Grindr is sharing detailed personal data with thousands of advertising partners, allowing them to receive information about users’ location, age, gender and sexual orientation, a Norwegian consumer group said.
The service -- described as the world’s largest social networking app for gay, bi, trans, and queer people -- gave user data to third parties involved in advertising and profiling, according to a report by the Norwegian Consumer Council that was released Tuesday. Twitter Inc. ad subsidiary MoPub was used as a mediator for the data sharing and passed personal data to third parties, the report said.
“Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app,” said Austrian privacy activist Max Schrems. “This is an insane violation of users’ EU privacy rights.”
The consumer group and Schrems’s privacy organization have filed three complaints against Grindr and five adtech companies to the Norwegian Data Protection Authority for breaching European data protection regulations. Schrems’s group Noyb will file similar complaints with the Austrian DPA in the coming weeks, according to the statement.
Match Group Inc.’s popular dating apps OkCupid and Tinder LLC share data with each other and other brands owned by the company, the research found. OkCupid gave information pertaining to customers’ sexuality, drug use and political views, to the analytics company Braze Inc., the organization said.
In a statement, Grindr said “while we reject a number of the report’s assumptions and conclusions, we welcome the opportunity to be a small part in a larger conversation about how we can collectively evolve the practices of mobile publishers and continue to provide users with access to an option of a free platform.”
A spokeswoman for Match Group said OkCupid uses Braze to manage communications to its users, but that it only shared “the specific information deemed necessary” and “in line with the applicable laws including GDPR and CCPA.” Braze also said it didn’t sell personal data, nor share it between customers. Twitter is investigating the issue to “understand the sufficiency of Grindr’s consent mechanism” and has disabled the company’s MoPub account, a representative said.
European consumer group BEUC urged national regulators to “immediately” investigate online advertising companies over possible violations of the bloc’s data protection rules, following the Norwegian report. It’s also written to European Commission executive vice-president Margrethe Vestager to take action.
“The report provides compelling evidence about how these so-called ad-tech companies collect vast amounts of personal data from people using mobile devices, which advertising companies and marketeers then use to target consumers,” BEUC said in an emailed statement. This happens “without a valid legal base and without consumers knowing it.”
The European Union’s data protection law, GDPR, came into force in 2018 setting rules for what websites can do with user data. It mandates that companies must get unambiguous consent to collect information from visitors. The most serious violations can lead to fines of as much as 4% of a company’s global annual sales.
It’s part of a broader push across Europe to crack down on companies that fail to protect customer data. In January last year, Alphabet Inc.’s Google received a fine of 50 million euros ($56 million) from France’s privacy regulator following a complaint by Schrems over the company’s privacy policies. Prior to GDPR, the French watchdog levied maximum fines of 150,000 euros.
The U.K. threatened Marriott International Inc. with a 99 million-pound ($128 million) fine in July following a hack of its reservation database, just days after the U.K.’s Information Commissioner’s Office proposed handing a 183.4 million-pound penalty to British Airways in the wake of a data breach.
Schrems has for years taken on large tech companies’ use of personal information, including filing lawsuits challenging the legal mechanisms Facebook Inc. and thousands of other companies use to move that data across borders.
He’s become even more active since GDPR kicked in, filing privacy complaints against companies including Amazon.com Inc. and Netflix Inc., accusing them of breaching the bloc’s strict data protection rules. The complaints are also a test for national data protection authorities, who are obliged to examine them.
In addition to the European complaints, a coalition of nine U.S. consumer groups urged the U.S. Federal Trade Commission and the attorneys general of California, Texas and Oregon to open investigations.
“All of these apps are available to users in the U.S. and many of the companies involved are headquartered in the U.S.,” groups including the Center for Digital Democracy and the Electronic Privacy Information Center said in a letter to the FTC. They asked the agency to look into whether the apps have upheld their privacy commitments.
— With assistance by Stephanie Bodoni, and Ben Bro