A study conducted by the Norwegian Consumer Council (NCC) found that “10 apps collect sensitive information including a user’s exact location, sexual orientation, religious and political beliefs, drug use and other information and then transmit the personal data to at least 135 different third-party companies.” The study went on to state, “The extent of tracking and complexity of the adtech industry is incomprehensible to consumers, meaning that individuals cannot make informed choices about how their personal data is collected, shared and used.” The NCC stated that such data sharing violates the EU’s General Data Protection Regulation (GDPR).
American consumer groups advocating for the protection of private information have encouraged U.S. lawmakers and regulators to act based on the revelations from the Norwegian study. Public Citizen has asked Congress to use the study and GDPR as a guide for new legislation..
“These apps and online services spy on people, collect vast amounts of personal data and share it with third parties without people’s knowledge. Industry calls it adtech. We call it surveillance,” Burcu Kilic, a lawyer leading Public Citizen’s digital rights program, said. “We need to regulate it now, before it’s too late.”
Grindr, the “world’s largest social networking app for gay, bi, trans, and queer people,” uses MoPub advertising software owned by Twitter, “which collects and processes personal information and unique identifiers such as a phone’s ID and IP address.” This allows advertisers to trace consumers from device to device. In response, Twitter has suspended Grindr’s MoPub account while it investigates in response to the study.
Using Grindr reveals information about a user’s sexual orientation to advertisers due to the nature of the app. Grindr also sent user location information to marketing companies, who could share it with other companies. This is not the first time the app has shared personal user information. Grindr was criticized in 2018 when a Norwegian nonprofit discovered the app shared users’ HIV status to two outside companies. After the report became public, Grindr said it stopped that practice.
“Grindr only lists Twitter’s MoPub as an advertising partner, and encourages users to read the privacy policies of MoPub’s own partners to understand how data is used. MoPub lists more than 160 partners, which clearly makes it impossible for users to give an informed consent to how each of these partners may use personal data,” the report states.
Popular dating site OKCupid shared information about a user’s ethnicity, sexuality, drug use, political leanings and other personal details to Braze, an analytics company. This information could then be shared with more than 300 advertising or analytics partners. Match Group, which owns OKCupid and Tinder, stated that privacy was important to the company. “All Match Group products obtain from these vendors strict contractual commitments that ensure confidentiality, security of users’ personal information and strictly prohibit commercialization of this data,” a spokesperson for the company told NPR.