The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Grindr sanctioning measure

The case in which the Norwegian supervisory authority (Datatilsynet) sanctioned the American company Grindr LLC, supplying the mobile application Grindr, the world’s largest social networking app for the LGBTQ community, offers elements to be considered both from the point of view of the strategy for effective compliance control actions and for the legal contents of the measure.

 

Strategy for effective compliance monitoring actions

On the compliance control policy side, it should be noted the positive synergy found in the Norwegian case between:

  1. the technology company that performed the technical testing, which provided objective evidence of user tracking and information flows between Grindr and other third parties for behavioral marketing purposes that would otherwise be difficult to detect
  2. the Norwegian Consumer Council which has investigated the behavior of the adtech market in a valuable document and has filed a complaint with the authority
  3. the Datatilsynet which, following previous initiatives, carried out a rigorous investigation culminating in an administrative fine against Grindr.

 

Measure_against_app_Grindr_Datatilsynet

 

Legal summary

The most important points of the measure issued by the Norwegian authority (Datatilyinet) against the Grindr company are:

A- a detailed analysis of the requirements for consent (Art. 6) and for the derogation of Art. 9 GDPR

B- the non onerousness of the denial as for the withdrawal of consent

C- the exclusion of personal data as a commercial asset

D- the interpretation of the notion of sexual orientation data

E- the legal consequences of the incorrect practice of asking the user to accept the privacy policy

F- the confirmation of the jurisdiction of the supervisory authority of the EU Member State (no one-stop-shop) on the processing carried out by foreign companies without an EU establishment but under the territorial scope of Article 3.2 GDPR.

 

Facts

Grindr is a dating app for the LGBTQ community, available in a free version and a “premium” paid version.

The paid version, in relation to the disputed period, was priced at around €1 per day.

The free version contained a consent mechanism – object of dispute – through which the user was shown the full privacy policy, asking the data subject to click on “Proceed”. If the data subject clicked on “Proceed”, a pop-up appeared with the phrase “I accept the Privacy Policy”, where Grindr gave the data subject the option to press “Cancel” or “Accept”. If the data subject pressed “Cancel”, further registration was not possible, and the data subject would be unable to use the app.