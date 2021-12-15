

     

Grindr's $7M GDPR fine is a stark warning to adtech not to track

Natasha Lomas

Grindr, a hook-up app for gay, bi, trans and queer people, has been fined around $7.1 million (65M NOK) by Norway's data protection authority for passing user data to advertisers without consent -- including highly sensitive information related to users' sexual orientation.

Specifically, the DPA found that Grindr breached Articles 6(1) and 9(1) of Europe's General Data Protection Regulation (GDPR).

The complaint adds to the behavioral advertising industry's legal woes -- which continue to pile up in the region.

The final size of the penalty Grindr has been hit with is a little reduced vs the 100M NOK/$12.1M that the gay dating app was facing back in January -- when the Datatilsynet issued a preliminary decision on the case.

The authority told TechCrunch the smaller sanction takes account of the company having lower turnover in reality than the "rough estimate" it had relied upon in January when issuing the preliminary fine.

It also said the reduction takes account of measures Grindr implemented since the complaint was filed with the aim of bringing its processing of personal data in line with GDPR's requirements.

The DPA's decision notes that the final fine is approximately 32% of the maximum amount possible. And since GDPR allows for fines of up to €20M or up to 4% of an entity's total global turnover in the preceding year, whichever is higher, it suggests the US-based app's annual revenue does not exceed €20M/$22.5M.

The DPA describes the size of the fine as "proportionate both to the severity of the infringement and to Grindr’s financial situation", asserting that it "does not exceed what is necessary to achieve the objectives pursued by the GDPR in the present case".

The complaint has taken almost a year to arrive at a final decision owing -- at least in part -- to Grindr requesting extensions to deadlines on a number of occasions.

It's also worth noting that this investigation was limited to the process Grindr used to obtain consent at the time of the complaint -- in 2019 and up to April 2020 (when it switched to a different method).

So the lawfulness of Grindr's current method for obtaining consent has not been investigated.

While the decision does not include any requirements that Grindr (or its ad partners) delete unlawfully obtained user data, the DPA told us that could change in future.

It also confirmed that its investigation against Grindr's ad partners (who it sent user data to) is ongoing.

"Our decision does not include any erasure requirements at this time but we have also made it clear that further decisions may come at a later date if we deem it necessary," said Tobias Judin, director for international issues at Datatilsynet. "In other words: We are not ruling out any possibilities for further enforcement at this stage."

"Now that we have a final decision in the Grindr case, this decision will also inform those investigations," he further confirmed of the ad partner probes.

The penalty for Grindr tracking users without consent comes at a time when some EU lawmakers continue pressing for a ban on surveillance-based advertising -- although a committee vote in the European Parliament this week did not back amending the Digital Services Act to include an outright ban on surveillance-based advertising, as some MEPs have been pressing for.

The committee did back a prohibition on dark patterns to manipulate consent, though. So legal requirements look set to continue to tighten around how adtech can operate in the EU -- and reform of manipulative defaults is being enforced.

See also: The UK data watchdog's recent warning to the industry that the end of tracking is nigh.

In a statement welcoming Norway's GDPR slap-down of Grindr, the deputy DG of the European Consumer Organisation, BEUC, Ursula Pachl, said: “Grindr illegally exploited and shared its users’ information for targeted advertising, including sensitive information about their sexual orientation. It is high time the behavioural advertising industry stops tracking and profiling consumers 24/7. It is a business model which clearly breaches the EU’s data protection rules and harms consumers. Let’s now hope this is the first domino to fall and that authorities start imposing fines on other companies as the infringements identified in this decision are standard surveillance ad-tech industry practices.”


Consent breaches

Datatilsynet opened the investigation into Grindr after receiving complaints from Norway's Consumer Council (NCC) and the European privacy campaign group, noyb, acting on behalf of an individual complainant.

Last year the NCC published an analysis of data flows from a number of popular apps (including Grindr but also a number of others) showing how they share data with "unexpected third parties", including entities in the behavioral ad industry, to highlight the extent of adtech's lawfulness problem.

In its response to the data protection watchdog's investigation, Grindr had claimed it had users' consent to share their data with its advertising partners -- which included Twitter-owned MoPub, Xandr (previously AppNexus), OpenX, AdColony and Smaato.

