Twitter has suspended the dating app Grindr from its ad platform after discovering ‘insane violations’ of the GDPR (General Data Protection Regulation).
According to a study by the NCC (Norwegian Consumer Council), Grindr shared significant amounts of sensitive personal data with advertisers without the explicit consent of users.
Grindr ‘didn’t control’ the way data was used
The report found that Grindr users were told to check with third parties to find out how their personal data was being use.
This in itself is a compliance failure, as any organisation that processes EU residents’ personal data must take accountability for where the data is going and what it’s being used for.
If an organisation shares personal data with a third party, it must therefore have a legitimate reason for doing so – which includes users’ consent – and state what that organisation will be using the information for.
But it gets worse for Grindr, as it only named one third party, MoPub, an ad network owned by Twitter, which in turn lists more than 160 organisations that data might be passed on to.
The report concluded that by claiming that it didn’t control the use of these tracking technologies, instead asking users to read the privacy policies of any third parties that might receive personal data, “Grindr is attempting to shift accountability for the advertising technologies that it is using away from itself”.
Max Schrems, the noted data privacy activist, told the NCC: “Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app. This is an insane violation of users’ EU privacy rights.”
A widespread issue
Grindr wasn’t the only organisation that the NCC called out, though.
Its report found that the online advertising industry was systematically violating the GDPR by sharing personal data and tracking users without their consent.
All 10 apps examined in depth by the NCC shared personal information with third parties, including eight that shared data with Google Ads and nine that shared data with Facebook.
Finn Myrstad, the NCC’s digital policy director, told the New York Times, which first reported the study: “Any consumer with an average number of apps on their phone – anywhere between 40 and 80 apps – will have their data shared with hundreds or perhaps thousands of actors online.”
This is clearly a problem for both individuals who hoped that the GDPR would protect them from practices like this and for the organisations in the report who will no doubt soon be investigated by data protection authorities.
The NCC has already filed formal complaints against Grindr and MoPub, as well as four other ad tech firms.
Meanwhile, Twitter has said it would investigate the allegations against Grindr and has suspended the app from MoPub.
Is your privacy notice in order?
This incident shows how important documentation is for GDPR compliance. In this case, Grindr’s privacy notice was at fault, as it failed to keep data processing in line with the Regulation’s requirements or adequately inform individuals how their data was being used.
You can avoid making the same mistakes thanks to our GDPR Privacy Notice Template.
Written by data protection experts, this template can be easily adapted to suit your organisation, no matter what size it is or industry you’re in.
Those looking for more comprehensive GDPR advice might prefer our GDPR Toolkit. It contains more than 80 customisable policies, covering everything you need to ensure regulatory compliance.
It also includes gap analysis and DPIA (data protection impact assessment) tools to help you address compliance weaknesses, as well as guidance documents and two licences for our GDPR Staff Awareness E-learning Course to help you better understand your compliance requirements.