Popular apps leaking personal data, new report claims

Norwegian consumer organisation files GDPR complaint against Grindr, adtech firms

Data on people’s health, sexual orientation, location and interests were among information being shared by the apps, a situation that consumers may not be aware of, a new report said. Photograph: iStock

Consumer groups have called for an immediate investigation into online advertising companies following allegations there were “systemic” breaches of GDPR involving some of the most popular mobile apps.

Data on people’s health, sexual orientation, location and interests were among the information being shared by the apps, a situation that consumers may not be aware of, a new report said.

The report, published by the Norwegian Consumer Council, found apps were sharing and processing large amounts of user data in ways that appeared to be illegal under the General Data Protection Regulation (GDPR), which came into force in May 2018 and provides stronger protection for personal data. The 10 apps were transmitting data to at least 135 different third parties involved in advertising or behavioural profiling.

The group commissioned cybersecurity company Mnemonic to perform a technical analysis of the data traffic from 10 mobile apps, including dating apps Tinder, Grindr and OkCupid, and child-focused app Talking Tom 2. The report also looked at data sharing from fertility apps such as Clue and My Days.


The report said the adtech industry was operating with “out of control data sharing and processing”.

“The digital marketing and adtech industry has to make comprehensive changes in order to comply with European regulation, and to ensure that they respect consumers’ fundamental rights and freedoms,” it said.

Norwegian consumer organisation Forbrukerrådet has filed several GDPR complaints off the back of the report, including complaints against five online advertising companies and one against dating app Grindr. The group said the five ad-tech companies and Grindr do not have a valid legal basis to process and share the personal data that they are receiving.

Norway is not part of the EU, but is part of the European Economic Area and adopted GDPR in 2018.

The report has also been sent to the Office of the Data Protection Commissioner in Ireland.

"The report provides compelling evidence about how these so-called ad-tech companies collect vast amounts of personal data from people using mobile devices, which advertising companies and marketeers then use to target consumers with personalised ads, without a valid legal base and without consumers knowing it," BEUC, the European Consumer Organisation said.

Consumer organisations said they had “serious concerns” that consumers had no realistic way of stopping their data from being hoovered up and exploited by the ad-tech industry.

"Consumers carry their mobile devices everywhere and use them for a myriad of reasons. What people do not know is that scores of companies with whom they have no relationship hoover up all sorts of personal data through software installed inside their apps. The study shows that most of the time there is no legal basis for this unrestrained surveillance, and it also leaves consumers vulnerable to discriminatory practices or to manipulation," said Monique Goyens, Director General of the European Consumer Organisation.

“The EU’s data protection law is a powerful tool to defend consumers against companies who do not respect their privacy. Data protection authorities need to take action against those who break the rules.”

Ciara O'Brien


Ciara O'Brien is an Irish Times business and technology journalist