A 68-page opinion issued last month by Norway’s data protection authority thoroughly trounces the consent protocol originally used by the social networking app Grindr.
Even though Grindr claimed that its consent mechanism “exceeded industry standards” at the time it was implemented, the Norwegian regulator Datatilsynet concluded that Grindr failed to secure valid consent to share personal data for behavioral advertising purposes, imposing an eye-popping €6.5 million ($7 million) fine.
The opinion serves as a wake-up call for any organization relying on an indiscriminate “accept/reject” option to obtain consent under the General Data Protection Regulation (GDPR).
The ability for users to subsequently “opt out” of data sharing with advertising partners did not remedy the situation.
Moreover, since Grindr shared sexual orientation data―a “special category” of data under GDPR Art. 9―consent also had to be “explicit” unless covered by an exemption.
Grindr failed to convince Datatilsynet that an exemption applied. The fact that Grindr users themselves had created profiles on the app did not make data concerning their sexual orientation “manifestly public,” according to the DPA.