Grindr: the fact of being there¶
In December 2021 Norway’s data protection authority, Datatilsynet, fined Grindr NOK 65 million, about €6.5 million, for sharing its users’ data with advertisers without valid consent. Grindr appealed, and in 2025 the Borgarting Court of Appeal upheld the fine.
What was shared¶
Between the GDPR taking effect in 2018 and a consent redesign in April 2020, Grindr passed to its advertising partners a bundle that included GPS location, IP address, the device’s advertising identifier, age, and gender. It also passed the plainest fact of all: that the person was a Grindr user. On an app for gay, bi, and trans people, that single fact is an inference about sexual orientation, which the GDPR treats as a special category needing stricter protection. Nothing had to be labelled sensitive for a sensitive conclusion to travel.
Why the consent did not count¶
The authority found that the consent Grindr collected was not freely given. Using the app was conditioned on accepting the advertising sharing, the choices were bundled rather than separable, and a person could not reasonably refuse the tracking while still using the service. Consent gathered on those terms is not the legal basis the sharing needed.
The pattern¶
This is the inferred protected trait made concrete. The defence that a firm only shared an app name, not a sworn statement of orientation, does not survive contact with what the app is for. Being on the list was the disclosure.
Last reviewed: 2026-07-16.