However the app did not offer users a free choice over whether to agree to its terms or not. If a Grindr user declined to accept its privacy policy during onboarding they were unable to proceed to use the app.

And while Grindr went on to change how it gathers consent -- implementing a consent management platform provided by the third party OneTrust in April 2020 -- as noted above this complaint focuses on how the app was obtaining consent prior to that switch.

The GDPR states that for consent to be a valid legal basis to process personal data it must be informed, specific and freely given (emphasis ours). So the lack of a choice offered to users looks like a very flagrant breach of the rules.

In seeking to avoid a sanction, Grindr also sought to argue that it did not pass information on individual users' sexuality to advertisers -- claiming it only sent generic keywords (such as "gay", "bi" and "bi-curious").

This is important because GDPR has specific rules for so-called "special category data" -- requiring an even higher bar of explicit consent from a user if that's the legal basis you're claiming for processing information such as a person's sexual orientation.

In reaching its final decision on the complaint, the Datatilsynet concluded that protections contained in Article 9 of the GDPR (which concerns "special category data") should not be so narrowly interpreted.

"Being a Grindr user strongly indicates, and appears in most cases to accurately reflect, that the data subject belongs to a sexual minority. Furthermore, the fact that a data subject belongs to a sexual minority may lead to prejudice and discrimination even without revealing their specific sexual orientation," it writes, adding: "The wording of Article 9 does not require a revealing of a particular 'sexual orientation', and the purpose behind Article 9 discourages a narrow interpretation.

"For these reasons, we find that information that a data subject is a Grindr user is data 'concerning' the data subject’s 'sexual orientation'."

Grindr had also sought to suggest that advertisers were unlikely to use categories of special category data for profiling and ad targeting -- telling the DPA it would be surprised if that were the case.

Which is -- to put it mildly -- a surprising argument to try to make, given ample evidence from other GDPR complaints of the highly invasive profiling being carried out by the behavioral ad industry.

Not to mention the fact that a flagship industry framework that's widely used to claim consent to process people's data for ad targeting is facing a finding of unlawfulness itself. As is the online advertising body that controls it.


In any case, Datatilsynet rejected Grindr's dodge -- pointing out that it's irrelevant how such sensitive data might be further processed, since -- under GDPR -- "the sharing of personal data concerning a natural person’s 'sexual orientation' to advertising partners is sufficient to trigger Article 9". (Its decision also makes it explicit that it does "not agree with the claim that a data subject's 'sexual orientation' is not a category of data that could potentially be used by advertisers to target ads".)

In another attempt to wiggle out of a GDPR slap-down, Grindr had also sought to argue that even if its advertisers -- theoretically -- received any sensitive personal data, they must "blind" themselves to it, per commitments in its contracts with advertisers.

Moreover it claimed many adtech companies operating in the EU have spent the last decade or so devising so-called "blinding methods" which it said obfuscate which app an ad call is coming from.

"Grindr holds that participants in the ad tech ecosystem would likely only receive a 'blinded' app-ID and not the corresponding app name," the DPA explains in the decision. "According to Grindr, it is a common practice in the EU for ad networks to nullify the app name and use a random App ID in the ad call so that downstream bidders are 'blind' to the actual name of the app where the ad is to be served."

However, once again, the DPA points out this is irrelevant -- given sensitive data being passed is enough to trigger Article 9 provisions.

The Datatilsynet's decision also cites a technical report, by Mnemonic, which showed Grindr's app name being shared with MoPub -- "who further shared this within their mediation network". And further notes that Mnemonic's report also showed the app name was shared from Grindr to "multiple other advertising partners".

As if that wasn't enough, Datatilsynet further points out that Grindr's own privacy policy "explicitly states that '[o]ur advertising partners are aware that such data is being transmitted from Grindr'."

So, er,.... 🥴

(NB: In a further demolition of the self-serving notion of 'blinded' app-IDs, the DPA goes on to make the point that even if this were happening as claimed by the adtech industry it still wouldn't comply with other requirements in the GDPR, noting: "Even if some advertising partners or other participants in the ad tech ecosystem would 'blind' themselves or only receive an obfuscated app ID, this is not in line with the principle of accountability in Article 5(2) GDPR. Grindr would have to rely on the action of advertising partners or other participants in the ad tech ecosystem to halt its sharing of the data in question.")

