© Photographer: Leon Neal/Getty Images Europe LONDON, ENGLAND - NOVEMBER 24: The "Grindr" app logo is seen amongst other dating apps on a mobile phone screen on November 24, 2016 in London, England. Following a number of deaths linked to the use of anonymous online dating apps, the police have warned users to be aware of the risks involved, following the growth in the scale of violence and sexual assaults linked to their use. (Photo by Leon Neal/Getty Images)

(Bloomberg) --

Grindr is sharing detailed personal data with thousands of advertising partners, allowing them to receive information about users’ location, age, gender and sexual orientation, a Norwegian consumer group said.

The service -- described as the world’s largest social networking app for gay, bi, trans, and queer people -- gave user data to third parties involved in advertising and profiling, according to a report by the Norwegian Consumer Council that was released Tuesday. Twitter Inc. ad subsidiary MoPub was used as a mediator for the data sharing and passed personal data to third parties, the report said.

“Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app,” said Austrian privacy activist Max Schrems. “This is an insane violation of users’ EU privacy rights.”

The consumer group and Schrems’s privacy organization have filed three complaints against Grindr and five adtech companies to the Norwegian Data Protection Authority for breaching European data protection regulations. Schrems’s group Noyb will file similar complaints with the Austrian DPA in the coming weeks, according to the statement.

Match Group Inc.’s popular dating apps OkCupid and Tinder LLC share data with each other and other brands owned by the company, the research found. OkCupid gave information pertaining to customers’ sexuality, drug use and political views, to the analytics company Braze Inc., the organization said.

In a statement, Grindr said “while we reject a number of the report’s assumptions and conclusions, we welcome the opportunity to be a small part in a larger conversation about how we can collectively evolve the practices of mobile publishers and continue to provide users with access to an option of a free platform.”

A spokeswoman for Match Group said OkCupid uses Braze to manage communications to its users, but that it only shared “the specific information deemed necessary” and “in line with the applicable laws including GDPR and CCPA.” Braze also said it didn’t sell personal data, nor share it between customers. Twitter is investigating the issue to “understand the sufficiency of Grindr’s consent mechanism” and has disabled the company’s MoPub account, a representative said.

European consumer group BEUC urged national regulators to “immediately” investigate online advertising companies over possible violations of the bloc’s data protection rules, following the Norwegian report. It’s also written to European Commission executive vice-president Margrethe Vestager to take action.

“The report provides compelling evidence about how these so-called ad-tech companies collect vast amounts of personal data from people using mobile devices, which advertising companies and marketeers then use to target consumers,” BEUC said in an emailed statement. This happens “without a valid legal base and without consumers knowing it.”

The European Union’s data protection law, GDPR, came into force in 2018 setting rules for what websites can do with user data. It mandates that companies must get unambiguous consent to collect information from visitors. The most serious violations can lead to fines of as much as 4% of a company’s global annual sales.

Where Tech Giants Are Getting Slapped Over Privacy: QuickTake

It’s part of a broader push across Europe to crack down on companies that fail to protect customer data. In January last year, Alphabet Inc.’s Google received a fine of 50 million euros ($56 million) from France’s privacy regulator following a complaint by Schrems over the company’s privacy policies. Prior to GDPR, the French watchdog levied maximum fines of 150,000 euros.

The U.K. threatened Marriott International Inc. with a 99 million-pound ($128 million) fine in July following a hack of its reservation database, just days after the U.K.’s Information Commissioner’s Office proposed handing a 183.4 million-pound penalty to British Airways in the wake of a data breach.

Schrems has for years taken on large tech companies’ use of personal information, including filing lawsuits challenging the legal mechanisms Facebook Inc. and thousands of other companies use to move that data across borders.

He’s become even more active since GDPR kicked in, filing privacy complaints against companies including Amazon.com Inc. and Netflix Inc., accusing them of breaching the bloc’s strict data protection rules. The complaints are also a test for national data protection authorities, who are obliged to examine them.

In addition to the European complaints, a coalition of nine U.S. consumer groups urged the U.S. Federal Trade Commission and the attorneys general of California, Texas and Oregon to open investigations.

“All of these apps are available to users in the U.S. and many of the companies involved are headquartered in the U.S.,” groups including the Center for Digital Democracy and the Electronic Privacy Information Center said in a letter to the FTC. They asked the agency to look into whether the apps have upheld their privacy commitments.

(Updates with FTC complaint from U.S. consumer groups in last two paragraphs)

--With assistance from Stephanie Bodoni and Ben Brody.

To contact the reporters on this story: Sarah Syed in London at ssyed35@bloomberg.net;Natalia Drozdiak in Brussels at ndrozdiak1@bloomberg.net;Nate Lanxon in London at nlanxon@bloomberg.net

To contact the editors responsible for this story: Giles Turner at gturner35@bloomberg.net, Amy Thomson

For more articles like this, please visit us at bloomberg.com

©2020 Bloomberg L.P.