Dating apps leak personal data, Norwegian group says

Joanna Estrada
January 15, 2020

Popular dating apps like Grindr, OkCupid and Tinder are sharing users' intimate details with dozens of advertising and marketing companies in ways that may violate privacy laws, a new study has found. "In the meantime, we have disabled Grindr's MoPub account".

Tech companies have come under increased scrutiny over data privacy, fueled by 2018's Cambridge Analytica scandal in which tens of millions of Facebook profiles were harvested without their users' consent.

"Twitter's MoPub managed data transmissions that included personal data of a Grindr user", according to researchers from Mnemonic, a Norwegian security firm that studied the app and ad tech partners.

At least some of those other businesses, including Braze, say they may pass your information on to additional companies, in what amounts to an invisible chain reaction of data-sharing.

The consumer group and Schrems' privacy organization have filed three complaints against Grindr and five ad-tech companies to the Norwegian Data Protection Authority for breaching European data protection regulations. OkCupid, it found, shared "highly personal data about sexuality, drug use, political views and more" with analytics company Braze.

The California law requires companies that sell personal data to third parties to provide a prominent opt-out button; Grindr does not seem to do this.

Consumer Reports reached out to Grindr and Match Group, which owns OkCupid and Tinder. "We are now investigating this issue to understand the sufficiency of Grindr's consent mechanism", a Twitter spokeswoman said in an e-mail statement. "If the third parties are actually listed, the consumer then has to read the privacy policies of these third parties to understand how they may use the data", the study says. This happens "without a valid legal base and without consumers knowing it".

The Match Group, the company that owns OKCupid and Tinder, said in a statement that privacy was at the core of its business, saying it only shares information to third parties that comply with applicable laws. If Grindr is found to be in violation of GDPR rules, the popular app could face fines totaling up to 4% of the company's global annual revenue.

It's part of a broader push across Europe to crack down on companies that fail to protect customer data. Before the European Union law took effect, the French watchdog levied maximum fines of about $170,000. The report alleges that Grindr does not follow the proper consent procedures to share data with MoPub and its partners OpenX and AppNexus. In the US, there are similar laws to GDPR, like California's Consumer Privacy Protection Act, which regulates how companies collect and sell personal information. Nine civil rights groups, including the American Civil Liberties Union of California, the Electronic Privacy Information Center, Public Citizen and U.S. PIRG sent a letter to the Federal Trade Commission, Congress and state attorneys general of California, Texas and OR asking them to investigate the apps named in the report.

"All of these apps are available to users in the USA and numerous companies involved are headquartered in the US", groups including the Center for Digital Democracy and the Electronic Privacy Information Center said in a letter to the FTC.

In its letter sent Tuesday to the California Attorney General, the ACLU of California argues that the practice described in the Norwegian report may violate the state's new data privacy law, in addition to constituting possible unfair and deceptive practices, which is unlawful in California.

Syed, Drozdiak and Lanxon write for Bloomberg.

Other reports by Click Lancashire

Discuss This Article