Filing complaint against Grindr’s sharing users’ HIV-status and sexual preferences

3. april, 2018

Grindr shares its users’ sexual preferences with several third party companies, and waive their responsibility for how this data is being used. HIV-status is also shared with two analytics services. The NCC is filing a complaint to the Data Protection authority against Grindr for being in breach of European and Norwegian data protection law.

The Consumer Council has looked at the Grindr privacy policy, and have gained access to a technical test performed by the Norwegian research institute SINTEF on behalf of the Swedish broadcaster SVT. The Consumer Council is critical about how the company is sharing and protecting sensitive personal data.

– Information about sexual orientation and health status is regarded as sensitive personal data according to European law, and has to be treated with great care. In our opinion, Grindr fails to do so, says Finn Myrstad, director of digital services in the Norwegian Consumer Council.

– We expect the company to ensure that its users receive both the privacy protection and security that they are entitled to. This also applies to how the information is used by Grindr’s service partners.

Based on the exposed issues, the Consumer Council is now filing a complaint against the company to the Norwegian data protection authority for breaching the data protection act.

Sharing sensitive personal data

The test performed by SINTEF shows that HIV-status is shared with two companies that provide services regarding analytics and targeted messaging. Grindr also shares information about sexual orientation, geolocation and sexual preferences with several other third parties.

– It is very disconcerting that users risk losing control over this kind of information. This is information that could be abused for surveillance, discriminatory, and marketing purposes, Finn Myrstad says.

When Grindr transmits sensitive personal data to third parties for advertising purposes, this is outside of the original purposes for the data collection, which constitutes a breach of the principle of purpose limitation.

– If such data sharing is to be in accordance with European law, the service has to obtain a separate and clearly given consent from the user. Grindr, who only mention sharing user data in their privacy policy, does not obtain clear consent, Myrstad says.

Lack of security

The technical analysis shows that Grindr transmits sensitive personal data, such as group-affiliation (“tribes”), sexual orientation, and sexual preferences, without encrypting the traffic.

– The company makes it easy for others to gain access to information about its users, which is in breach of both European law, and the users’ expectations about security, Finn Myrstad says.