Jan 15, 2020 - Technology

Dating apps, menstrual trackers accused of violating European data privacy law

In this illustration, a mouse clicks on a billboard and hovers over the word 'privacy'

Illustration: Sarah Grillo/Axios

Grindr, OkCupid, Tinder, Qibla Finder and MyDays X are among 10 apps feeding user data — such as ethnicity, location, gender and age — to digital ad companies, nonprofit Norwegian Consumer Council found in a report released on Tuesday.

Why it matters: These dating, prayer guidance and menstrual cycle or fertility tracking apps collect information from some of the most intimate parts of users' lives. The council argues that sharing this data violates a European data protection law that went into effect last year.

What they found: OkCupid sent user data about sexual desires, drug and alcohol use, and political views to analytics company Braze, as well as users' ethnicity and GPS coordinates.

  • Tinder shared users' GPS location and "target gender" — or data on sexual orientation. Facebook and Salesforce got information to track users across different services through advertising IDs, which don't necessarily attach names to data.
  • Grindr, an LGBTQ dating site, shared users' location to AT&T's AppNexus, Twitter's MoPub, OpenX, AdColony and others.
  • MyDays, a period tracker and fertility app, provided users' IP addresses, GPS location and WiFi access point information.

Flashback: Grindr changed its policy of sharing users' HIV status with its third-party vendors last year after initially defending its position.

Our thought bubble, via Axios' Ina Fried: There’s a fundamental disconnect between the amount of information one would normally share with an online service and the information needed to find a compatible mate.

What they're saying: "I think most American, most people, don't realize how much data your phone is generating about you and your life every single day," John Demers, assistant attorney general for national security at the Justice Department, told NBC News. NBC analyzed four popular dating apps, including Grindr and Tinder, to see what information is collected.

  • The Match Group, which owns Tinder and OkCupid, said in a statement that it only shares information in line with the California Consumer Privacy Act and the GDPR, and doesn't commercialize users' data. Match Group's products were not named in NCC companion complaints filed with the Norwegian Data Protection Authority.
  • Grindr did not respond to request for comment. The company told the New York Times in a statement on Tuesday that it had not received a copy of the report and could not comment on its content.

What's next: The council's formal complaints against Grindr, Twitter's ad platform and AT&T's AppNexus could mean fines — like the $57 million penalty slapped on Google in 2018 over telling users how their data is collected.

Go deeper: Location data is ground zero in privacy wars

Editor's note: This piece has been updated with a Match Group statement that its products were not named in NCC companion complaints.

Go deeper