App data sharing sparks Grindr complaint

Norwegian consumer group reveals how apps are sharing user data

Dating apps and similar services are sharing sensitive data without consent despite GDPR, according to a study by a Norwegian consumer group. 

The Norwegian Consumer Council looked at ten popular apps to see how they use personal data, in particular how that information is shared with third parties and whether there's meaningful consent — required under the General Data Protection Regulation (GDPR). 

The findings make for uncomfortable reading. For its report, Out of Control, the NCC turned to security firm Mnemonic to analyse the data sent from ten apps to at least 135 different third parties involved with behavioural profiling and advertising. 

"The actors, who are part of what we call the digital marketing and adtech industry, use this information to track us over time and across devices, in order to create comprehensive profiles about individual consumers," the NCC said in a statement. "In turn, these profiles and groups can be used to personalise and target advertising, but also for other purposes such as discrimination, manipulation, and exploitation." 


The apps tested were Tinder, OkCupid, Grindr, and Happn, as well as Muslim: Qibla Finder, My Talking Tom 2, Perfect365, and Wave Keyboard. 

According to the report, the apps shared the Android Advertising ID — which tracks users across different services — with 70 third parties. Other data was shared as well, including GPS location, IP address, gender and age.

For example, dating app Grindr shared IP address, GPS location, age and gender, as well as the Advertising ID, with advertising companies such as AppNexus and OpenX via Twitter's adtech arm MoPub, the report said. "Many of these third parties reserve the right to share the data they collect with a very large number of partners," the report added.

The NCC has since filed a data protection complaint against Grindr with local authorities. Grindr told The New York Times that it valued user privacy and protected users' information. Last year, Grindr said it would stop sharing the HIV status of its users, following a report that such data was being sent to analytics companies.

The report also showed OkCupid shared personal data including sexuality with analytics company Braze, while period tracker app MyDays shared GPS location with advertising firms — it's unclear why a menstruation calendar would need to pinpoint your location from space in the first place.

"The apps mentioned in the report help us with everything from dating, to monitoring our menstrual cycles," notes Harriet Kingaby, of Consumers International, which is affiliated with NCC. "These services can certainly benefit consumers but there is little to no choice about the level of data sharing involved when they use them and they cannot protect themselves from the unintended consequences of this sharing."


The NCC report follows similar research by Privacy International that also concluded apps are not meeting GDPR requirements by sharing too much personal information without consent. 
