– Information about sexual orientation and health status is regarded as sensitive personal data according to European law, and has to be treated with great care. In our opinion, Grindr fails to do so, says Finn Myrstad, director of digital services at the Norwegian Consumer Council.
– We expect the company to ensure that its users receive both the privacy protection and security that they are entitled to. This also applies to how the information is used by Grindr’s service partners.
Based on the exposed issues, the Consumer Council is now filing a complaint against the company with the Norwegian data protection authority for breaching the data protection act.
Sharing sensitive personal data
The test performed by SINTEF shows that HIV status is shared with two companies that provide analytics and targeted messaging services. Grindr also shares information about sexual orientation, geolocation and sexual preferences with several other third parties.
– It is very disconcerting that users risk losing control over this kind of information. This is information that could be abused for surveillance, discriminatory, and marketing purposes, Finn Myrstad says.
When Grindr transmits sensitive personal data to third parties for advertising purposes, this falls outside the original purposes of the data collection, which constitutes a breach of the principle of purpose limitation.
Lack of security
The technical analysis shows that Grindr transmits sensitive personal data, such as group affiliation (“tribes”), sexual orientation, and sexual preferences, without encrypting the traffic.
– The company makes it easy for others to gain access to information about its users, which is in breach of both European law and the users’ expectations about security, Finn Myrstad says.