Grindr faces UK class action for major data breach involving users’ sensitive medical records

Article by

The world’s largest LGBTQ+ social networking and dating app, Grindr, is facing a significant group claim brought by class action specialist law firm Austen Hays on behalf of potentially thousands of UK Grindr users.

The claim, which is being lodged today in the High Court, alleges the misuse of private information of thousands of affected UK Grindr users, including highly sensitive information about their HIV status and latest tested date.

The claim states that Grindr is in breach of UK data protection laws for sharing sensitive data to third parties for commercial purposes without the users’ consent. Information about the users’ ethnicity and data relating to their sex life and/or sexual orientation may have also been shared, according to Austen Hays.

The firm claims these data breaches occurred mainly before 3 April 2018, and between 25 May 2018 and 7 April 2020, although they may extend to further periods.

Grindr was previously fined $6 million by the Norwegian Data Protection Authority in 2021 for data privacy practices that violated the General Data Protection Regulation (GDPR). Grindr appealed that finding, but failed in its attempt, with the final decision issued in September 2023. It was also issued with a reprimand by the UK Information Commissioner’s Office in July 2022, after a finding that it had infringed UK GDPR.

The claim filed today in the English Court states that Grindr unlawfully processed and shared users’ data with third parties, including advertising companies Localytics and Apptimize. This would allow a potentially unlimited number of third parties to target and/or customise advertisements to its users. Austen Hays further claims that these third parties either served the advertisements themselves or acted as “adtech” intermediaries, potentially passing on data to fourth parties.

Additionally, the claim alleges that third and/or fourth parties may have retained some of the shared data for their own purposes after the advertisement had been served. It further alleges that Grindr received payment or commercial benefits from the third and fourth parties with whom it shared users’ personal data as a source of revenue in exchange for such sharing.

Over 670 claimants have already signed up to the claim and Austen Hays is in discussions with thousands of other individuals who are interested in joining the claim. The total number of claimants could be very large, given the size of Grindr’s client base.

If the case succeeds, claimants could receive thousands in damages according to the firm, given the severity of the breach.

Chaya Hanoomanjee, Austen Hays Managing Director and the lawyer leading the claim, said: “Our clients have experienced significant distress over their highly sensitive and private information being shared without their consent, and many have suffered feelings of fear, embarrassment and anxiety as a result.

“Grindr owes it to the LGBTQ+ community it serves to compensate those whose data has been compromised and have suffered distress as a result, and to ensure all its users are safe while using the app, wherever they are, without fear that their data might be shared with third parties.

“Grindr users who think they may be affected by this breach should join the claim so that we can seek redress for them.”

Further background to the claim

The Grindr app was launched on 25 March 2009 in the US, before being disseminated around the world and reaching more than 190 countries. In 2023, there were 13 million monthly active users, making it the most popular LGBTQ+ mobile app in the world.

In February 2018, Norwegian non-profit research organisation SINTEF reported that it had carried out a technical experiment which established the personal data of the app’s users was being shared with advertisers and analytics. This included highly sensitive sexual health data such as individuals’ HIV status and “last tested date”. Data sharing in 2018 was also evidenced via reports from project Exodus which showed that Grindr was sharing data with third party companies including Apptimize and Localytics.

A CNBC article was published in April 2018. The next day, Grindr issued a privacy statement on its website indicating that it would stop sharing HIV data with third parties. This led to a number of complaints to regulatory authorities including the Spanish Data Protection Authority, the Norwegian Data Protection Authority (the “NDPA”) and the Information Commissioner’s Office (the “ICO”) in the United Kingdom.

General Data Protection Regulations (“GDPR”) came into force on 25 May 2018 and 20 July 2018 in the UK and Norway, respectively.

An ICO investigation was conducted from June 2020 into Grindr, resulting in a Reprimand on 26 July 2022 in respect of its processing operations which infringed UK GDPR. The Reprimand detailed five failings made by Grindr in respect of transparency and identified certain steps that Grindr should take to improve its compliance with the GDPR.

In December 2021, the NDPA published its final decision and enforced a record fine of NOK 65,000,000 against Grindr. In its final decision, it found that Grindr had failed to comply with GDPR rules between 20 July 2018 when the GDPR came into force in Norway and 8 April 2020 when Grindr updated its consent management system.