Norway’s data protection authority has notified gay dating app Grindr that it intends to impose a financial penalty of NOK100m ($11.7m, €9.65m) on the company for breaching consent requirements under the General Data Protection Regulation (GDPR).

“In this case, we are warning of a high violation fee because our preliminary conclusion is that the breaches are very serious,” said Datatilsynet’s director Bjorn Erik Thon.

“Grindr has 13.7m active users, of which several thousand are in Norway. These people have had their personal information illegally shared with many third parties.”

The case arose when Norway’s Consumer Council last year complained to the DPA that Grindr, a dating app primarily for gay and bisexual men, and transgender people, shared users’ personal data with advertising partners in its app’s free version. Those third parties may potentially share the information further, according to the DPA.

Users were not specifically asked if they would consent to disclosure to third parties, and information about the disclosure of personal information was not clear or accessible enough to users. “We believe this is contrary to the consent requirements in the GDPR,” Datatilsynet said.

Thon added: “Users were not allowed to exercise real control over the disclosure of their own personal information. Business models that involve forcing the user to agree to something, and without explaining well what they agree to, are not in line with the law.”

The DPA’s preliminary conclusion is that Grindr needs consent to share such personal data. It also regards Grindr as dealing with a special category of sensitive personal information because use of the app says something about a person’s sexual orientation.

In a blog post published on Monday night, Shane Wiley, Chief Privacy Officer of Grindr, sought to allay the concerns.

He said the company does not share users’ data about their precise location, age or gender with advertisers.

Wiley said: “We share the basics and only the basics: the mobile advertising ID (MAID) of the device (which users have full control over within their mobile operating system), IP Address (needed to communicate with the user’s device), and device details like make, model and operating system version.”

Grindr has until 15 February to submit comments on the notice of fine before the DPA makes a final decision.

The Consumer Council’s complaint also mentioned five associated companies for breaches of privacy laws: MoPub (owned by Twitter), Xandr (formerly AppNexus), OpenX Software, AdColony and Smaato. Those cases are still being processed by Datatilsynet.