The Norwegian Consumer Council has filed a privacy complaint about Grindr, arguing it’s in breach of national and European data protection laws after it emerged the dating app has been sharing personal information about its users with third parties. As we reported earlier, Norwegian research outfit SINTEF analyzed the app’s traffic and found that — if set — a user’s HIV status is included in packets sent to two app optimization firms, Apptimize and Localytics. This data was sent via an encrypted transmission. But users were not informed their HIV status was being shared. Grindr has claimed HIV status data is being shared only for testing and platform optimization purposes — and that the third parties in question are “under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy” . But, in SINTEF’s assessment, it is not strictly necessary to transmit such data for analytics and functionality testing (A/B testing) purposes. As well as HIV statuses, SINTEF found Grindr transmits a raft of other personal data points to third party ad firms — this time via unencrypted transmissions — namely: precise GPS position, gender, age, “tribe” (aka group-affiliation, e.g. trans, bear), intention (e.g. friends, relationship), ethnicity, relationship status, language and device characteristics. The Council is objecting to both the sharing of highly sensitive HIV statuses and other personal information with third parties without Grindr gaining explicit user consent for the data sharing. “Information about sexual orientation and health status is regarded as sensitive personal data according to European law, and has to be treated with great care. In our opinion, Grindr fails to do so,” said Finn Myrstad, director of digital services at the Council in a statement on its action. “We expect the company to ensure that its users receive both the privacy protection and security that they are entitled to. This also applies to how the information is used by Grindr’s service partners.” The Council argues that by transmitting sensitive personal data to third parties for ad purposes this is outside the original purposes for the data collection — thereby constituting a breach of the principle of purpose limitation. To be legal under European law Grindr would need to gain separate and clear consent from users for their personal info to be shared, it argues. “If such data sharing is to be in accordance with European law, the service has to obtain a separate and clearly…

Source: TechCrunch – Social Grindr hit with privacy complaint in Europe over sharing user data