The DPA's analysis goes further in unpicking adtech's obfuscating claims vs what's really being done with people's data vs what EU law actually requires. (So it's well worth reading in full if you're interested in devilish detail.)

The long and short of it is that Datatilsynet found Grindr did process users' sexual orientation data, as set out in Article 9(1) -- by "sharing personal data on a specific user alongside app name or app ID to advertising partners".

And while the GDPR can allow for consent-based processing of special category data a higher bar of "explicit" consent is required for that type of processing to be lawful. Again, the DPA found that Grindr had not obtained the required standard of permission from users.

Its decision further concludes that Grindr users had not "manifestly made public" information about their sexual orientation simply by merit of using the app, as the app had sought to argue (noting, for example, that it allows for an anonymous approach, letting users select a nickname and choose whether or not to upload a selfie).

"At any rate, it goes beyond the reasonable expectations of the data subject that Grindr would disclose information concerning their sexual orientation to advertising partners. Though information about someone merely being a Grindr user must be considered a special category of personal data under Article 9(1), becoming a Grindr user is not an affirmative act by the data subject to make the information public," Datatilsynet adds.

Grindr has been contacted for comment on the sanction.

It has three weeks to lodge an appeal against the decision -- if it wishes to do so.

Datatilsynet's order is careful to specify that there may be additional issues related to Grindr's prior or current consent mechanism since this investigation was limited to the scope of the complaints which were focused on the lawfulness of its previous consent management platform in the app.

"The fact that potential issues have fallen outside the scope of our investigation does not preclude those issues from being investigated in the future," its decision notes.

In a statement commenting on the decision, Ala Krinickytė, a data protection lawyer at noyb, described it as "astonishing that the DPA has to convince Grindr that its users are LGBT+ and that this fact is not a commodity to be bartered".

Krinickytė further summarized the Datatilsynet order thusly: "You cannot share personal data with a potentially unlimited number of partners without being able to control what happens to that data."

And that is really the crux of the problem for surveillance-based advertising which relies upon pervasive tracking of Internet users to individually target marketing.

Even setting aside the existential problem of a lack of consent for tracking, the adtech industry does not have processes in place to control what happens to data once it's grabbed and 'shared' with scores of faceless adtech entities involved in the high velocity programmatic auction process known as real-time bidding (RTB).

GDPR complaints targeting RTB's failure to adequately protect people's data have been sitting, unenforced, on EU regulators' desks for years -- but there are signs that the enforcement blockage is starting to shift, not least as a result of smart, smaller-scale actions such as Norway going after Grindr.

The web of adtech data flows is such a tangled one that even a relative bit player can draw in and implicate scores of others.

The adtech industry's workaround for people's general distaste at being stalked and creeped on through their devices and digital activity, meanwhile, has been to not actually ask for permission to track and profile them in the first place.

But -- in Europe at least -- that mocking 'consent' pantomime is finally headed for its end-game.

Whether the alternative targeting processes the industry devises will be just as cynical, manipulative and exploitative as what they've been doing for the past decade+ will largely depend upon regulators and lawmakers driving proper oversight of a sector that's been allowed to flourish in the dark, rife with dark patterns and defined by its dark arts.

One negative signal is how the IAB Europe continues to try to confuse the issue by conflating ad targeting with invasive tracking -- in a bid to lobby MEPs not to outlaw surveillance-based adtech.

In reality, privacy-safe targeting alternatives already exist (such as contextual ads) and have been profitable for years for companies like DuckDuckGo.

The behavioral advertising industry's lawfulness problem is in fact directly chainlinked to its mass surveillance of Internet users.

Commenting on the Datatilsynet's decision against Grindr in a statement, Finn Myrstad, director of digital policy in the NCC, warned: “This sends a strong signal to all companies involved in commercial surveillance. There are serious repercussions to sharing personal data without a legal basis. We call for the digital advertising industry to make fundamental changes to respect consumers’ rights.”

NB: While Norway is not an EU Member, it is part of the European Economic Area and it transposed the GDPR into national law in 2018. Additionally, Grindr being a US company without a defined legal entity in the EU opens its business to regulatory oversight by DPAs in any part of the bloc which have concerns (and where it offers a service), rather than oversight being funnelled via gatekeepers like Ireland's Data Protection Commission, as has happened with complaints against Google's adtech, for example.


 
