual orientation data, a special category of data under Article 9(1), with advertising partners.

Special category data can be processed on the basis of consent, but only if the user gives explicit consent, which the DPA found was not the case here.

The decision concludes that Grindr users had not made public their sexual orientation simply by virtue of using the app, as the app had sought to argue.

It goes beyond the expectations of the data subject that Grindr would give information about their sexual orientation to advertising partners. Being a Grindr user is not an affirmative act by the data subject to make the information public.

The sanction has been commented on by Grindr.

It has three weeks to lodge an appeal against the decision.

Datatilsynet made sure to mention that there may be additional issues related to the current consent mechanism since the investigation was limited to the lawfulness of the previous platform.

Potential issues that have fallen outside of the scope of the investigation will still be looked at in the future.

In a statement commenting on the decision, a data protection lawyer at noyb described it as "astonishing that the DPA has to convince Grindr that its users are LGBT+ and that this fact is not a commodity to be bartered".

The Datatilsynet order states that you cannot share personal data with a potentially unlimited number of partners without being able to control what happens to that data.

The crux of the problem is that the tracking of Internet users is used to individually target marketing.

The adtech industry doesn't have processes in place to control what happens to data once it's grabbed and shared with scores of faceless adtech entities involved in the high speed programmatic auction process known as real-time

There are signs that the enforcement block is starting to shift, not least as a result of smart, smaller-scale actions such as this one, even as larger GDPR complaints have been sitting on EU regulators' desks for years.

The web of adtech data flows is so tangled that even a relative bit player can implicate scores of others.

The adtech industry has a solution for people who don't want to be tracked through their devices and digital activity: not asking for permission to do so.

The end-game for that mocking pantomime is finally here in Europe.

The industry has spent the past decade doing things that are exploitative and cynical, so it will be down to regulators and lawmakers to make sure that whatever targeting processes replace them are not as bad.

The IAB Europe is trying to confuse the issue by conflating ad targeting with tracking, in a bid to lobby the European Parliament not to outlaw adtech.

Privacy-safe targeting alternatives exist and have been profitable for DuckDuckGo for years.

The behavioral advertising industry has a lawfulness problem.

Finn Myrstad, director of digital policy at the NCC, warned that the Datatilsynet decision against Grindr "sends a strong signal to all companies involved in commercial surveillance". "Sharing personal data without a legal basis can have serious consequences. Digital advertising needs to make fundamental changes to respect consumers' rights."

Norway is a member of the European Economic Area and has transposed the EU's General Data Protection Regulation into national law. The business of a US company without a defined legal entity in the EU is open to regulatory oversight by the data protection authority in any part of the bloc that has concerns, rather than being funnelled via the Irish Data Protection Commission.
