$12m Grindr fine shows GDPR's got teeth

$12m Grindr fine shows GDPR’s got teeth

As thoughts turn to Data Privacy this week in a big way, GDPR illustrates it isn’t an afterthought. Grindr, the popular social network and dating platform, will likely suffer a $12 million USD fine due to privacy related complaints. What happened here, and what are the implications for future cases?

What is GDPR?

The General Data Protection Regulation is a robust set of rules for data protection created by the European Union (EU), replacing much older rules from the 1990s. It was adopted in 2016 and enforcement began in 2018. It’s not a static thing, and is often updated. There’s plenty of rules and requirements for things such as data breaches or poor personal data notifications. Crucially, should you get your data protection wrong somewhere along the way, big fines may follow.

Although mostly spoken of in terms of the EU, its impact is global. Your data may be sitting under the watchful eye of GDPR right now without you knowing it, which…would be somewhat ironic. Anyway.

The complaint

On the 24th January, Norway’s Data Protection Authority (NDPA) gave Grindr advance notification [PDF] of its intention to levy a fine. This is because they claim Grindr shared user data to third parties “without legal basis”. From the document:

Pursuant to Article 58(2)(i) GDPR, we impose an administrative fine against Grindr LLC of 100 000 000 – one hundred million – NOK for

– having disclosed personal data to third party advertisers without a legal basis, which constitutes a violation of Article 6(1) GDPR and

– having disclosed special category personal data to third party advertisers without a valid exemption from the prohibition in Article 9(1) GDPR

That doesn’t sound good. What does it mean in practice?

Noticing the notification

The Norwegian Consumer Council, in collaboration with the European Center for Digital Rights, put forward 3 complaints on behalf of a complainant. The complaints themselves related to third-party advertising partners. The privacy policy stated that Grindr shared a variety of data with third-party advertising companies, such as:

[…] your hashed Device ID, your device’s advertising identifier, a portion of your Profile Information, Location Information, and some of your demographic information with our advertising partners

Personal data shared included the below:

Hardware and Software Information; Profile Information (excluding HIV Status and Last Tested Date and Tribe); Location and Distance Information; Cookies; Log Files and Other Tracking Technologies.

Additional Personal Data we receive about you, including: Third-Party Tracking Technologies.

Where this all goes wrong for Grindr, is that NDPA object to how consent was gained for the various advertising partners. Users were “forced to accept the privacy policy in its entirety to use the app”. They weren’t asked specifically if they wanted to share with third parties. Your mileage may vary if this is worth the fine currently on the table or not, but it is a valid question.

Untangling the multitude of privacy policies

Privacy policies can cause headaches for developers and users alike, in lots of different areas besides dating. For example, there are games in mobile land with an incredible amount of linked privacy policies and data sharing agreements. Realistically there’s no way to genuinely read all of it [PDF, p.4], because it’s too complicated to understand.

Does the developer roll with a “blanket” agreement via one privacy policy to combat this, because thousands of words across multiple policies is too much? If so, how do they cope at a granular level where smaller decisions exist for each individual advertiser?

Removing an advertiser from a specific network might warrant a notification from an app, to let the user know things have changed. Even more so if replaced by another advertiser, entirely unannounced. Does the developer pop notifications every single time an ad network changes, or hope that their blanket policy covers the alteration?

Considering the imminent fine, many organisations may be racing to their policy teams to carve out an answer. A loss of approximately 10% of estimated global revenue isn’t the best of news for Grindr. It seems likely the fine will stick.

Batten down the data privacy hatches

Data privacy, and privacy policies, are an “uncool” story for many. Everyone wants to see the latest hacks, or terrifying takeovers. Yet much of the bad old days of Adware/spyware from 2005 – 2008 was dependent on bad policies and leaky data sharing. While companies would occasionally be brought before the FTC, this was rare.

GDPR is a lot more omnipresent than the FTC is in terms of showing up at your door and passing you a fine. With data being so crucial to regulatory requirements and basic security hygiene, GDPR couldn’t be clearer: its here, and it isn’t going away.