Grindr has been fined 100m krone (£8.6m) by the Norwegian Data Protection Authority after an investigation revealed the dating app was sharing deeply personal information with advertisers, including location, sexual orientation and mental health details.

The fine is 10% of Grindr’s global annual revenue and is particularly high because of the personal nature of the information shared.

“This is a milestone in the ongoing work to ensure that consumers’ privacy is protected online. The Data Protection Authority has clearly established that it is unacceptable for companies to collect and share personal data without users’ permission,” said Finn Myrstad, the director of digital policy in Norway’s Consumer Council (NCC).

In 2019, the NCC launched a study of the data practices of 10 apps, including period trackers and dating services. At the time, it found that Grindr stood out for the lack of information contained in its privacy policy: the company told users that they needed to check with advertising partners to find out how their data was used, but only listed one such partner, MoPub, an ad network owned by Twitter. Twitter dropped Grindr soon after.

Grindr argued that sexual orientation, a specially protected category of data, was not exposed by selling its users’ data, since some of them may be straight. That argument was rejected by the Norwegian authorities, who noted that the app explicitly markets itself as “exclusively for the gay/bi community”.

Max Schrems, the chairman of consumer rights group noyb, which supported the case, said the claim was “rather remarkable”. “An app for the gay community, that argues that the special protections for exactly that community actually do not apply to them, is rather remarkable. I am not sure if Grindr’s lawyers have really thought this through.”

Ala Krinickytė, a data protection lawyer at noyb, said the fine also set a precedent for companies, establishing that simple “take it or leave it” terms of service were not sufficient to claim user consent. “The message is simple: ‘take it or leave it’ is not consent. If you rely on unlawful ‘consent’ you are subject to a hefty fine. This does not only concern Grindr, but many websites and apps.

“We do not expect any successful objection by Grindr. However, more fines may be in the pipeline for Grindr as it lately claims an unlawful ‘legitimate interest’ to share user data with third parties – even without consent. Grindr may be bound for a second round.”

Last June, Grindr attempted to blunt controversy over a different use of user data, after the company committed to removing an “ethnicity filter” from its app to mark its support for the Black Lives Matter movement. The company had long defended the feature, which allowed users to filter out people of particular ethnic backgrounds from their search results, even though the company’s head of communications said as far back as 2018 that the option “does promote racist behaviour in the app”.

Grindr said: “Grindr is confident that our approach to user privacy is first-in-class among social applications with detailed consent flows, transparency, and control provided to all of our users. For example, Grindr has retained valid legal consent from all of our EEA users on multiple occasions. We most recently required all users to provide consent (again) in late 2020 to align with the GDPR Transparency and Consent Framework (TCF) version 2 which was developed by the IAB EU in consultation with the UK ICO.

“The allegations from the Norwegian Data Protection Authority date back to 2018 and do not reflect Grindr’s current Privacy Policy or practices. We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority.”