The case in which the Norwegian supervisory authority (Datatilsynet) sanctioned the American company Grindr LLC, provider of the mobile application Grindr, the world’s largest social networking app for the LGBTQ community, offers points to consider both on the strategy for effective compliance control actions and on the legal content of the measure.
Strategy for effective compliance monitoring actions
On the compliance control policy side, the Norwegian case shows a positive synergy between:
- the technology company that performed the technical testing, which provided objective evidence of user tracking and of information flows between Grindr and other third parties for behavioral marketing purposes that would otherwise be difficult to detect;
- the Norwegian Consumer Council, which investigated the behavior of the adtech market in a valuable document and filed a complaint with the authority;
- the Datatilsynet, which, following previous initiatives, carried out a rigorous investigation culminating in an administrative fine against Grindr.
The most important points of the measure issued by the Norwegian authority (Datatilsynet) against Grindr are:
A- a detailed analysis of the requirements for consent (Art. 6) and for the derogation under Art. 9 GDPR
B- the requirement that refusing consent be non-onerous, as for the withdrawal of consent
C- the exclusion of personal data as a commercial asset
D- the interpretation of the notion of sexual orientation data
F- the confirmation of the jurisdiction of the supervisory authority of the EU Member State (no one-stop-shop) over processing carried out by foreign companies that have no EU establishment but fall within the territorial scope of Article 3.2 GDPR.
Grindr is a dating app for the LGBTQ community, available in a free version and a “premium” paid version.
The paid version, in relation to the disputed period, was priced at around €1 per day.