Privacy Tip #222 – The Dating App Privacy Secret
I don’t know much about dating apps. I met my husband decades ago, long before the Internet, and the old-fashioned way—in college. But I know people who have used them, have been happy with them, have found their life partner through them, have funny stories about using them and the people they met through them. I even know about swiping left and right.
I know there are different apps depending on your sexual orientation, sexual preferences, whether you are looking for a long-term relationship or just a hook up. I also wrote extensively on the blog when Ashley Madison experienced its notorious data breach. But the recent stories in the news about dating apps compelled me to make sure that those who are using dating apps are aware of how their information is being used.
It is clear that when someone decides to use a dating app, they have to provide a lot of personal information so the app’s algorithms can properly match them with others that may be of interest. I also know that most people who use dating apps do not believe their personal data are being shared, sold or used to profile them.
According to several news stories this week, the most popular dating apps are precisely tracking users and disclosing highly personal and sensitive user information to third parties, and there are allegations that this tracking and sharing violates privacy laws.
For instance, the New York Times (Times), citing a recent report released by the Norwegian Consumer Council, reported on January 15th that popular dating apps are disclosing “dating choices and precise location to advertising and marketing companies” and that “Grindr, the world’s most popular gay dating app, transmitted user-tracking codes and the app’s name to more than a dozen companies, essentially tagging individuals with their sexual orientation.” Another assertion was that OkCupid shared “ethnicity and answers to personal profile questions—like ‘have you used psychedelic drugs?’ to a firm that helps companies tailor marketing messages to users.” According to the Times, it found that “the OkCupid site had recently posted a list of more than 300 advertising and analytics ‘partners’ with which it may share users’ information.”
When these dating apps share this sensitive information with marketing and advertising companies, those companies are free to share it with lots of other businesses, which essentially means that this highly sensitive information can be shared well beyond what is intended by the user, and is being used to profile them.
In response to this proliferation of sensitive information, this week Forbruker Radet filed a complaint in Oslo against Grindr and five other tech companies alleging violation of the GDPR.
The 25-page Complaint lists in detail the tracking capabilities of Grindr and other apps, and provides a detailed and quite interesting tale of the data sharing between Grindr and Twitter’s MoPub, and MoPub’s sharing of the data with AppNexus and OpenX. If you have never heard of these companies, I recommend you read the Complaint. It is a detailed and easy to understand sordid trail of how personal information is shared in data dumps and the precise nature in which these data dumps then can aggregate data and identify the user with keywords such as “social network, gay, bi, bi-curious, chat, dating, nearby….”
In the U.S., a coalition of consumer advocacy groups has sent letters to U.S. regulators, including the California Attorney General, requesting investigations into these practices, to determine whether they violate state or federal law. With the California Consumer Privacy Act now in effect as of January 1st, it will be interesting to see if the California AG takes the lead.