Norway’s data privacy watchdog on Tuesday issued gay dating app Grindr with a notice of intention to fine it NOK 100 million (U.S. $11.7 million) for sharing personal data with third parties without users’ consent.

If the Norwegian Data Protection Authority (DPA) sticks to this figure in its final decision, the penalty will amount to around 10 percent of the company’s estimated global turnover and would mark Norway’s highest fine under the General Data Protection Regulation (GDPR).

The GDPR allows for a maximum fine of 4 percent of global turnover or €20 million—whichever is greater.

In 2020, the Norwegian Consumer Council (NCC) filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data allegedly shared included GPS location, user profile data, and the fact the user in question is on Grindr (which could cause discrimination)—all without gaining consent.

To access the app, users were forced to accept the privacy policy in its entirety and were not asked specifically if they wanted to consent to the sharing of their data with third parties, according to the Norwegian DPA. Furthermore, information about the sharing of personal data was not properly communicated to users.

The NCC detailed these abusive practices and more in an early 2020 report highlighting how popular dating and lifestyle apps were sharing data to drive their revenue streams.

In a statement, Bjørn Erik Thon, director-general of the Norwegian DPA, described the infringements as “serious.”

“Users were not able to exercise real and effective control over the sharing of their data,” he said. “Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law.

“We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR. … An important objective of the GDPR is precisely to prevent take-it-or-leave-it ‘consents.’ It is imperative that such practices cease.”

Grindr has 13.7 million active users worldwide, of which thousands reside in Norway. The data regulator’s investigation was limited to the free version of the Grindr app, as paid subscribers’ details were not shared with marketing companies or other third parties.

Norway’s investigation focused on the consent mechanism in place for users from the date when the GDPR became effective in May 2018 up until April 2020, when Grindr changed its user consent policies. The DPA has not assessed whether the subsequent changes comply with the GDPR.

Grindr has until Feb. 15 to respond to the DPA’s findings. The authority will then make its final decision “as quickly as possible” once it has assessed any comments the company may have.

In a statement, Grindr said: “The allegations from the Norwegian Data Protection Authority date back to 2018 and do not reflect Grindr’s current privacy policy or practices.”

In a blog published Monday, Shane Wiley, Grindr’s chief privacy officer, refuted some of the criticisms made against the company. “Grindr is a location-centric application, so it is understandable that people assume that we’d share your location information with our advertisers. … [T]hat’s a misconception,” he said. Wiley added “precise” location data is not shared so that “accuracy drops sharply below city level detail.” He also said information on age and gender are not shared, and only “basic” personal data is shared with advertisers and other companies.

The NCC has also filed complaints against five of the third parties receiving data from Grindr: MoPub (owned by Twitter), Xandr (formerly known as AppNexus), OpenX Software, AdColony, and Smaato. These investigations are ongoing, though still in their early stages. The Norwegian DPA said “it is difficult to say when they will be concluded” and has hinted there is a possibility not all of them will be handled by itself “for procedural reasons.”

For example, Smaato, whose main European headquarters is in Germany, has already had its case transferred to the Hamburg DPA.