The Norwegian Consumer Council (NCC) has found that various popular apps – including dating apps Tinder, OkCupid, and Grindr – are sharing the personal information of users without their knowledge.

In a report published on its website, the NCC tested 10 apps that were the most popular on Google Play in “certain categories where sensitive category personal data were deemed likely to be processed, such as data about health, religion, children, and sexual preferences.”

“Of the ten apps that were tested, the majority were found to transmit data to unexpected third parties,” said the NCC.

“The data sharing was unexpected because the apps did not clearly inform the user about these third parties upon starting the apps for the first time, and/or when asking the user to consent to data processing. ”

Tinder and OkCupid

The NCC said that Tinder and OkCupid – both of which are owned by Match Group – appear to assume implied consent when a user presses “log in” or “join.”

It added that neither provides any settings within their apps that relate to user privacy or advertising.

Their privacy policies also do not specify which third parties are allowed to receive the personal data of Tinder and OkCupid users.

This means both Tinder and OkCupid fail to meet the requirements of GDPR – which requires that users give “informed and explicit consent.”

According to their respective privacy policies, both Tinder and OkCupid also reserve the right to share data with other Match Group companies.

This means that data collected through the Tinder app, for example, could be used across any of the Match Group’s 45 dating-related businesses.

“The sharing of personal data between Match group subsidiaries is also problematic, and fails to respect the data protection principle of purpose limitation,” said the report.

Grindr

The report highlighted that Grindr has already been the centre of privacy-related controversy in the past when it was discovered that it shared users’ HIV statuses with third-party analytics companies.

Grindr stopped this practice soon after the controversy, but again became the focal point of privacy concerns when security researchers discovered that malicious parties could use Grindr to determine the location of its users.

While the app does require users to accept a privacy policy and terms and conditions, no other information is available within the app regarding how personal information is used.

The Grindr privacy policy says that certain data will be shared with third parties, but this will not include HIV status or sexual preferences.

It also says that any data its partners process is governed by those partners’ privacy policies – but it only provides the name of a single advertising partner, meaning that customers don’t have any way of reading the privacy policies of the other third parties.

The NCC believes that due to how vague its privacy policy is regarding its partners, Grindr is likely in breach of GDPR.

Full findings

The NCC report said most of the apps it tested transmit data to third parties which users are unaware of.

“Sometimes, some of the data sharing is described in the apps’ privacy policy, but these documents are long and complex, and cannot realistically be expected to be read by the consumer,” said the NCC.

The NCC also highlighted that most of the tested apps do not offer any options or settings that allow users to prevent or reduce how much of their data that is shared with third parties.

A table from the report can be viewed below.