Nope, it’s not Facebook – this time, at least – and the stakes could literally be the threat of physical harm. The Norwegian Data Protection Authority said recently that it would fine Grindr, the world’s most popular gay dating app, 100 million Norwegian kroner, or about $11.7 million, for illegally disclosing private details about its users to advertising companies.
According to The New York Times (Grindr is fined $11.7 million under European privacy law, written by Natasha Singer and Aaron Krolik), The agency said the app had transmitted users’ precise locations, user-tracking codes and the app’s name to at least five advertising companies, essentially tagging individuals as L.G.B.T.Q. without obtaining their explicit consent, in violation of European data protection law. Grindr shared users’ private details with, among other companies, MoPub, Twitter’s mobile advertising platform, which may in turn share data with more than 100 partners, according to the agency’s ruling.
Tobias Judin, head of the Norwegian Data Protection Authority’s international department, said Grindr’s data-mining practices not only violated European privacy rights but also could have put users at serious risk in countries, like Qatar and Pakistan, where consensual same-sex sexual acts are illegal.
“If someone finds out that they are gay and knows their movements, they may be harmed,” Judin said. “We’re trying to make these apps and services understand that this approach — not informing users, not gaining a valid consent to share their data — is completely unacceptable.”
The fine comes one year after European nonprofit groups lodged complaints against Grindr and its advertising partners with data protection regulators. In tests last January, The New York Times actually found that the Android version of the Grindr app was sharing location information that was so precise, it actually pinpointed reporters on the side of the building they were sitting on. In April, Grindr revamped its user consent process.
In a statement, a spokesperson for Grindr said the company had obtained “valid legal consent from all” of its users in Europe on multiple occasions and was confident that its “approach to user privacy is first in class” among social apps.
The statement added: “We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority.”
The company has until Feb. 15 to comment on the ruling before it is final. The Norwegian agency said it was investigating whether the ad companies that received users’ details from Grindr had also violated European data protection law.
Even if users are giving “valid legal consent”, do they fully realize to what they’re consenting? So far, it seems that – despite millions of dollars of actual fines being assessed – there aren’t a lot of changes in how social networks are handling user data. It’s almost as if they’ve accepted the fines as a cost of doing business. When they’re making billions, why would they change when they’re only being fined millions?
So, what do you think? Do you think there is a level of fines that will change how social networks handle user data? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.