December 20, 2021
Data is a valuable asset for many businesses and selling it can be a good additional revenue stream. But, when it comes to personal data, you need to make sure that any sharing complies with the law, as Grindr discovered last week...
Most of us have heard of Grindr – a dating app aimed at the LGBTQIA+ community – but what you may not know is that they have recently been held under investigation for allegedly breaching some major data protection rules. And have been threatened with a fine of £5.5m for it. Woof. The Norwegian Data Protection Authority has issued an advance notification (i.e. a draft but not yet binding decision) inviting Grindr to contradict their findings.
The regulator’s decision is based on things such as the nature, seriousness and duration of the breach of the rules, as well as the types of data shared, amongst other things.
The Commissioner, in their draft decision, has also not ruled out the possibility that Grindr may be ordered to erase the unlawfully shared data completely.
The Norwegian Consumer Council (NCC) reported that it had received a number of complaints about breaches of personal data rights by Grindr. Following investigation, it was discovered that Grindr had in fact been selling personal data to advertisers, without the consent of the app users. This included things like IP addresses, GPS location, advertising ID, age, gender and the fact that the user was on Grindr, all of which are classed as personal data that can identify an individual.
In particular, issue was taken with the fact that a lot of the data collected by use of the app, and that was subsequently shared and sold, was special category data. This is particularly sensitive data and includes things like sexual orientation and sex life. Special category data is granted extra protections under the EU General Data Protection Regulation (GDPR) and other data protection legislation. Sharing or selling it without consent...? Big no-no!
According to these anonymous complaints, Grindr “lacked a lawful basis for sharing personal data on its users with third party companies when providing advertising in its free version of the Grindr application.” The NCC stated that Grindr shared such data through software development kits.
Did they deny it? Heck yes, they did.
Grindr argued that sexual orientation was not actually exposed by selling its users’ data, since some of their users, they said, may be straight. That argument was swiftly rejected by the Norwegian authorities, who highlighted that the app explicitly markets itself as, “exclusively for the gay/bi community”. Awkward.
In order to lawfully process personal data, you must identify, and be able to evidence compliance with, one of the lawful bases set out in Article 6 GDPR. This must be determined before you begin processing data, and ideally you should document it. The most relevant of these lawful bases to Grindr is consent.
In this case, however, special category sensitive data was involved, which triggers the involvement of Article 9 and sets a higher standard of compliance to be met.
Article 9(1) contains the general prohibition on processing data that reveals,
“racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
Article 9(1)(a) lists the exceptions to the rule. There are a few, but none that would be likely to apply to Grindr other than obtaining the individual’s explicit consent (and without undue force or coercion).
Prior to processing data, it’s a good idea to carry out a Data Protection Impact Assessment (DPIA); where you process personal data in a way that is likely to be viewed as “high risk”, this is a legal requirement. A DPIA shows diligence in taking the security of the data you process seriously, and will raise any red flag issues with your policies, especially if you are processing high risk data. It was clear that Grindr were not aware of the risks of processing the special category data and selling it.
Grindr have attempted to wriggle out of their faux-pas, claiming that they consistently review and improve their policies to ensure compliance, and that accusations are based on older versions of these documents.
Whether or not Grindr’s defence will be accepted by the regulator is not for us to speculate. However, the lesson here is that it’s important to triple check your data protection obligations and make sure you have consent if you need it. The earlier you can do this the better (ideally prior to launch!) because, unlike changes to documents, which are technically quite straightforward, obtaining and tracking consent usually needs to be built into the app itself. And getting this wrong can get you more than a playful slap!
We’re the experts in getting data on your good side. Find out more about our data protection offering here.