Digital rights nonprofit alleges Grindr violated user privacy laws
TBIT / Pixabay
Digital rights nonprofit alleges Grindr violated user privacy laws

The European Center for Digital Rights (noyb) filed a complaint Thursday against Grindr, alleging that the dating app violated the EU’s General Data Protection Regulation (GDPR).

Noyb noted that users can access Grindr, a dating app for gay, bi, trans and queer people, with only an email and password to share personal and explicit details. Yet users seeking information on how Grindr uses their personal data must take additional steps to confirm their identity. Grindr requires these users “to hold up a piece of paper with their email address, as well as their passport—all while balancing their phone to take a selfie.” Noyb asserts that this additional requirement “is not just absurd, but also a violation of the GDPR.”

To challenge this requirement, noyb filed the complaint on behalf of Grindr user “Hunk_69,” who was denied information on Grindr’s use of his personal data because he failed to authenticate his identity. In its complaint, noyb highlighted the inconsistency in Grindr’s policy for app use and for users’ access to information on their personal data. Though users may remain anonymous when using the app to connect with other users, users seeking access to their data use must “suddenly take off the mask and even show a government issued ID.” Noyb contends that this inconsistency violates Article 5(1)(c) of the GDPR’s principle of data minimization.

Grindr’s privacy policy requires users to provide “limited Personal Data such as email or phone number and date of birth” to protect users’ privacy and security, and that a dedicated security team monitors Grindr’s safety and integrity. Still, the app disclaims that “no method of transmission over the Internet, or method of electronic storage, is fully secure, and Grindr cannot guarantee the security of your Personal Data.” Grindr’s policy also lists several general personal data use purposes, such as to promote services, process purchases, and conduct research.

Regarding the complaint, noyb chair Max Schrems said, “You can see and share even the most intimate pictures on Grindr with just your email and password—only when you want to exercise your GDPR rights, you must strip down and show a government ID.” Schrems added that Grindr’s authentication process requires users to “come out” before they can exercise their rights.

Last year Grindr faced similar allegations when the Norwegian Consumer Council (NCC) accused Grindr of violating the GDPR after an NCC research report found that Grindr shared location and device information with other companies.