A report published by the Norwegian Consumer Council claims that a number of mobile apps are spreading highly sensitive user information to advertising companies, which may violate privacy laws.
The Norwegian Consumer Council has carried out an in-depth investigation into how mobile apps share data with third-parties for advertising purposes. Overall, 10 Android apps were tested, including dating apps Grindr, Happn, OKCupid, and Tinder, period tracking apps Clue and MyDays, make up app Perfect365, religious app Qibla Finder, children’s app My Talking Tom 2, and keyboard app Wave Keyboard. Only Android apps, and only the most popular ones have been tested. The investigation has revealed that the tested apps collect sensitive information such as exact location, sexual orientation, religious and political beliefs, etc., and share it with at least 135 third-party companies.
According to the report, a majority of the apps were found to be sharing user data with third-parties without clearly informing users about how their data is handled. For example, dating app Grindr shared user data with a large number of third parties that are involved in advertising and profiling. The shared data includes IP address, Advertising ID, GPS location, age and gender. Another dating app OKCupid allegedly shared highly sensitive data about sexuality, drug use, religion, political views, etc. Users were not informed in a clear manner about how their information is used or where it’s sent to.
When analyzing Grindr, Tinder and OKCupid, three of the most popular dating apps, the researchers noted that they in particular have the most privacy issues. The apps do not comprehensively inform their users that their information is shared with non-service provider third-parties for advertising purposes, nor do they provide in-app options to reduce data sharing with said parties.
Image: Norwegian Consumer Council
Under GDPR, users need to consent to data sharing
In accordance with GDPR, users must be provided with clear and comprehensible information about what they are consenting to. Most of the apps investigated in the study do not comprehensively explain what users are consenting to and do not offer in-app settings that allow users to control what is shared. Instead, users have to go through complicated legal documents to understand how their information is shared. Users also cannot easily retract consent, and instead would need to contact companies directly in order to withdraw it. Furthermore, GDPR states that users must give their explicit consent by opting in to data sharing, instead of having to opt out. In the cases detailed in the report, neither apps nor third-parties collect valid consent, which suggests GDPR violations.
“The extent of tracking and complexity of the adtech industry is incomprehensible to consumers, meaning that individuals cannot make informed choices about how their personal data is collected, shared and used,” the report says.
The Norwegian group has filed complaints against Grind, Twitter, AppNexus, OpenX and two other ad tech firms, requesting regulators to investigate possible violations of the European protection law. If the companies are found to have violated GDPR, they would be facing fines of up to 4% of their annual revenue.
“Our legal analysis of these finding show that a large amount of this data sharing and processing appears to be illegal under the General Data Protection Regulation.”