European regulators say they have adjusted the fine against Grindr to $7.1 million after learning more about their finances.
It was a rather awkward moment in the gay dating apps history. Somewhere along the line, a decision was made to sell personal information to a third party without the users permission. To be clear, not everyone is exactly open with their gender identity. Many reasons can contribute to that decision. Yet, if you shared this information with an app while exploring this aspect of your life, the last thing you want to hear is that the app in question sold that personal information to a third party. Yet, that is generally what happened back in January for users of Grindr.
At the time, an explosive report suggested that the app and site developers opted to share their users data with Twitter owned MoPub. The revelations sparked serious questions about whether or not you should trust such apps with such sensitive personal information. Of course, in Europe, with the General Data Protection Regulation (GDPR), it also sparked an investigation with pretty significant consequences. Norwegian officials then decided that they will issue a fine of $11.7 million for violations of the GDPR.
Now, we are learning that the actual fine levied against the company could be slightly less. The reason for this, as it turns out, is that officials based their initial fine on an estimate of what the company made. Now, they have the actual data of the sites financial situation. As such, they have adjusted the fine accordingly. From TechCrunch:
Grindr, a hook-up app for gay, bi, trans and queer people, has been fined around $7.1 million (65 million NOK) by Norway’s data protection authority for passing user data to advertisers without consent — including highly sensitive information related to users’ sexual orientation.
Specifically, the DPA found that Grindr breached Articles 6(1) and 9(1) of Europe’s General Data Protection Regulation (GDPR).
The authority told TechCrunch the smaller sanction takes account of the company having lower turnover in reality than the “rough estimate” it had relied upon in January when issuing the preliminary fine.
It also said the reduction takes account of measures Grindr implemented since the complaint was filed with the aim of bringing its processing of personal data in line with GDPR’s requirements.
The DPA’s decision notes that the final fine is approximately 32% of the maximum amount possible. And because GDPR allows for fines of up to €20 million or up to 4% of an entity’s total global turnover in the preceding year, whichever is higher, it suggests the U.S.-based app’s annual revenue does not exceed €20 million/$22.5 million.
The DPA describes the size of the fine as “proportionate both to the severity of the infringement and to Grindr’s financial situation”, asserting that it “does not exceed what is necessary to achieve the objectives pursued by the GDPR in the present case”.
The complaint has taken almost a year to arrive at a final decision owing — at least in part — to Grindr requesting extensions to deadlines on a number of occasions.
The incident may be fading in collective memory after nearly a year, but many are pointing out that this fine is one of many examples where larger sites and apps are not above the law here. Certainly, it is not the most vivid example of the big players being slapped with fines (the Amazon fine is a much bigger example now), but it does give a warning shot to other big players who think they can just ignore the European laws and continue on business as usual.
Drew Wilson on Twitter: @icecube85 and Facebook.