App data sharing sparks Grindr complaint

Dating apps and similar services are sharing sensitive data without consent despite GDPR, according to a study by a Norwegian consumer group.

The Norwegian Consumer Council looked at ten popular apps to see how they use personal data, in particular how that information is shared with third parties and whether there's meaningful consent — required under the General Data Protection Regulation (GDPR).

The findings make for uncomfortable reading. For its report, Out of Control, the NCC turned to security firm Mnemonic to analyse the data sent from ten apps to at least 135 different third parties involved with behavioural profiling and advertising.

"The actors, who are part of what we call the digital marketing and adtech industry, use this information to track us over time and across devices, in order to create comprehensive profiles about individual consumers," the NCC said in a statement. "In turn, these profiles and groups can be used to personalise and target advertising, but also for other purposes such as discrimination, manipulation, and exploitation."

The apps tested were Tinder, OkCupid, Grindr, and Happn, as well as Muslim: Qibla Finder, My Talking Tom 2, Perfect365, and Wave Keyboard.

According to the report, the apps shared the Android Advertising ID — which tracks users across different services — to 70 third parties. However, there was more data shared, including GPS location, IP address, gender and age.

For example, dating app Grindr shared IP address, GPS location, age and gender, as well as the Advertising ID, with advertising companies such as AppNexus and OpenX via Twitter's adtech arm MoPub, the report said. "Many of these third parties reserve the right to share the data they collect with a very large number of partners," the report added.

The NCC has since filed a data protection complaint against Grindr with local authorities. Grindr told The New York Times that it valued user privacy and protects their information. Last year, Grindr said it would stop sharing the HIV status of its users, following a report such data was being sent to analytics companies.

The report also showed OkCupid shared personal data including sexuality with analytics company Braze, while period tracker app MyDays shared GPS location with advertising firms, the report noted — it's unclear why a menstruation calendar would need to pinpoint your location from space in the first place.

"The apps mentioned in the report help us with everything from dating, to monitoring our menstrual cycles," notes Harriet Kingaby, of Consumers International, which is affiliated with NCC. "These services can certainly benefit consumers but there is little to no choice about the level of data sharing involved when they use them and they cannot protect themselves from the unintended consequences of this sharing."

The NCC report follows similar research by Privacy International that also concluded apps are not meeting GDPR requirements by sharing too much personal information without consent.