Data protection: Class action against Grindr in London

A class action lawsuit against Grindr is pending at the High Court for England and Wales and London. It accuses the dating app of misusing the personal data of thousands of British men. Without the users' consent, Grindr has allegedly shared years of sensitive user data with third parties for commercial purposes, which is a violation of British data protection law.

This was announced by the London law firm Austen Hays, which specialises in class actions. According to the law firm, more than 670 affected men have already registered as plaintiffs, and more can still join the lawsuit. The law firm assumes that, if successful, each plaintiff could receive thousands of pounds in compensation, especially as a large number of third parties may have profited from the data. Users of the free version of the Grindrs app or website between December 2016 and April 2020 are eligible to join the lawsuit.

The plaintiffs refer to a reprimand by the British Data Protection Authority and a fine of 6.5 million euros imposed by the Norwegian Data Protection Authority for violating the General Data Protection Regulation (GDPR). Grindr has announced that it will defend itself vigorously in court and accuses Austen Hays of misrepresenting Grindr's business practices, which were discontinued more than four years ago.

Grindr: "Data never sold"

"Grindr has never passed on user information about their health for 'commercial purposes' and has never monetized such information," the operator of the dating app, which is used by millions of non-heterosexual men every day, told heise online. With this statement, however, Grindr is only referring to one part of the lawsuit, albeit the most controversial.

In April 2018, the Scandinavian institute SINTEF revealed that Grindr had passed on sensitive data from user profiles to Apptimize and Localytics, including email addresses, GPS coordinates, HIV status and details of the last date of an HIV test. Apptimize is dedicated to the further tracking of users for advertising purposes when they switch from an app or website to other online offers. Localytics helps app operators to attract new users and retain existing ones.

Grindr confirmed the data transferat the time, but denied selling the data. The company also promised not to inform Apptimize and Localytics about the HIV status of certain Grindr users from then on. There are no known indications that HIV status has been transmitted since then.

Penalty for disclosure under GDPR

The following month, the General Data Protection Regulation came into force in the European Economic Area (EEA). Nevertheless, Grindr passed on data until 2020 to enable the display of behavioral advertising. This involved GPS coordinates, IP address, age, gender, advertising code and the fact that the user is a Grindr user, which indicates sexual orientation. And such information is particularly strictly protected by the GDPR.

The consent obtained from the data subjects was invalid under the GDPR, as the Norwegian Data Protection Authority (DPA) found at the end of 2021. It therefore imposed a fine of 6.5 million euros, which a Norwegian court confirmed following Grindr's appeal. Whether Grindr has also violated British data protection law will be determined in the damages proceedings now initiated by Austen Hays.

Grindr was launched from California in 2009. From the beginning of 2018, the service was owned by a company in the People's Republic of China. This takeover was reversed by the US authority CFIUS (Committee on Foreign Investment in the United States) the following year. The reason was that Chinese developers were gaining access to the personal data of Grindr users. CFIUS apparently feared that the sensitive data (including HIV status) included information about members of the US military or US services, and that this data would end up in the hands of Chinese services via the Chinese owner.

(ds)