Dating app Grindr found itself under fire this week, after Norwegian research group SINTEF revealed that the HIV status of the app’s users was being sent to Apptimize and Localytics, two app optimization services.
People on Grindr can choose to include their HIV status in their profile along with other personal information. However, it’s unlikely that users realise that this highly sensitive information is being shared with other organizations.
Grindr is not selling this data; instead, it is sharing packets of user information with Apptimize and Localytics, who test and improve mobile services. The data was shared via an encrypted transmission, but this is unlikely to be much consolation to the individuals concerned, as they were not informed that this information was being accessed by third parties at all.
Grindr’s CEO told Buzzfeed that the data-sharing did not contravene any privacy agreements:
The limited information shared with these platforms is done under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.
However, this week the Norwegian Consumer Council filed a complaint against Grindr, questioning whether these practices break any European Laws. The complaint includes the following:
Information about sexual orientation and health status are sensitive personal data according to European legislation. Grindr processes sensitive personal data, such as HIV-status, sexual orientation, and sexual preferences. This complaint concerns how Grindr shares and protects these sensitive personal data.
In the view of the Consumer Council, information about sensitive personal data being shared with third parties should not be hidden away in long terms of service and privacy policies. The Consumer Council cannot see that Grindr fulfill the conditions for gathering an informed and explicitly given consent.
The app does not provide an opportunity to not share personal data with third parties.
Under European law, Grindr would have to gain clear and separate consent for their personal information to be shared, and the complaint argues that it fails to do so.
Grindr’s reputation as a privacy-conscious company may have already taken a hit with this week’s news, but this complaint could spell even more trouble and a major fine if they’re found to have failed to comply with European law.