Datatilsynet (Norway) - 20/02136: Difference between revisions

From GDPRhub

Revision as of 16:27, 17 December 2021

Datatilsynet (Norway) - 20/02136-18
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 3(2) GDPR
Article 6(1) GDPR
Article 9 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 13.12.2021
Published: 15.12.2021
Fine: 65000000 NOK
Parties: n/a
National Case Number/Name: 20/02136-18
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Datatilsynet (in EN)
Initial Contributor: n/a

The Norwegian Data Protection Authority imposed a fine of € 6.5 million on Grindr for not complying with the GDPR rules on consent when sharing data from the Grindr app with third parties for profiling and advertising purposes.

English Summary

Facts

In January 2020, the NO DPA received 3 complaints against Grindr from the Norwegian Consumer Council (NCC) in collaboration with noyb regarding the sharing of data between the Grindr app and advertising partners MoPub, Xandr, OpenX Software, Ad Colony and Smaato. The complaint was based on the report 'Out of Control' prepared by the company mnemonic, commissioned by the NCC.

The NCC's inquiry showed that Grindr shared certain categories of personal data with several advertising partners, including advertising ID, IP address, GPS, location, gender, age, device information and app name.

The data was shared through software development kits (SDKs).

Holding

ON TERRITORIAL SCOPE OF THE GDPR

Grindr is established in the US. The NO DPA holds that the GDPR is applicable since the service is provided to users in the EU and Grindr is monitoring its users' behaviour, including movement and location within Norway and the EEA (Article 3(2)(a) and (b) GDPR respectively).

Since there is no establishment of Grindr in the EU, the one-stop-shop mechanism is not applicable.

ON THE PROCESSING OF PERSONAL DATA

The NO DPA considered that since the data shared were associated with/included advertising ID provided by the mobile devices, the data at stake were personal data.

ON THE VALUE OF EDPB GUIDELINES

The NO DPA refers to EDPB Guidelines on consent. It considers that even if not binding, EDPB guidelines cannot be regarded as having no legal effect and DPAs are expected to follow them when enforcing the GDPR in concrete cases.

CONSENT MUST BE FREELY GIVEN

- Consent can only be regarded as freely given if users are given a genuine choice.
- 'Take it or leave it' situations make the consent not free.
- Consent must be granular and cover each specific processing operation, and not a set of them.
- The users were forced to accept the privacy policy to use the app and therefore, consent requests for sharing personal data with advertising partners were bundled with requests for consent for other processing operations and other purposes, despite separate consents being appropriate and practical. This did not give the users a free choice.

MAKING THE PROVISION OF THE SERVICE CONDITIONAL TO PROCESSING

- Sharing Grindr users' personal data with advertising partners for online behavioural advertising purposes was not necessary for the performance of Grindr's services.
- Consequently, gaining access to the Grindr services within the free version of the app was made conditional on “consenting” to sharing personal data with advertising partners for advertising purposes which was not necessary for the performance of Grindr’s services. This indicates that consent was not “freely given”.
- By making it more difficult and time-consuming to refuse consent than to give consent, the controller “nudges” the data subject to consent to the processing operation even if they may not wish to, and it thus deprives the data subject of genuine freedom of choice.
- Consenting to personal data sharing for advertising purposes was two clicks away, while declining required the data subject to take the time to read a lengthy privacy policy. Thus, refusal of consent was a lot more difficult and time-consuming compared to accepting.
- An “opt-out” solution would not meet the requirements for a valid consent, as it would not be an “unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action”.
- The fact that a paid version is offered without sharing of data does not change this conclusion. Among other things, the NO DPA stresses that the paid version was not advertised as a way to opt out of sharing data.
- The NO DPA shares the views of the EDPS and EDPB that data is not a commodity.

CONCLUSION ON FREE CONSENT

Consent cannot be seen as free since:

- Grindr did not allow separate consents to different personal data processing operations despite it being appropriate;
- Access to services in the free version of the app was made conditional on consenting to Grindr sharing personal data with advertising partners despite this not being necessary for the performance of the service; and
- Data subjects could not refuse or withdraw consent without detriment.

CONSENT IS NOT SPECIFIC

Since Grindr did not provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes, the NO DPA concludes that Grindr does not provide a separate opt-in for each purpose.

CONSENT IS NOT INFORMED

- The information Grindr provided on the processing in question was not distinguishable from other matters. The NO DPA's view is that the way Grindr bundled consent with the whole privacy policy does not differ significantly from bundling consent with terms of use in the context of enabling data subjects to make informed decisions and understand what they are agreeing to.
- Grindr did not present the information in an easily accessible form, and it did not enable the data subject to be able to easily determine the consequences of any consent they might give.
- Except for the example of Twitter’s MoPub, there was no information available for the data subject on which recipients or the number of recipients the personal data was disclosed to for the purpose of targeted advertisement.

As a result, consent is not informed.

CONSENT WAS NOT UNAMBIGUOUS

Clicking "accept" on the privacy policy may entail that the user acknowledged the fact that information has been provided. It is therefore not obvious that the users consented to the data processing.

WITHDRAWAL OF CONSENT WAS NOT AS EASY AS TO GIVE CONSENT

While, in the previous version of the CMP, consenting to data sharing was two clicks away, withdrawing consent required reading a long privacy policy and going through the required steps of opting out in the device settings. The only other options to effectively withdraw “consent” were limited to the data subject deleting his or her Grindr account, or going through the necessary steps to upgrade to the paid version of the app. Neither of these options could be considered as easy as giving “consent”, which as mentioned was two clicks away.




English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.