Lawsuit accuses Grindr of illegally sharing users' HIV status
LGBTQ+ dating app's maker previously denied selling sensitive user data
Hundreds have joined a UK class action lawsuit against LGBTQ+ dating app Grindr, seeking damages over a historical case of the company allegedly forwarding users' HIV status as well as other sensitive data to third-party advertisers.
A total of 670 individuals have joined the class action, filed today in England's High Court, and lawyers Austen Hays believe the number could rise into the thousands.
The lawsuit alleges Grindr violated UK data protection law by sharing user data without their consent and focuses largely on alleged data disclosures that took place before April 3, 2018, and between May 25, 2018 and April 7, 2020.
As El Reg reported at the time, researchers at SINTEF published information in 2018 that appeared to show Grindr was bulk sending users' sensitive information to analytics companies Localytics and Apptimize.
This data included a user's HIV status and their last test date, their sexual preferences, and their GPS location – all of which were added to public profiles by users and later gathered up by Grindr's trackers.
The discovery that the data may have been shared with analytics firms led to heavy criticism of the app maker, which at the time didn't apologize for its alleged role in the furor, but did alter its privacy policy soon after.
Its then-CTO Scott Chen said Grindr would never sell the kind of sensitive data researchers specified to third parties, and reminded users that any information they themselves added to their profile would become public.
Users branded the response "sloppy," and deemed the alleged incident to be a "gross violation of privacy." Critics said that the information was added to a public profile in aid of meeting a likeminded person, and that no reasonable user would expect their data to be misused in the way it was.
Austen Hays, the law firm bringing the case to Grindr, told The Register: "The claim filed today in the English Court states that Grindr unlawfully processed and shared users' data with third parties, including advertising companies Localytics and Apptimize. This would allow a potentially unlimited number of third parties to target and/or customize advertisements to its users. Austen Hays further claims that these third parties either served the advertisements themselves or acted as 'adtech' intermediaries, potentially passing on data to fourth parties.
"Additionally, the claim alleges that third and/or fourth parties may have retained some of the shared data for their own purposes after the advertisement had been served. It further alleges that Grindr received payment or commercial benefits from the third and fourth parties with whom it shared users' personal data as a source of revenue in exchange for such sharing."
The Norwegian Data Protection Authority (NO DPA) fined Grindr 65 million Norwegian kroner in 2020 ($5.9 million at today's exchange rate) for violating GDPR's consent rules.
NO DPA's case didn't mention any violations regarding the sharing of HIV data or information about a user's sexual preferences. However, it ruled that third parties had received a user's GPS location, IP address, advertising ID, age, gender, and the fact that they used the app, and concluded that Grindr had disclosed user data to third parties "for behavioural advertisement without a legal basis."
Grindr appealed the fine, but the original decision was upheld in September 2023 by Norway's Personal Protection Board. A month later, Grindr sued the NO DPA over the validity of its decision.
In addition to the claim brought to Grindr in the UK, the company is also facing flak in the US, as recently as October 2023, again for alleged data protection failings.
The Electronic Privacy Information Center (EPIC) said in October last year it was pushing for the FTC to probe the app maker after finding that it was retaining user data even after accounts were deleted – a practice Grindr's privacy policy explicitly says it wouldn't do.
Grindr told The Register at the time: "Privacy is a top priority for Grindr and the LGBTQ+ community we serve, and we have adopted industry-leading privacy practices and tools to protect and empower our users."
It also said the "unfounded" claims were made by a disgruntled former employee, its ex-chief privacy officer Ron De Jesus. Months earlier, De Jesus filed a wrongful termination lawsuit against the company, which also included allegations of privacy violations.
We asked Grindr to comment on today's news but the US-based company didn't immediately respond.
Chaya Hanoomanjee, managing director at Austen Hays and the lawyer leading the UK claim, said: "Our clients have experienced significant distress over their highly sensitive and private information being shared without their consent, and many have suffered feelings of fear, embarrassment, and anxiety as a result.
"Grindr owes it to the LGBTQ+ community it serves to compensate those whose data has been compromised and have suffered distress as a result, and to ensure all its users are safe while using the app, wherever they are, without fear that their data might be shared with third parties.
"Grindr users who think they may be affected by this breach should join the claim so that we can seek redress for them."
A spokesperson at Grindr sent us a statement:
"We are committed to protecting our users' data and complying with all applicable data privacy regulations, including in the UK. We are proud of our global privacy program and take privacy extremely seriously." ®