This article is more than 1 year old
EPIC urges watchdog to probe Grindr's data privacy – or alleged lack thereof
Dating app kept sensitive info even after peeps deleted accounts, complaint claims
Grindr isn't doing a very good job protecting its users' private information, including their NSFW photos, according to the Electronic Privacy Information Center (EPIC), which wants the FTC to investigate potentially unlawful practices by the LGBTQ+ dating app.
On Wednesday, EPIC filed a complaint with the US government watchdog over Grindr's "apparent failure to safeguard users' sensitive personal data." This includes both present and past users who have since deleted their accounts, according to the complaint. Despite promising in its privacy policy to delete personal info if customers remove their account, Grindr allegedly retained and disclosed some of this data to third parties.
Considering that people trust the dating app with a ton of very sensitive information — this includes their sexual preferences, self-reported HIV status, chat history, photos including nudes, and location information — "learning that Grindr breaks the promises it makes to users would likely affect a consumer's decision regarding whether to use Grindr," the complaint states [PDF].
Grindr, for its part, says privacy is of the uppermost importance to it, and that these "unfounded" claims stem from allegations made by a disgruntled ex-worker. So that's all right then.
"Privacy is a top priority for Grindr and the LGBTQ+ community we serve, and we have adopted industry-leading privacy practices and tools to protect and empower our users," a spokesperson told The Register.
"We are sorry that the former employee behind the unfounded allegations in today's request is dissatisfied with his departure from the company; we wish him the best."
The former employee in question is Grindr's ex-chief privacy officer Ron De Jesus. In June, De Jesus filed a wrongful termination lawsuit [PDF] against his former bosses that also accused the dating app of violating privacy laws.
According to the lawsuit, De Jesus was "leading the charge to keep Grindr compliant with state, national, and international laws" after Norway's data protection agency fined the dating app biz about $12 million in December 2021 and a Wall Street Journal article in May 2022 accused the application developer of selling users' location data.
- LGBTQ+ folks warned of dating app extortion scams
- Catholic clergy surveillance org 'outs gay priests'
- Amazon had secret algorithm to hike prices, claims FTC
- Game on: FTC tries again to block Microsoft Activision merger
But despite De Jesus' attempts, "Grindr placed profit over privacy and got rid of Mr De Jesus for his efforts and reports," the lawsuit alleges.
EPIC's complaint, which highlights De Jesus' allegations, asks the FTC to look into potential violations of privacy law, including detection data retention and disclosure practices.
It also accuses Grindr of violating the Health Breach Notification Rule (HNBR). The dating app is subject to the HNBR because it asks users to self-report health data including HIV status, last-tested date, and vaccination status. By sharing these records with third parties and retaining health data after users deleted their accounts, Grindr allegedly breached the HNBR, EPIC says.
The privacy advocates at EPIC want the FTC to make Grindr comply with the laws and stop any "unlawful or impermissible" data retention practices. Additionally, the complaint calls on the federal agency to force Grindr to notify any users' whose data was misused, and impose fines against the dating app for any violations of the HBNR. ®