The Norwegian Consumer Council, a nonprofit organization, released a report Tuesday alleging that dating app Grindr is in violation of the EU’s General Data Protection Regulation (GDPR). The group has filed formal complaints against Grindr and five ad companies with the Norwegian Data Protection Authority (DPA).
The tests revealed that Grindr shares location and device information with several different companies, and the organization notes that simply sharing the fact that a user has the app installed on their device could potentially reveal that user’s sexual orientation, given that Grindr advertises itself as “the world’s largest social networking app for gay, bi, trans, and queer people.” Grindr also shares a user’s advertising ID, which is a unique identifier attached to a mobile phone and can be used to track users across different services.
The complaints allege that the consent Grindr collects from users is not valid consent under the GDPR, and that all the data processing conducted by Grindr and the ad companies is therefore unlawful. The complaints request a full investigation, the erasure of all unlawfully processed personal data, and imposition of the maximum possible fine under GDPR against the companies involved.
Another European data privacy advocate, noyb, announced that it plans to file similar complaints with the Austrian DPA within the next few weeks.