The report also accused ad tech companies of generally serving as go-betweens, particularly Twitter's MoPub. It's used as a "mediator" for Grindr's personal data, the Consumer Council said, passing it along to companies like AT&T's AppNexus and OpenX. They, in turn, reserve rights to share that info with a wide variety of companies. MoPub lists over 160 partners in total -- it's "impossible" for users to offer true consent on how each of those companies uses their data, according to the Consumer Council.

Moreover, most of the apps in the study (including non-dating apps like Muslim - Qibla Finder and the period tracker Clue) don't provide clear info about what you're consenting to or any in-app settings to control what you're sharing. You frequently have to wade through legal documents to understand what's happening, or contact the companies directly to withdraw consent. Grindr and others also tend to use a "mix of legal bases" to handle data collection, making it difficult to know just what methodology is being applied and when.

Accordingly, the Consumer Council and the privacy group Noyb are filing GDPR complaints against Grindr, Twitter, AppNexus, OpenX and two other ad tech firms, AdColony and Smaato. The two privacy advocate groups want to "shift the significant power imbalance" between users and third parties and ensure that people can make "informed choices" about how their data is shared, the Consumer Council's Finn Myrstad said.

The companies involved haven't addressed the individual nuances of the complaint, but unsurprisingly disputed its general premise in statements to the New York Times. OKCupid and Tinder owner Match Group claimed that it honored privacy laws and had contracts ensuring user data security. Grindr said it valued privacy, had protections for personal info and outlined its practices in its privacy policy. Clearly, the report writers disagree -- and the European Union won't care what the companies claim if it finds privacy violations.

Update 1/14 7:10PM ET: Braze unsurprisingly objected to the Consumer Council's findings. It insisted to Engadget that it took users' data privacy and security "very seriously." It also maintained that it honors GDPR and other privacy rules, that its customers are required to follow the law (by posting privacy policies and terms of use) and that it neither sells data nor uses it for anything other than intended purposes. You can read its statement below. However, that's not really the main issue here -- it's that Braze is receiving data customers might not want to share in the first place.