Social Dating App Grindr Accused of Breaching GDPR

A General Data Protection Regulation complaint has been submitted in Norway against LGBTQ+ social networking app Grindr and a number of online advertising companies.

The complaints in question were submitted by the Norwegian Consumer Council (NCC) and claim that these companies have been illegally obtaining and improperly using personal data.

Finn Myrstad, director of digital policy at the Norwegian Consumer Council said: “These practices are out of control and in breach of European data protection legislation. The extent of tracking makes it impossible for us to make informed choices about how our personal data is collected, shared and used. This massive commercial surveillance is systematically at odds with our fundamental rights and can be used to discriminate, manipulate and exploit us. The widespread tracking also has the potential to seriously degrade consumer trust in digital services.”

The complaints refer to concerns that Grindr, a social networking dating app for gay men, has been collating personal data collection for targeted advertising.  There were also complaints made against five advertising companies including Twitter’s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato.

Commenting on the case, Max Schrems, founder of European privacy non-profit NGO noyb, stated: “Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app. This is an insane violation of users’ EU privacy rights.”

A number of other dating apps including OkCupid and Tinder have had similar allegations levelled against them in relation to the illegal sharing information including behavioural data and sexual preference.

Grindr has responded to the case claiming that it gathers numerous data points on its users including: chat message text, images (potentially explicit), email addresses, display names, age, height, weight, body type, favoured sexual position, ethnicity, relationship status, “‘tribes” (bear, twink, jock, trans, etc), “looking for” (chat, friends, right now, etc), gender, preferred pronouns (he, they, etc), HIV status and testing details, profile pictures, linked Facebook data, linked Twitter data, linked Instagram data, location data, IP address, and device ID such as Google Advertising ID. It added that personal data points such as Google Advertising ID (if allowed by user), age, gender and location data are shared if permitted by the user.

A Grindr spokesperson said: “User privacy and data security is, and always will be, a high priority for Grindr. Examples of this commitment include sharing our revised privacy policy in its entirety to every Grindr user in order to gain their consent and provide even greater transparency about Grindr’s privacy-forward practices. In addition, Grindr is currently implementing an enhanced consent management platform with OneTrust to provide users with additional in-app control regarding their personal data.”

Legal analysis submitted with the complaint indicate that Grindr and the ad companies involved possess data without a valid legal basis that contravenes sections six and nine of the GDPR. Section nine covers “special categories” of data, which includes information on sexual orientation.

Ala Krinickytė, a lawyer at noyb, said: “In the case of Grindr, it seems especially problematic that third parties do not just get the GPS location or device identifiers, but also the information that a person is using a dating app that is described as being ‘exclusively for gay/bi community’. This obviously reveals the sexual orientation of the user.”

Twitter has already taken steps to remove Grind from its advertising network due to the nature of the complaint. A Twitter spokesperson said: “We are currently investigating this issue to understand the sufficiency of Grindr’s consent mechanism. In the meantime, we have disabled Grindr’s MoPub account.”