Grindr is sharing personal user data in violation of the EU’s GDPR data protection legislation, a new series of complaints is alleging. The app shares data including location and device information with more than a dozen companies, according to The New York Times. The Norwegian Consumer Council has filed three complaints against Grindr, as well as five adtech companies that received personal data through the app.
Grindr describes itself as “the world’s largest social networking app for gay, bi, trans, and queer people,” and so just sharing the fact that a user has the app installed on their device can give an indication of their sexual orientation. Associating this information with an advertising ID then makes the user identifiable to third-party advertisers and across services, according to the report from the Norwegian Consumer Council.
“The extent of tracking and complexity of the adtech industry is incomprehensible to consumers, meaning that individuals cannot make informed choices about how their personal data is collected, shared and used,” the report says.
One of the adtech companies that Grindr shares data with is Twitter-owned MoPub, which says that it may share user data with over 180 of its partners, according to The New York Times. The company told Bloomberg that it has disabled Grindr’s MoPub account while it investigates.
The Norwegian Consumer Council has filed its GDPR complaint with the Norwegian Data Protection Authority, and the privacy group NOYB has said that it intends to file a complaint of its own with the Austrian Data Protection Authority in the coming weeks.
It’s worth noting that the research focused on the service’s Android app. The report said this was because of Android’s larger user base worldwide, but it noted that Android’s data flows are generally easier to observe and that Google has a closer relationship with the adtech industry than Apple does.
Beyond Grindr, the research also raised concerns about the data sharing practices of other dating apps. Match Group’s OkCupid and Tinder, for example, were found to be sharing data with each other, including information on their users’ sexualities, drug use, and political views, according to Bloomberg. The report says this may break GDPR’s purpose limitation rules.
While it declined to comment on the specifics of the report, Grindr told the NYT that it valued users’ privacy and that it safeguards their personal information. Match Group said it only shared user data that’s necessary for providing its services, and added that it complies with privacy laws.
This isn’t the first time Grindr has faced complaints over the data it collects about its users. In 2018, a separate Norwegian nonprofit discovered that the service was sharing its users’ HIV status with two outside companies. Shortly after the report became public, Grindr said it had put an end to the practice.