Dating apps including Grindr, OkCupid and Tinder leak personal information to advertising tech companies in possible violation of European data privacy laws, a Norwegian consumer group said in a report Tuesday.
The Norwegian Consumer Council said it found “serious privacy infringements” in its analysis of how shadowy online ad companies track and profile smartphone users.
The council, a government-funded nonprofit group, commissioned cybersecurity company Mnemonic to study 10 Android mobile apps. It found that the apps sent user data to at least 135 different third party services involved in advertising or behavioural profiling.
“The situation is completely out of control,” the council said, urging European regulators to enforce the continent’s strict General Data Privacy Regulation, or GDPR. It said the majority of the apps did not present users with legally-compliant consent mechanisms. The council took action against some of the companies it examined, filing formal complaints with Norway’s data protection authority against Grindr, Twitter-owned mobile app advertising platform MoPub and four ad tech companies. Grindr sent data including users’ GPS location, age and gender to the other companies, the council said. Twitter said it disabled Grindr’s MoPub account and is investigating the issue “to understand the sufficiency of Grindr’s consent mechanism.”
It is difficult in today\’s society with social media applications for people to actually read the privacy or end user agreements and to understand what is happening with their name, address, pictures, contacts and GPS location once the data is entered into or collected by an app.
On a lot of social media apps that are not charging users for their service, the users are undoubtedly the product. Their information is collected and sold off to third-party organizations for revenue for the social media app. Only in recent years are governments finally taking actions such as the General Data Privacy Regulations (GDPR) in the UK and recently, the California Consumer Protection Act (CCPA). These laws are putting the end user first and looking to the social media app companies to secure, protect and restrict the sharing of user data, or else face financial implications.
Some organizations such as Twitter are taking a step in the right direction when it comes to protecting their customers by disabling plugins that violate their privacy terms, and are blocking the sharing of information to third parties without permission.
Social media application organizations that collect information about their users and do not provide a robust security program to protect or secure that information are putting undue and unnecessary risk and exposure on their users. This significantly increases users\’ vulnerability to identity theft, spear phishing emails and other possible harms.