The European Center for Digital Rights (noyb) filed a complaint Thursday against Grindr, alleging that the dating app violated the EU’s General Data Protection Regulation (GDPR).
Noyb noted that users can access Grindr, a dating app for gay, bi, trans and queer people, with only an email and password to share personal and explicit details. Yet users seeking information on how Grindr uses their personal data must take additional steps to confirm their identity. Grindr requires these users “to hold up a piece of paper with their email address, as well as their passport—all while balancing their phone to take a selfie.” Noyb asserts that this additional requirement “is not just absurd, but also a violation of the GDPR.”
To challenge this requirement, noyb filed the complaint on behalf of Grindr user “Hunk_69,” who was denied information on Grindr’s use of his personal data because he failed to authenticate his identity. In its complaint, noyb highlighted the inconsistency in Grindr’s policy for app use and for users’ access to information on their personal data. Though users may remain anonymous when using the app to connect with other users, users seeking access to their data use must “suddenly take off the mask and even show a government issued ID.” Noyb contends that this inconsistency violates Article 5(1)(c) of the GDPR’s principle of data minimization.
Regarding the complaint, noyb chair Max Schrems said, “You can see and share even the most intimate pictures on Grindr with just your email and password—only when you want to exercise your GDPR rights, you must strip down and show a government ID.” Schrems added that Grindr’s authentication process requires users to “come out” before they can exercise their rights.
Last year Grindr faced similar allegations when the Norwegian Consumer Council (NCC) accused Grindr of violating the GDPR after an NCC research report found that Grindr shared location and device information with other companies.