Grindr hit with privacy complaint in Europe over sharing user data

The Norwegian Consumer Council has filed a privacy complaint about Grindr, arguing it’s in breach of national and European data protection laws after it emerged the dating app has been sharing personal information about its users with third parties.

As we reported earlier, Norwegian research outfit SINTEF analyzed the app’s traffic and found that — if set — a user’s HIV status is included in packets sent to two app optimization firms, Apptimize and Localytics.

This data was sent via an encrypted transmission. But users were not informed their HIV status was being shared.

Grindr has claimed HIV status data is being shared only for testing and platform optimization purposes — and that the third parties in question are “under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy”.

But, in SINTEF’s assessment, it is not strictly necessary to transmit such data for analytics and functionality testing (A/B testing) purposes.

As well as HIV statuses, SINTEF found Grindr transmits a raft of other personal data points to third party ad firms — this time via unencrypted transmissions — namely: precise GPS position, gender, age, “tribe” (aka group-affiliation, e.g. trans, bear), intention (e.g. friends, relationship), ethnicity, relationship status, language and device characteristics.

The Council is objecting to the sharing of both highly sensitive HIV statuses and other personal information with third parties without Grindr gaining explicit user consent for the data to be handed off to others.

“Information about sexual orientation and health status is regarded as sensitive personal data according to European law, and has to be treated with great care. In our opinion, Grindr fails to do so,” said Finn Myrstad, director of digital services at the Council, in a statement on its action.

“We expect the company to ensure that its users receive both the privacy protection and security that they are entitled to. This also applies to how the information is used by Grindr’s service partners.”

The Council argues that transmitting sensitive personal data to third parties for ad purposes falls outside the original purposes of the data collection, thereby constituting a breach of the principle of purpose limitation.

For users' personal info to be shared legally under European law, Grindr would need to gain separate and clear consent from them, it argues.

“If such data sharing is to be in accordance with European law, the service has to obtain a separate and clearly given consent from the user. Grindr, who only mention sharing user data in their privacy policy, does not obtain clear consent,” Myrstad asserts.

The Council is basing its complaint on the published report from the technical test by SINTEF (available on GitHub) and Grindr’s privacy policy, dated August 9, 2017.

In the complaint it also takes aim at Grindr for adding what it describes as an “unfortunate” disclaimer to its privacy policy which warns users their personal data may be processed in other countries — “including the United States, where laws regarding Personal Data may be less stringent than the laws in your country”.

“The Consumer Council regard this disclaimer as unfortunate, especially when Grindr is transferring sensitive personal data about European users. European users of the app have the right to have their personal data protected according to European law,” it writes. “The Consumer Council cannot see that Grindr is registered under the trans-Atlantic data transfer agreement Privacy Shield, which is meant to ensure that personal data that is transferred to the United States is protected in line with European data protection law. The Consumer Council see this as a cause for concern regarding whether the privacy rights of European Grindr users are sufficiently respected.”

It also argues Grindr is not gaining sufficient consent from users to their personal data being processed because the app asks for consent to the terms of service as a whole — i.e. “without individual elements being emphasized or singled out”.

“In the view of the Consumer Council, information about sensitive personal data being shared with third parties should not be hidden away in long terms of service and privacy policies. The Consumer Council cannot see that Grindr fulfill the conditions for gathering an informed and explicitly given consent,” it adds.

We’ve reached out to Grindr for comment and will update this story with any response.