Grindr, an LGBTQ-focused location-based dating app, has been fined €6.5 million (£5.5 million) for providing user data to marketers.
According to the Norwegian Data Protection Authority, releasing such information without first obtaining an explicit agreement violates GDPR requirements.
After Grindr supplied facts about its financial status and made adjustments to its app, the fine was decreased to £8.6 million from £8.6 million.
The fine is the heaviest the Norwegian DPA has ever imposed because the infringements were deemed “severe” by the regulator.
GPS position, IP address, advertising ID, age, gender, and the knowledge that the user was on Grindr were among the data it discovered the app had shared with third parties.
This was notably bothersome because data concerning a person’s sexual orientation falls within the GDPR’s special category data category, which requires extra protection.
Grindr’s fine was initially greater, but it was decreased after the company supplied information regarding its size and financial status. The fact that the company has since modified the app’s permissions was also taken into consideration.
The agency stated that it had not evaluated whether the present consent procedure was GDPR compliant.
It also did not dismiss the possibility of forcing Grindr to delete the personal data that had been illegally processed.
Grindr has three weeks to overturn the decision.