GDPR Breach Report Among Social Dating Apps Including Grindr

In Norway, a General Data Protection Regulation (GDPR) complaint has been registered against LGBTQ+ social networking app Grindr and a number of online advertising and dating companies.

The Norwegian Consumer Council (NCC) received the complaints, which claim that these companies have been obtaining and improperly using personal data in contravention of the GDPR.

“These practices are out of control and in breach of European data protection legislation. The extent of tracking makes it impossible for us to make informed choices about how our personal data is collected, shared and used. This massive commercial surveillance is systematically at odds with our fundamental rights and can be used to discriminate, manipulate and exploit us. The widespread tracking also has the potential to seriously degrade consumer trust in digital services,” said Finn Myrstad, director of digital policy at the Norwegian Consumer Council.

The complaints refer to concerns that Grindr, a social networking dating app created for homosexual men, has been gathering personal data for the purpose of targeted advertising. Other complaints were also submitted against five advertising companies, including Twitter’s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato.

Max Schrems, founder of European privacy non-profit NGO noyb, commented on the case, saying: “Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app. This is an insane violation of users’ EU privacy rights.”

A number of other dating apps, including OkCupid and Tinder, have had similar allegations levelled against them in relation to the illegal sharing of information, including behavioural data and sexual preference.

Grindr has reacted to the case, claiming that it collects numerous data points on its users, including: chat message text, images (potentially explicit), email addresses, display names, age, height, weight, body type, favoured sexual position, ethnicity, relationship status, “tribes” (bear, twink, jock, trans, etc.), “looking for” (chat, friends, right now, etc.), gender, preferred pronouns (he, they, etc.), HIV status and testing details, profile pictures, linked Facebook data, linked Twitter data, linked Instagram data, location data, IP address, and device ID such as Google Advertising ID. It added that personal data points such as Google Advertising ID (if allowed by the user), age, gender and location data are shared if allowed by the user.

A Grindr spokesperson said: “User privacy and data security is, and always will be, a high priority for Grindr. Examples of this commitment include sharing our revised privacy policy in its entirety to every Grindr user in order to gain their consent and provide even greater transparency about Grindr’s privacy-forward practices. In addition, Grindr is currently implementing an enhanced consent management platform with OneTrust to provide users with additional in-app control regarding their personal data.”