Study says Grindr, OkCupid, and Tinder breach GDPR

The researchers behind the study have also filed a complaint asking for Norwegian regulators to start an investigation against the dating service.
Written by Campbell Kwan, Contributor

Dating apps Grindr, OkCupid, and Tinder are allegedly spreading user information like sexual preferences, behavioural data, and precise location to advertising companies in ways that may violate privacy laws, according to a study conducted by the Norwegian Consumer Council (NCC).

The study tracked the activity of 10 popular apps during the period June to November 2019 in order to identify howpersonal data is transmitted from these apps to commercial third parties.

The apps tested include the dating apps Grindr, Happn, OkCupid, and Tinder; the period tracker apps Clue and MyDays; the makeup app Perfect; the religious app Muslim: Qibla Finder; the children's app My Talking Tom 2; and the keyboard app Wave Keyboard.

See also: Russia says Tinder must share user data, private messages    

The ten apps were chosen for the study as they were the most popular apps on Google Play at the time in "certain categories where sensitive category personal data were deemed likely to be processed, such as data about health, religion, children, and sexual preferences". 

Only the Android versions of these apps were tested, with NCC explaining that this was due to Android being the largest mobile operating system worldwide, in addition to Google being a key player in the ad tech industry.

Following testing, a majority of the ten apps were found to transmit data to "unexpected third parties", with users not being clearly informed about where their information was being sent, and how it was being used. 

The study also found that Grindr was among the apps with the most glaring privacy issues as it failed to do the following: Share clear information regarding the way it shares data with non-service provider third parties; share clear information about how user data is used for targeted ads; and provide in-app options to reduce data sharing with third parties. 

Image: The Norwegian Consumer Council

When analysing the data flow from the Grindr app, the researchers observed the Twitter-owned company MoPub acted as a mediation network, which facilitated personal data transmissions to other third parties, who then used the data to determine whether they wanted to purchase advertisements directed toward Grindr users. 

According to the study, MoPub's advertising partners could also potentially distribute that user data to other companies under certain situations despite not receiving explicit consent from Grindr's users. For example, one of MoPub's partners, AppNexus, could potentially provide data such as users' IP addresses and advertising IDs to other companies such as its parent entity AT&T to sell and target ads, the study said. 

"AT&T can use the data from the online tracking industry in combination with first-party data from its TV boxes, in order further to refine its targeted advertising," it added.

Privacy-wise, Grindr encourages users to read the privacy policy from MoPub; meanwhile, MoPub's privacy policy recommends that consumers read the privacy policies of the company's 160 partners in order to understand how their personal data may be used. 

According to the study, although MoPub claims to rely on consent in order to process personal data, its partners do not necessarily use consent as a legal basis. This means that if a consumer wants to withdraw their consent from MoPub, the partners may choose not to respect this withdrawal. Thus, the consumer would have to track down each of those partners to ensure their data is not shared. 

"This is clearly an impossible task for anyone, illustrating the lack of consumer control when data is being shared widely across the adtech industry," the study said.

And where the consumers do have control, such as from opting out of location data tracking by changing their device settings or by not giving apps access to location data, the study said MoPub's advertising partners like AppNexus could still infer a user's location based on their IP address.

The NCC argues, through the study's findings, that there are widespread breaches of Europe's General Data Protection Regulation (GDPR), especially given that key principles of that EU framework -- such as data protection by design and default -- are not present in a majority of the apps tested. 

With consent being a core component of the GDPR's application of data protection, the study added that the language of ad tech companies' privacy policies were often "incomprehensible" with "questionable legal basis".

Under the GDPR, the legal concept of consent requires that users receive clear and easily understandable information about what they are consenting to. Consent also needs to be explicit and freely, meaning that "users must actively opt in, rather than having to jump through hoops to opt out of data sharing", the study said. 

"In the cases described in this report, none of the apps or third parties appear to fulfil the legal conditions for collecting valid consent," it writes. 

In response to the study's findings, the Norwegian group has since filed complaints asking for domestic regulators to undertake investigations into Grindr and five ad tech companies [PDF] for possible violations of the European data protection law.

If the companies are found to be in breach of the GDPR, they could face fines of up to 4% of their global revenue. 

"The multitude of violations of fundamental rights are happening at a rate of billions of times per second, all in the name of profiling and targeting advertising," the NCC writes in the study's conclusion.

"It is time for a serious debate about whether the surveillance-driven advertising systems that have taken over the internet, and which are economic drivers of misinformation online, is a fair trade-off for the possibility of showing slightly more relevant ads."

In 2018, another Norwegian nonprofit group found that Grindr had shared users' HIV status with the third party analytics companies Apptimize and Localytics. Grindr subsequently announced that it had stopped the practice.

Related Coverage

These are the worst hacks, cyberattacks, and data breaches of 2019

A slew of hacks, data breaches, and attacks tainted the cybersecurity landscape in 2019.

Four major dating apps expose precise locations of 10 million users

Updated: In some countries, such lax security can be of real risk to a user's personal safety.

Ashley Madison: A honeypot for people who had something to hide

OPINION: If Ashley Madison was a honeypot for people who had something to hide, its breach reveals a harsh reality about websites who safeguard our secrets.

Tantan dating app removed from Chinese app stores

Tantan, the Chinese dating app which bore a high resemblance to Tinder, had more than 20 million monthly active users in mid-2018.

Crowdsourcing answers: Social search as a threat to the Google algorithm (TechRepublic)

Enquire is the latest Q&A app that appeals to human curiosity. We look at what apps like this mean for the future of social searching, Google searching, and the sharing economy.

Editorial standards