The adtech industry has once again been caught with its trousers down over alleged mass abuse of personal data following claims the world’s most popular apps, including Grindr, OkCupid and Tinder, are handing out sensitive user information willy-nilly to ad companies, in an “insane violation” of GDPR.
A study conducted by the Norwegian Consumer Council (NCC), tracked the activity of ten apps between June and November last year in order to identify how personal information – including sexual preferences, behavioural data, and location – is transmitted from these apps to commercial third parties.
The apps tested include the dating apps Grindr, Happn, OkCupid, and Tinder; period tracker apps Clue and MyDays; makeup app Perfect; religious app Muslim: Qibla Finder; children’s app My Talking Tom 2; and keyboard app Wave Keyboard.
The ten apps were chosen because they were the most popular apps on Google Play at the time in “certain categories where sensitive category personal data were deemed likely to be processed”.
Only the Android versions of these apps were tested, with NCC explaining that this was due to Android being the largest mobile operating system worldwide, in addition to Google being a major player in the adtech industry.
In the tests, most of the apps were found to transmit data to “unexpected third parties”, with users not being clearly informed about where their information was being sent, and how it was being used. The ten apps were transmitting user data to at least 135 third parties involved in advertising and behavioural profiling.
The report claims that Grindr was one of the worst offenders, with a “triple whammy” of issues. Not only does it fail to provide details about how it shares data with non-service provider third parties, it does not show how user data is used for targeted ads or provide in-app options to reduce data sharing with third parties.
Twitter-owned MoPub acted as a mediation network for the Grindr app, facilitating personal data transmissions to other third parties, who then used the data to determine whether they wanted to purchase advertisements directed toward Grindr users.
According to the study, MoPub’s advertising partners could also potentially distribute that user data to other companies under certain situations despite not receiving explicit consent from Grindr’s users. For example, one of MoPub’s partners, AppNexus, could potentially provide data such as users’ IP addresses and advertising IDs to other companies such as its parent entity AT&T to sell and target ads, the study said.
The report states: “In the cases described in this report, none of the apps or third parties appear to fulfil the legal conditions for collecting valid consent. The multitude of violations of fundamental rights are happening at a rate of billions of times per second, all in the name of profiling and targeting advertising.
“The adtech industry is operating with out-of-control data sharing and processing, despite that it should limit most, if not all, of the practices identified throughout this report.
“It is time for a serious debate about whether the surveillance-driven advertising systems that have taken over the internet, and which are economic drivers of misinformation online, is a fair trade-off for the possibility of showing slightly more relevant ads.”
The Norwegian group has since filed complaints asking for domestic regulators to undertake investigations into Grindr and five ad tech companies for violations of GDPR.
Privacy campaigner Max Schrems, who has been a thorn in the side of Facebook for years, worked with the NCC on the complaints. He said: “Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app. This is an insane violation of users’ EU privacy rights.”
Digital ad body acts over ‘mass unlawful use of data’
ICO ‘cosies up’ to industry in bid to tackle adtech issue
ICO urged to act now on adtech or be seen as soft touch
ICO: online ad industry ‘leaving millions at risk of harm’
Germans unleash GDPR blitz on behavioural ad giants
Google Ad Exchange probe threatens online ad mayhem
Adspend nears £24bn with surge in data-driven activity
Irish data regulator launches inquiry into adtech giant
New Govt probe to scrutinise behavioural data market
ICO taps up industry for probe into programmatic ads