Study finds Grindr, OKCupid and Tinder sharing sensitive data (updated)

Twitter's ad unit has also been blamed for playing a part.

Some of the most popular dating apps have been accused of playing fast and loose with particularly sensitive data. The Norwegian Consumer Council has published a report accusing Grindr, OKCupid and Tinder of spreading various degrees of information about GPS location, sexuality and other personal information in irresponsible ways. While Grindr has vowed not to share HIV statuses and some sexual gropu identification with ad partners, it transmits user tracking info and the app's name to over a dozen companies, effectively identifying users as LGBT. OKCupid even sent data on drug use, ethnicity and political views to the analytics firm Braze.

The report also accused ad tech companies of generally serving as go-betweens, particularly Twitter's MoPub. It's used as a "mediator" for Grindr's personal data, the Consumer Council said, passing it along to companies like AT&T's AppNexus and OpenX. They, in turn, reserve rights to share that info to a wide variety of companies. MoPub lists over 160 partners in total -- it's "impossible" for users to offer true consent on how each of those companies uses their data, according to the Consumer Council.

Moreover, most of the apps in the study (including non-dating apps like Muslim - Qibla Finder and the period tracker Clue) don't provide clear info about what you're consenting to or any in-app settings to control what you're sharing. You frequently have to wade through legal documents to understand what's happening, or contact the companies directly to withdraw consent. Grindr and others also tend to use a "mix of legal bases" to handle data collection, making it difficult to know just what methodology is being applied and when.

Accordingly, the Consumer Council and the privacy group Noyb are filing GDPR complaints against Grindr, Twitter, AppNexus, OpenX and two other ad tech firms, AdColony and Smaato. The two privac advocate groups want to "shift the significant power imbalance" between users and third parties and ensure that people can make "informed choices" about how their data is shared, the Consumer Council's Finn Myrstad said.

The companies involved haven't addressed the individual nuances of the complaint, but unsurprisingly disputed its general premise in statements to the New York Times. OKCupid and Tinder owner Match Group claimed that it honored privacy laws and had contracts ensuring user data security. Grindr said it valued privacy, had protections for personal info and outlined its practices in its privacy policy. Clearly, the report writers disagree -- and the European Union won't care what the companies claim if it finds privacy violations.

Update 1/14 7:10PM ET: Braze unsurprisingly objected to the Consumer Council's findings. It insisted to Engadget that it took users' data privacy and security "very seriously." It also maintained that it honors GDPR and other privacy rules, that its customers are required to follow the law (by posting privacy policies and terms of use) and that it neither sells data nor uses it for anything other than intended purposes. You can read its statement below. However, that's not really the main issue here -- it's that Braze is receiving data customers might not want to share in the first place.

"Braze takes the security and privacy of its customers' data very seriously and discloses, in compliance with applicable privacy law, how it processes data. We give our customers total and absolute control over what data they share with Braze, and we only collect first-party data. Braze also complies with GDPR, CCPA and other privacy laws, and proactively informs customers of the stringent privacy requirements of the Apple App Store and Google Play policies.

"Our customers collect data from users of their apps, and we contractually require them to comply with the law by posting privacy policies and Terms of Use in connection with those apps. Customers then use Braze to create better customer experiences based on user preferences. All of our customers decide what data is sent to Braze. We do not sell personal data. We disclose how we use data and provide our customers with tools native to our services that enable full compliance with GDPR and CCPA rights of individuals. We only access customer data to provide the specific services outlined in our contracts with customers and for no other purpose."