The Norwegian Data Protection Authority (DPA) on Wednesday announced a fine of NOK 65 million (U.S. $7.2 million) against gay dating app Grindr for sharing personal data with third parties without users’ consent.

The penalty represents a 35 percent reduction from the NOK 100 million (then-U.S. $11.7 million) fine the agency announced in January it intended to impose on Grindr. The Norwegian DPA (Datatilsynet) cited the company’s financial situation and the changes it has since made to its consent management platform as factors contributing to the reduction.

Still, the fine is by far the largest handed down by the Norwegian DPA under the EU’s General Data Protection Regulation (GDPR) since the privacy law took effect in May 2018.

“We have imposed a fine of a high amount against Grindr as we consider the infringements of the GDPR in this case to (be) grave,” the agency stated in a press release. “Thousands of users in Norway have had their personal data shared unlawfully for the commercial interests of Grindr, including GPS location and the fact that the users in question were on Grindr.”

Grindr Chief Privacy Officer Shane Wiley indicated in an emailed statement the company is considering appealing the fine. It has three weeks to do so, barring an extension.

The details: In 2020, the Norwegian Consumer Council (NCC) filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data allegedly shared included GPS location, user profile data, and the fact the user in question is on Grindr (which could cause discrimination)—all without gaining consent.

To access the app, users were forced to accept the privacy policy in its entirety and were not asked specifically if they wanted to consent to the sharing of their data with third parties, according to the Norwegian DPA. Further, information about the sharing of personal data was not properly communicated to users.

“Our conclusion is that Grindr has disclosed user data to third parties for behavioral advertisement without a legal basis,” said Tobias Judin, head of the Norwegian DPA’s International department.

Grindr changed how it requests user consent in April 2020, according to the agency. The Norwegian DPA said it has yet to assess whether the new mechanism complies with the GDPR.

“We strongly disagree with Datatilsynet’s reasoning, which concerns historical consent practices from years ago, not our current consent practices or privacy policy,” said Wiley of the fine decision. “Even though Datatilsynet has lowered the fine compared to their earlier letter, Datatilsynet relies on a series of flawed findings, introduces many untested legal perspectives, and the proposed fine is therefore still entirely out of proportion with those flawed findings.”

The Norwegian DPA indicated further orders against Grindr could come in line with a request from the NCC to have the app erase all illegally processed personal data it might still have.