A group of civil rights and consumer groups is urging federal and state regulators to examine a number of mobile apps, including popular dating apps Grindr, Tinder and OKCupid for allegedly sharing personal information with advertising companies.
The push by the privacy rights coalition follows a report published on Tuesday by the Norwegian Consumer Council that found 10 apps collect sensitive information including a user's exact location, sexual orientation, religious and political beliefs, drug use and other information and then transmit the personal data to at least 135 different third-party companies.
The data harvesting, according to the Norwegian government agency, appears to violate the European Union's rules intended to protect people's online data, known as the General Data Protection Regulation.
In the U.S., consumer groups are equally alarmed. The group urging regulators to act on the Norwegian study, led by government watchdog group Public Citizen, says Congress should use the findings as a roadmap to pass a new law patterned after Europe's tough data privacy rules that took effect in 2018.
"These apps and online services spy on people, collect vast amounts of personal data and share it with third parties without people's knowledge. Industry calls it adtech. We call it surveillance," said Burcu Kilic, a lawyer who leads the digital rights program at Public Citizen. "We need to regulate it now, before it's too late."
The Norwegian study, which looks only at apps on Android phones, traces the journey a user's personal information takes before it arrives at marketing companies.
For example, Grindr's app includes Twitter-owned advertising software, which collects and processes personal information and unique identifiers such as a phone's ID and IP address, allowing advertising companies to track consumers across devices. This Twitter-owned go-between for personal data is controlled by a firm called MoPub.
"Grindr only lists Twitter's MoPub as an advertising partner, and encourages users to read the privacy policies of MoPub's own partners to understand how data is used. MoPub lists more than 160 partners, which clearly makes it impossible for users to give an informed consent to how each of these partners may use personal data," the report states.
This is not the first time Grindr has become embroiled in controversy over data sharing. In 2018, the dating app announced it would stop sharing users' HIV status with companies following a report in BuzzFeed exposing the practice, leading AIDS advocates to raise questions about health, safety and personal privacy.
The latest data violations unearthed by the Norwegian researchers come the same month California enacted the strongest data privacy law in the U.S. Under the law, known as the California Consumer Privacy Act, consumers can opt out of the sale of their personal information. If tech companies do not comply, the law permits the user to sue.
In its letter sent Tuesday to the California attorney general, the ACLU of California argues that the practice described in the Norwegian report may violate the state's new data privacy law, in addition to constituting possible unfair and deceptive practices, which is unlawful in California.
A Twitter spokesperson said in a statement that the company has suspended advertising software used by Grindr highlighted in the report as the company reviews the study's findings.
"We are currently investigating this issue to understand the sufficiency of Grindr's consent mechanism. In the meantime, we have disabled Grindr's MoPub account," a Twitter spokesperson told NPR.
The study found the dating app OKCupid shared details about a user's sexuality, drug use, political views and more to an analytics company called Braze.
The Match Group, the company that owns OKCupid and Tinder, said in a statement that privacy was at the core of its business, saying it only shares information to third parties that comply with applicable laws.
"All Match Group products obtain from these vendors strict contractual commitments that ensure confidentiality, security of users' personal information and strictly prohibit commercialization of this data," a company spokesman said.
Many app users, the study noted, never try to read or understand the privacy policies before using an app. But even if the policies are studied, the Norwegian researchers say the legalese-filled documents sometimes do not provide a complete picture of what is happening with a person's personal information.
"In other words, it is practically impossible for the consumer to have even a basic overview of what and where their personal data might be transmitted, or how it is used, even from only a single app."