Norwegian court upholds €6.5m Grindr fine for data sharing violations

The Borgarting Court of Appeal has dismissed Grindr's appeal against a substantial fine imposed by Norway's Data Protection Authority. On October 21, 2025, the court ruled that the dating app company violated the General Data Protection Regulation (GDPR) by sharing sensitive personal data with advertising partners without obtaining valid user consent.

Court ruling confirms data protection violations

According to the Norwegian Data Protection Authority, Grindr LLC disclosed users' App IDs to advertising partners between July 20, 2018, and April 7, 2020. The App ID revealed that individuals were using the dating application, which the court determined constitutes information about sexual orientation and sexual relationships under Article 9(1) of the GDPR.

The court found that "information about a Grindr user's App ID is both information about 'sexual relations' and information about 'sexual orientation.'" This classification placed the data under special categories of personal data requiring explicit consent.

Grindr markets itself on the App Store as "the world's #1 free dating app serving the LGBTQ community." The application was originally developed for gay men seeking other gay men, though the court acknowledged the platform now serves a broader LGBTQ+ community.

Consent mechanism failed legal requirements

The court examined Grindr's consent solution extensively. Users had to accept the company's privacy policy to access the app, with no option to use the service while declining data sharing. The judges determined this arrangement did not constitute voluntary consent.

"Users at this stage had to choose between either not using the app or accepting Grindr's privacy policy, including the company's disclosure of special categories of personal data," the ruling stated. "Because it was impossible to use the app without consenting to sharing, there was no real freedom of choice."

The privacy policy itself spanned seven and a half pages before December 31, 2019, and grew longer afterward. The court found the document too comprehensive for users to understand they were consenting to data sharing merely by accepting the policy. Information about disclosure was "difficult to access, unclear, incomplete, and partly misleading."

Grindr argued that users could avoid data sharing by upgrading to paid versions of the app or adjusting device settings. The court rejected both arguments. Personal data was shared immediately upon accepting the privacy policy, before users could access paid options. Device-level settings represented passive behavior rather than active consent required under GDPR.

Extensive data sharing with advertising partners

The information Grindr shared included advertising identifiers, IP addresses, device technical specifications, self-reported age and gender, GPS location, and the App ID identifying the data's origin. During the violation period, Grindr had between seven and ten advertising partners.

One partner, MoPub, had 160 partners of its own, including AppNexus, which reserved rights to share information with 4,000 partners. The court found this created "extensive sharing" affecting a large number of users over nearly two years.

Financial penalty deemed appropriate

The Norwegian Data Protection Authority initially imposed a NOK 65 million (approximately €6.5 million) fine on December 24, 2021. The Privacy Appeals Board upheld this decision on September 27, 2023. Oslo District Court affirmed the ruling on July 1, 2024, and now the Borgarting Court of Appeal has dismissed Grindr's final appeal.

According to EDPB Guidelines 04/2022, fines for serious violations should start between 20 and 100 percent of the applicable maximum. The maximum penalty under Article 83(5) of the GDPR is €20 million or four percent of global annual turnover, whichever is higher. The fine imposed on Grindr represents approximately 30 percent of the maximum amount.

The court determined Grindr acted intentionally. "Persons acting on behalf of Grindr were aware of and made a conscious choice regarding what information was shared with advertising partners, the extent of this sharing, and how the consent solution was designed," judges wrote.

Grindr argued the fine was disproportionately high compared to revenue from Norwegian users. The court rejected this argument, noting Article 83(5) focuses on "total global annual turnover" as the key factor.

Industry practice not a mitigating factor

Grindr attempted to defend its practices by claiming they aligned with industry standards during the period in question. The court dismissed this argument, stating that widespread violations "reinforces the need for a fine with a deterrent effect."

The judges found no mitigating circumstances of significance. The company's compliance with the Electronic Communications Act was deemed irrelevant since GDPR specifically regulates sharing personal data with third parties.

Implications for digital advertising

The ruling clarifies important boundaries for consent in digital advertising. Companies cannot condition service access on blanket acceptance of data sharing. Consent must be voluntary, specific, informed, and unambiguous.

For companies headquartered outside the European Economic Area, the decision confirms that each EEA country may impose separate fines for violations within its jurisdiction. Grindr is not covered by the "one-stop shop" mechanism in Articles 56 and 60 of GDPR that would designate a single lead supervisory authority.

The court emphasized that even indirect disclosure of sexual orientation qualifies as processing special categories of personal data. Marketing an app to specific communities creates reasonable inferences about users' characteristics that trigger heightened protection requirements.

Timeline

• March 2009: Grindr app launches as location-based dating platform for gay men
• July 20, 2018: Period of alleged GDPR violations begins
• January 14, 2020: Norwegian Consumer Council files complaints against Grindr based on data sharing reports
• April 7, 2020: Grindr implements new consent solution; violation period ends
• January 24, 2021: Norwegian Data Protection Authority issues notice of administrative fine
• December 24, 2021: Data Protection Authority imposes NOK 65 million fine
• September 27, 2023: Privacy Appeals Board upholds decision
• July 1, 2024: Oslo District Court affirms ruling
• August 12-14, 2025: Borgarting Court of Appeal holds appeal hearing
• October 21, 2025: Appeals court dismisses Grindr's appeal

Summary

Who: Grindr LLC, an American company operating a location-based dating app primarily serving the LGBTQ community, faced action from Norway's Data Protection Authority.

What: The company was fined NOK 65 million for sharing sensitive personal data (App IDs revealing sexual orientation) with advertising partners without obtaining valid user consent under GDPR requirements.

When: The violations occurred between July 20, 2018, and April 7, 2020. The appeals court issued its final ruling on October 21, 2025.

Where: The case proceeded through Norwegian courts, beginning with the Data Protection Authority, moving through the Privacy Appeals Board and Oslo District Court, and concluding at the Borgarting Court of Appeal.

Why: Grindr's consent mechanism failed GDPR requirements because users could not access the app without accepting data sharing, the privacy policy was overly complex, and the company shared information with numerous advertising partners who further distributed the data without explicit user authorization.