Popular dating apps could be in breach of GDPR

Tinder, OkCupid, and Grindr are in hot water over their approach to user content.
15 January 2020

Tinder is one of the apps now under the microscope. Source: Shutterstock

Because they match and filter users on the basis of personal information, dating platforms require a good deal of uniquely personal information from members. In return, those using them expect reputable services to protect that data and be upfront about how it’s used.

But a study by the Norwegian Consumer Council (NCC) has shone a spotlight on the data disclosure and management practices of some of the most popular dating apps, including Grindr, OkCupid, and Tinder, and has found that many could be in breach of European data laws.

The NCC states these platforms are spreading user information, including sexual preferences, behavioral data and precise location to advertisers, without sufficient disclosure to users or controls to manage the data they share, which would put them in breach of GDPR (General Data Protection Regulation). 

The organization has since filed a complaint with regulators, asking them to investigate whether any of the firms are in breach of data regulations. This should be taken as a wake-up call for members of the platform economy, particularly as a younger generation places increasing significance on data privacy in regard to brands they trust: if the companies are found to be in breach, they could face a fine of up to 4 percent of global revenue.

‘Unexpected third parties’

Run from June to November last year, the study sought to investigate how personal data is handled by 10 of the most popular Android apps.

These were selected based on those most popular in the Google Play Store in categories where “sensitive category personal data were deemed likely to be processed,” such as information about health, religion, children and sexual preferences. 

Alongside the three dating apps, the list included period trackers Clue and MyDays; religious app Muslim: Qibla Finder; and children’s app My Talking Tom 2. 

The NCC found that the majority of the ten apps were transmitting data to “unexpected third parties”, without making sufficiently clear to users where their information was being transmitted, and for what purpose.

Analysis of traffic, carried out with cybersecurity firm Mnemonic, revealed that several of the apps shared location data with a large number of partners, more than 70 in the case of makeup app Perfect365.

Dating app Grindr was one of the worst offenders, as it failed to share clear information regarding how it shares data with non-service-provider third parties, share clear information about how user data is used for targeted ads, and provide in-app options to reduce data sharing with third parties.

Data shared included a user’s IP address, Advertising ID, GPS location, age, and gender. Twitter’s ad tech subsidiary MoPub was used as a mediator for much of this data sharing and was observed passing personal data to a number of other advertising third parties, including major ad tech firms AppNexus and OpenX.

Many of these third parties reserve the right to share the data they collect with a very large number of partners. NCC pointed out in the report, for example, that AppNexus could provide data such as IP address or advertising ID to parent company AT&T. A user could then, in theory, be targeted with personalized TV advertising based on their interaction with an app. 

“AT&T can use the data from the online tracking industry in combination with first-party data from its TV boxes, in order further to refine its targeted advertising.”

The dating app OkCupid shared highly personal data about sexuality, drug use, political views, and more with the analytics company Braze. Google’s advertising service DoubleClick, meanwhile, was receiving data from eight of the apps, while Facebook was receiving data from nine. 

A fair trade-off?

Across the 10 apps it investigated, the study revealed that approaches to gaining consent from users were inconsistent. While MoPub claims to rely on consent in order to process personal data, its partners don’t always use consent as a legal basis. 

If an individual wanted to withdraw their data, therefore, they would have to track down each partner involved to ensure it is not shared which, NCC claimed, illustrated a “lack of consumer control when data is being shared widely across the ad tech industry.”

Where users do have control, such as not providing location data from their device, partners such as AppNexus can infer a user’s location based on IP address. The report added that, with consent a core component of GDPR, many ad tech firms’ privacy policies were “incomprehensible”.

If the companies are found to be in breach of the GDPR, they could face fines of up to 4 percent of their global revenue. 

“The multitude of violations of fundamental rights are happening at a rate of billions of times per second, all in the name of profiling and targeting advertising,” the NCC concluded. 

“It is time for a serious debate about whether the surveillance-driven advertising systems that have taken over the internet, and which are economic drivers of misinformation online, is a fair trade-off for the possibility of showing slightly more relevant ads.”