Twitter has suspended Grindr from its ad platform after a study claimed the dating app was passing significant amounts of private information to advertisers without explicit consent from users.
The study, carried out by the Norwegian Consumer Council (NCC), found that the online advertising industry was “systematically breaking the law”, transmitting personal data and tracking users in ways that are banned under the GDPR, the EU’s data law.
Grindr told users that they needed to check with partners to find out how their data was used, but only named one such partner, MoPub, an ad network owned by Twitter. MoPub, in turn, lists more than 160 partners to which data may be passed.
“By stating that it does ‘not control the use of these tracking technologies’, and by asking users to read the privacy policies of any third-party companies that may receive personal data, Grindr is attempting to shift accountability for the advertising technologies that it is using away from itself,” the report concluded.
Max Schrems, founder of the European privacy non-profit organisation Noyb, told the NCC: “Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app. This is an insane violation of users’ EU privacy rights.”
Following the publication of the report, the council filed formal complaints of GDPR breaches against Grindr and MoPub, as well as four other ad tech firms.
Twitter said it would investigate the allegations saying Grindr provided data with inadequate consent, and suspended the app from MoPub. “We are currently investigating this issue to understand the sufficiency of Grindr’s consent mechanism,” Twitter said. “In the meantime, we have disabled Grindr’s MoPub account.”
Every app assessed had some privacy problems, however, leading the report’s authors to conclude that the problem was endemic. “Because of the scope of tests, size of the third parties that were observed receiving data and popularity of the apps, we regard the findings from these tests to be representative of widespread practices.”
The tests, which were carried out on Android devices, showed that every single app shared data with third parties. Eight of the 10 also shared data with Google’s ad service, while nine of them shared data with Facebook.
“We urge data protection authorities to enforce the GDPR,” the NCC concluded, “and for advertisers and publishers to look toward alternative digital advertising methods that respect fundamental rights.”
Finn Myrstad, the NCC’s digital policy director, told the New York Times, which first reported the study: “Any consumer with an average number of apps on their phone – anywhere between 40 and 80 apps – will have their data shared with hundreds or perhaps thousands of actors online.”
“In addition, Grindr is currently implementing an enhanced consent management platform with OneTrust to provide users with additional in-app control regarding their personal data. As always, Grindr users have individual control over exactly what information they choose to provide in their profiles. We have also further enhanced our information security policy as part of our ongoing commitment to safeguard our users’
“So while we reject a number of the report’s assumptions and conclusions, we welcome the opportunity to be a small part in a larger conversation about how we can collectively evolve the practices of mobile publishers and continue to provide users with access to an option of a free platform. As the data protection landscape continues to change, our commitment to user privacy remains steadfast.”
This article first appeared in TheGuardian.