Dating app accused of flouting GDPR law by passing personal data to ad firms but report says problem is endemic

Twitter has suspended Grindr from its ad platform after a study claimed the dating app was passing significant amounts of private information to advertisers without explicit consent from users.

The study, carried out by the Norwegian Consumer Council (NCC), found that the online advertising industry was “systematically breaking the law”, transmitting personal data and tracking users in ways that are banned under the GDPR, the EU’s data law.

Of the 10 apps examined in depth by the NCC, which included period trackers and dating apps, Grindr stood out as being significantly problematic. The council said the app had such a “vague” privacy policy that it was probably in breach of GDPR, particularly concerning how the company tried to excuse itself from misuse of data by advertising partners.

Grindr told users that they needed to check with partners to find out how their data was used, but only named one such partner, MoPub, an ad network owned by Twitter. MoPub, in turn, lists more than 160 partners to which data may be passed.

“By stating that it does ‘not control the use of these tracking technologies’, and by asking users to read the privacy policies of any third-party companies that may receive personal data, Grindr is attempting to shift accountability for the advertising technologies that it is using away from itself,” the report concluded.

Max Schrems, founder of the European privacy non-profit organisation Noyb, told the NCC: “Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app. This is an insane violation of users’ EU privacy rights.”

Following the publication of the report, the council filed formal complaints of GDPR breaches against Grindr and MoPub, as well as four other ad tech firms.

Twitter said it would investigate the allegations that Grindr provided data with inadequate consent, and suspended the app from MoPub. “We are currently investigating this issue to understand the sufficiency of Grindr’s consent mechanism,” Twitter said. “In the meantime, we have disabled Grindr’s MoPub account.”

Every app assessed had some privacy problems, however, leading the report’s authors to conclude that the problem was endemic. “Because of the scope of tests, size of the third parties that were observed receiving data and popularity of the apps, we regard the findings from these tests to be representative of widespread practices.”

The tests, which were carried out on Android devices, showed that every single app shared data with third parties. Eight of the 10 also shared data with Google’s ad service, while nine of them shared data with Facebook.

“We urge data protection authorities to enforce the GDPR,” the NCC concluded, “and for advertisers and publishers to look toward alternative digital advertising methods that respect fundamental rights.”

Finn Myrstad, the NCC’s digital policy director, told the New York Times, which first reported the study: “Any consumer with an average number of apps on their phone – anywhere between 40 and 80 apps – will have their data shared with hundreds or perhaps thousands of actors online.”

A Grindr spokesperson said: “User privacy and data security is, and always will be, a high priority for Grindr. Examples of this commitment include sharing our revised privacy policy in its entirety to every Grindr user in order to gain their consent and provide even greater transparency about Grindr’s privacy-forward practices.

“In addition, Grindr is currently implementing an enhanced consent management platform with OneTrust to provide users with additional in-app control regarding their personal data. As always, Grindr users have individual control over exactly what information they choose to provide in their profiles. We have also further enhanced our information security policy as part of our ongoing commitment to safeguard our users’ data.

“So while we reject a number of the report’s assumptions and conclusions, we welcome the opportunity to be a small part in a larger conversation about how we can collectively evolve the practices of mobile publishers and continue to provide users with access to an option of a free platform. As the data protection landscape continues to change, our commitment to user privacy remains steadfast.”