The popular LGBTQ dating app Grindr has recently run into trouble with the European Union’s General Data Protection Regulation (GDPR) in two different cases. These incidents illustrate that the EU is dedicated to enforcing the GDPR for the protection of individual users. They also illustrate that organizations that run dating apps need to understand the GDPR clearly and execute their processes in a way that lies within its confines.
The Initial Problem
In January of this year, the Norwegian Data Protection Authority found that Grindr disclosed user data, including location and other factors, without authorization to five organizations, which then further provided the information to over 100 entities.
What is the GDPR?
The GDPR is legislation passed by the European Union in 2016 that seeks to protect user privacy. It governs the use of user data by companies both in and out of the European Union. It is largely considered to be the most stringent data protection policy currently in effect in the world.
GDPR covers a variety of principles. Perhaps the most essential is that people must give specific consent to how their data will be collected and used. Organizations are also required to protect the interests of users in how data is utilized. Specifically, data policies must be provided to users in transparent, plain language. People are also given a right to access their personal data and find out how this data is being utilized by a company. Finally, individuals have a right to object to the use of their data for marketing and other non-service-related uses.
Grindr’s Current Incident
Grindr has once again allegedly run afoul of GDPR policies, potentially in a much more significant manner. This situation deals not with how the company is using data but rather with the requirements it sets for users who want to learn more about how their data is being used.
The complaint was filed by None of Your Business, a nonprofit consumer advocacy group. This group represents an individual who claims to have been denied access to his personal data for failing to submit the information required by Grindr. Grindr claims that it is seeking to ensure that data is protected by exercising due diligence in verifying the user’s request.
The issue in dispute is the specific information that Grindr requests of a user. In order to be informed about how their information is used, users are required to submit a selfie while holding their passport and a piece of paper with their email address. Because Grindr is an app where users pride themselves on anonymity and often reveal significant sexual information, the complaint alleges that requiring this information is a step too far for a platform that promises anonymity as a feature of its product.
What Are the Main Legal Issues?
There are two major things to consider in evaluating Grindr’s blanket policy of requiring a selfie of a user holding their passport. First, GDPR requires companies to make a case-by-case determination of whether there is a reasonable doubt about the identity of the user making a request. By having a general policy requiring provision of further information, it seems that Grindr is clearly in violation of the GDPR.
Additionally, it seems a bit confusing that Grindr requires a passport of a user. During registration, users do not provide their names to the app. Thus, there is no reasonable way that Grindr would be able to verify a user’s identity from a submitted passport. As a result, it seems as if Grindr has created a situation where inquiring about one’s data requires at least a partial disclosure of one’s identity as an LGBTQ person, which makes for a concerning policy.
Based upon the information made public thus far, it would appear that Grindr has not learned from its initial failure to protect user information and identities. This is a particularly concerning situation in an era where user privacy is already a major concern. The stakes become even higher given the sensitive content that users provide to the app in terms of their sexual information.
The successive failures of Grindr to protect users’ data illustrate that the company does not seem to be learning its lesson from prior incidents. In an era when companies are charged with building trust with their users, Grindr does not seem to have taken a path that establishes much goodwill. In fact, these two situations create a distinct concern about the potential for future violations. Grindr users have every right to expect better from the company, and any leeriness about providing it with personal data can be seen as reasonable given these two incidents.