Norwegian regulator Datatilsynet has slapped Grindr, a location-based online dating application, with a $7.1 million fine for sharing data with advertisers without the consent of its users. Here are some of my initial takeaways.
- The opinion was released in (excellent) English, and this is very important and much appreciated.
- The opinion is very well written, clear, organized and legally sound. I have recommended reading it verbatim to my team for training purposes.
On Compliance, SA’s, stops and shops:
- Supervisory authorities are expected to follow EDPB guidelines when enforcing the GDPR in concrete case.
- Even if your practices are much better than what the industry has been doing, this is not necessarily compliant with the law.
- The fact that few complaints have been filed by data subjects doesn’t mean a low level of damage suffered. Few people have the initiative to sue and many don’t understand complex processing enough to sue.
- The controller’s financial situation and the fact that they profited from the infringement (e.g. due to advertising) are aggravating factors.
On Location data:
- GPS location is particularly revealing of the life habits of individuals, and can be used to infer sensitive information. This is especially sensitive when opting out of location data deteriorates the functionality of the app.
- The processing of an individual’s location information can be a highly intrusive act, depending on the circumstances.
- Even data which is normally indirectly identifiable, when containing online identifiers, it can potentially be combined with other data collected from other services, and from other devices through cross-device tracking and be reidentified.
On data sharing:
- You are responsible for controlling/taking responsibility for your own data sharing. If you are only transmitting an opt-out signal (conveying the data subject’s opt out preference together with personal data) and have to rely on the actions of others (users, OS, partners, etc.) to halt the sharing where required, you are in breach of your duties under Art 5(2), 24, 25. Same goes for downstream partners “blinding” App ID.
Read more here.