Norway nonprofit alleges Grindr shared personal user data with ad companies in violation of EU rules

The Norwegian Consumer Council, a nonprofit organization, released a report Tuesday alleging that dating app Grindr is in violation of the EU’s General Data Protection Regulation (GDPR). The group has filed formal complaints against Grindr and five ad companies with the Norwegian Data Protection Authority (DPA).

The tests revealed that Grindr shares location and device information with several different companies, and the organization notes that simply sharing the fact that a user has the app installed on their device could potentially reveal that user’s sexual orientation, given that Grindr advertises itself as “the world’s largest social networking app for gay, bi, trans, and queer people.” Grindr also shares a user’s advertising ID, which is a unique identifier attached to a mobile phone and can be used to track users across different services.

While Grindr’s privacy policy informs users that the app shares some user data including the advertising ID with third parties, how that data is processed by those parties is governed by the third parties’ own privacy policies. The report accuses Grindr of “attempting to shift accountability for the advertising technologies that it is using away from itself” when it asks users to read through the policies of all the parties that may receive that data. For example, Grindr lists Twitter’s MoPub as an advertising partner, and encourages users to read the policies of MoPub’s partners, but MoPub itself has over 160 partners, “which clearly makes it impossible for users to give an informed consent to how each of these partners may use personal data.”

The complaints allege that the consent Grindr collects from users is not valid consent under the GDPR, and that all the data processing conducted by Grindr and the ad companies is therefore unlawful. The complaints request a full investigation, the erasure of all unlawfully processed personal data, and the imposition of the maximum possible fine under GDPR against the companies involved.

Another European data privacy advocate, noyb, announced that it plans to file similar complaints with the Austrian DPA within the next few weeks.