Grindr, Tinder and OkCupid apps share personal data, group finds

Grindr is sharing detailed personal data with thousands of advertising partners, allowing them to receive information about users’ location, age, gender and sexual orientation, a Norwegian consumer group said.

Other apps, including popular dating apps Tinder and OkCupid, share similar user information, the group said. Its findings show how data can spread among companies, and they raise questions about how exactly the companies behind the apps are engaging with Europe’s data protections and tackling California’s new privacy law, which went into effect Jan. 1.

Grindr — which describes itself as the world’s largest social networking app for gay, bi, trans and queer people — gave user data to third parties involved in advertising and profiling, according to a report by the Norwegian Consumer Council that was released Tuesday. Twitter Inc. ad subsidiary MoPub was used as a mediator for the data sharing and passed personal data to third parties, the report said.

“Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app,” Austrian privacy activist Max Schrems said. “This is an insane violation of users’ [European Union] privacy rights.”

The consumer group and Schrems’ privacy organization have filed three complaints against Grindr and five ad-tech companies to the Norwegian Data Protection Authority for breaching European data protection regulations.

Match Group Inc.’s popular dating apps OkCupid and Tinder share data with each other and other brands owned by the company, the research found. OkCupid gave information pertaining to customers’ sexuality, drug use and political views to the analytics company Braze Inc., the organization said.

A Match Group spokeswoman said that OkCupid uses Braze to manage communications to its users, but that it only shared “the specific information deemed necessary” and “in line with the applicable laws,” including the European privacy law known as GDPR as well as the new California Consumer Privacy Act, or CCPA.

Braze also said it didn’t sell personal data, nor share that data between customers. “We disclose how we use data and provide our customers with tools native to our services that enable full compliance with GDPR and CCPA rights of individuals,” a Braze spokesman said.

The California law requires companies that sell personal data to third parties to provide a prominent opt-out button; Grindr does not seem to do this. In its privacy policy, Grindr says that its California users are “directing” it to disclose their personal information, and that therefore it’s allowed to share data with third-party advertising companies. “Grindr does not sell your personal data,” the policy says.

The law does not clearly lay out what counts as selling data, “and that has produced anarchy among businesses in California, with each one possibly interpreting it differently,” said Eric Goldman, a Santa Clara University School of Law professor who co-directs the school’s High Tech Law Institute.

How California’s attorney general interprets and enforces the new law will be crucial, experts say. State Atty. Gen. Xavier Becerra’s office, which is tasked with interpreting and enforcing the law, published its first round of draft regulations in October. A final set is still in the works, and the law won’t be enforced until July.

But given the sensitivity of the information they have, dating apps in particular should take privacy and security extremely seriously, Goldman said. Exposing a person’s sexual orientation, for example, could change that person’s life.

Grindr has faced criticism in the past for sharing users’ HIV status with two mobile app service companies. (In 2018 the company announced it would stop sharing this information.)

Representatives for Grindr didn’t immediately respond to requests for comment.

Twitter is investigating the issue to “understand the sufficiency of Grindr’s consent mechanism” and has disabled the company’s MoPub account, a Twitter representative said.

European consumer group BEUC urged national regulators to “immediately” investigate online advertising companies over possible violations of the bloc’s data protection rules, following the Norwegian report. It also has written to Margrethe Vestager, the European Commission executive vice president, urging her to take action.

“The report provides compelling evidence about how these so-called ad-tech companies collect vast amounts of personal data from people using mobile devices, which advertising companies and marketeers then use to target consumers,” the consumer group said in an emailed statement. This happens “without a valid legal base and without consumers knowing it.”

The European Union’s data protection law, GDPR, came into force in 2018 setting rules for what websites can do with user data. It mandates that companies must get unambiguous consent to collect information from visitors. The most serious violations can lead to fines of as much as 4% of a company’s global annual sales.

It’s part of a broader push across Europe to crack down on companies that fail to protect customer data. In January last year, Alphabet Inc.’s Google was hit with a $56-million fine by France’s privacy regulator after Schrems made a complaint about Google’s privacy policies. Before the EU law took effect, the French watchdog levied maximum fines of about $170,000.

The U.K. threatened Marriott International Inc. with a $128-million fine in July following a hack of its reservation database, just days after the U.K.’s Information Commissioner’s Office proposed handing an approximately $240-million penalty to British Airways in the wake of a data breach.

Schrems has for years taken on large tech companies’ use of personal information, including filing lawsuits challenging the legal mechanisms Facebook Inc. and thousands of other companies use to move that data across borders.

He’s become even more active since GDPR kicked in, filing privacy complaints against companies including Amazon.com Inc. and Netflix Inc., accusing them of breaching the bloc’s strict data protection rules. The complaints are also a test for national data protection authorities, who are obliged to examine them.

In addition to the European complaints, a coalition of nine U.S. consumer groups urged the U.S. Federal Trade Commission and the attorneys general of California, Texas and Oregon to open investigations.

“All of these apps are available to users in the U.S. and many of the companies involved are headquartered in the U.S.,” groups including the Center for Digital Democracy and the Electronic Privacy Information Center said in a letter to the FTC. They asked the agency to look into whether the apps have upheld their privacy commitments.

Syed, Drozdiak and Lanxon write for Bloomberg. Hussain is a Times staff writer.