Norway’s Data Protection Authority plans to fine the platform 100m Norwegian Crowns, or around 10% of Grindr’s estimated global revenue.
The popular social networking app for lesbian, gay, bisexual, and trans people has until 15 February to respond to the case.
It has yet to reply to the BBC’s request for a comment.
In a statement to the New York Times, a spokesperson for Grindr said it had obtained “valid legal consent from all” of its users in Europe on multiple occasions and was confident its “approach to user privacy is first in class” among social apps.
“We continually enhance our privacy practices in consideration of evolving privacy laws and regulations, and look forward to entering into a productive dialogue with the Norwegian Data Protection Authority,” it added.
“Our preliminary conclusion is that the breaches are very severe,” the Norwegian agency said in a statement.
The data breach was revealed last January, after the Norwegian Consumer Council made three complaints against Grindr for sharing personal information with advertisers.
This included details of users’ locations, age, gender and information that could reveal an individual’s sexuality.
Users could be targeted with this information in countries where homosexuality is illegal, the NCC said at the time.
“If someone finds out that users are gay and knows their movements, they may be harmed,” said Tobias Judin, head of the Norwegian Data Protection Authority’s international department.
“We’re trying to make these apps and services understand that this approach – not informing users, not gaining a valid consent to share their data – is completely unacceptable.”
Europe’s General Data Protection Regulation (GDPR) sets guidelines for the collection, processing and sharing of personal information in the European Union as well as in non-EU Norway.
However, the European Centre for Digital Rights claims the alleged “consent” Grindr obtained was invalid because users were not properly informed, and the consent was not specific enough.
Grindr made use of the app conditional on either consenting to data sharing or paying a subscription fee.
“‘Take it or leave it’ is not consent,” added Ala Krinickytė, data protection lawyer at the European Centre for Digital Rights. “If you rely on unlawful ‘consent’ you are subject to a hefty fine.
“Grindr forwarded user data to potentially hundreds of third parties - it now also has to ensure these ‘partners’ comply with the law.”
Grindr has previously been caught out for its handling of user security.
In October, a vulnerability was revealed through which accounts could be easily hacked with an email address.
And in 2018, it shared the HIV status of users with two external companies.