ANALYSIS: Norwegian DPA Steamrolls Grindr’s Consent Mechanism

Jan. 7, 2022, 10:00 AM

A 68-page opinion issued last month by Norway’s data protection authority thoroughly trounces the consent protocol originally used by the social networking app Grindr.

Even though Grindr claimed that its consent mechanism “exceeded industry standards” at the time it was implemented, the Norwegian regulator Datatilsynet concluded that Grindr failed to secure valid consent to share personal data for behavioral advertising purposes, imposing an eye-popping €6.5 million ($7 million) fine.

The opinion serves as a wake-up call for any organization relying on an indiscriminate “accept/reject” option to obtain consent under the General Data Protection Regulation (GDPR).

During the relevant time frame, individuals seeking to download the app were presented with Grindr’s full privacy policy, along with an invitation to “Proceed.” Clicking on “Proceed” would generate a pop-up, stating “I accept the Privacy Policy,” with options to “Cancel” or “Accept.”

While Grinder did display a separate “accept/reject” option for its Terms of Use, consent regarding the use of personal data for advertising purposes was in the privacy policy. That policy, however, also mentioned other uses, including those essential to the app’s operation.

The DPA found that wholesale acceptance of the privacy policy fell woefully short of the requirements that consent be “freely given,” “specific,” “informed,” and “unambiguous” under the GDPR. By bundling advertising uses with those essential to the app’s operation, Grindr deprived users of free choice and control over their data, according to the opinion.

The ability for users to subsequently “opt out” of data sharing with advertising partners did not remedy the situation.

Moreover, since Grindr shared sexual orientation data―a “special category” of data under GDPR Art. 9―consent also had to be “explicit” unless covered by an exemption.

Grindr failed to convince the Datatilsynet that an exemption applied. The fact that Grindr users themselves had created profiles on the app did not make data concerning their sexual orientation “manifestly public,” according to the DPA.

Bloomberg Law subscribers can find related content in our In Focus: GDPR page.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT in order to access the hyperlinked content, or click here to view the web version of this article.

To read more articles log in.

Learn more about a Bloomberg Law subscription.