EPIC files FTC complaint against Grindr's data privacy practices

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

The Electronic Privacy Information Center (EPIC) has called on the Federal Trade Commission (FTC) to investigate LGBTQ+ dating app Grindr for its potentially unlawful retention and disclosure of users’ sensitive personal data, according to official documents seen by MARKETING-INTERACTIVE.

"This complaint concerns Grindr’s apparent failure to safeguard users’ sensitive personal data, including the data of users who have deleted their accounts," wrote EPIC in its complaint. It highlighted that in June 2023, Grindr’s former chief privacy officer filed a wrongful termination lawsuit against Grindr, alleging that the company fired him when he made executives aware of violations of Grindr’s privacy policies.

Don't miss: Grindr enters SPAC deal, outlines expansion and growth plans

It then alleged that Grindr "appears" to have engaged in "unfair and deceptive" trade practices that are in violation of the FTC Act as well as violated the Health Breach Notification Rule (HBNR).

"For the reasons set out below, the Commission should open an investigation, secure an injunction against the offending business practices, issue fines pursuant to the HBNR, and provide such other relief as the Commission sees fit," it said in the complaint.

In official documents, EPIC states that Grindr explicitly promises a "commitment to privacy". The Grindr app also promises users that should they delete their account, their personal information will no longer be made available and will be deleted within 28 days.

Grindr also states that it discloses users’ personal information to a number of third-party providers, but that it only shares HIV status, last tested date, and vaccination status with necessary service providers. These are companies that host Grindr’s data, process data access requests initiated by users, or send testing reminders to users. Grindr states publicly that it does not disclose health information to advertising companies.

It said:

Despite its promises to users, Grindr has a history of violating its users’ privacy and safety.

It then went on to say that to unlock Grindr’s core functionality that allows users to see potential partners in their vicinity, users must share their location data with the app.

A 2022 Wall Street Journal article found that Grindr sold location data to ad networks. In one case, Catholic publication The Pillar bought commercially available location data from a third-party data broker that enabled The Pillar to track individual Grindr usage, it said. Using the data, the publication outed a senior official of the U.S. Conference of Catholic Bishops as a user of the app, forcing him to resign.

EPIC went on to say that Grindr collects sensitive data such as a person's HIV status. "In 2018, Grindr came under fire for disclosing users’ HIV statuses to third-party businesses. It later promised to stop disclosing that information," it said. It also noted that in 2021, Norway’s Data Protection Authority fined Grindr over US$7 million for illegally disclosing user data to advertisers.

"Beyond its mishandling of users’ personal data, Grindr has also put user safety at risk by failing to remove abusive and fraudulent profiles," it said.

EPIC added that Grindr's former chief privacy officer, Ronald De Jesus, knew that the company had committed multiple privacy violations but did not remedy them.

In June 2023, De Jesus filed a wrongful termination lawsuit against Grindr alleging that Grindr fired him in retaliation for highlighting Grindr’s privacy violations and pushing the company to correct its privacy practices. In his lawsuit, De Jesus alleged that Grindr continues to store user data even after a user deletes their profile. He also alleged that Grindr's third-party consent management platforms and third-party data analytics tools were implemented to "enable the collection of user data without user consent".

"Third-party systems store Grindr users’ data indefinitely, and users are not notified about this third-party data retention," it said, adding that Grindr also failed to conduct security reviews and audits on its systems containing sensitive user data.

"Grindr employees and the employees of Grindr’s third-party providers have unmonitored access to all Grindr users’ personal profiles, including their profiles, email addresses, favourited profiles, messages, and photos," EPIC went on to state.

It added that Grindr allows its ad partners to collect users’ personal data immediately after an ad is shown to the user rather than when the user clicks on or interacts with the ad. "Users are not required to consent nor are allowed to opt out of this data collection. Because some ads focused on HIV prevention medication, De Jesus indicated that this data collection could be used to identify users who were interested in the medication, implicating sensitive health information," it said.

According to De Jesus, Grindr executives were notified about all these privacy violations, but they expressed “disinterest [which] escalated into displeasure and contempt.”

De Jesus also alleged that Grindr cancelled or halted the privacy-promoting projects he was working on prior to his dismissal, including the production of a privacy video series and the creation of a privacy centre, which would have been a central hub for privacy resources on Grindr’s website.

According to De Jesus’ complaint, these privacy violations were still happening with the knowledge of Grindr executives when his wrongful termination suit was filed.

EPIC called on the FTC to enjoin any unlawful data practices confirmed in its investigation and to impose penalties against Grindr for any violations of the Health Breach Notification Rule.

“There’s good reason to believe that Grindr has betrayed the trust and violated the privacy of its users,” said EPIC director of litigation, John Davisson. “It’s critical that the Federal Trade Commission step in and conduct a thorough investigation of Grindr’s personal data practices. Grindr users deserve peace of mind that their sensitive personal data will be protected from mishandling and misuse.”

share on