Twitter says it suspended Grindr, the gay dating app, from its ad network after a report revealed privacy concerns with how the app shared personal data with marketing partners.
The new report, commissioned by the Norwegian Consumer Council, alleged that Grindr transmitted personal information on its estimated 3 million daily users worldwide to ad tech partners, including Twitter’s MoPub, which is a mobile ad network that helps apps make money by filling their ad inventory. The report also names other advertising platforms OpenX and AppNexus, which help brands bid on ads through platforms like MoPub to appear on apps like Grindr. AppNexus is a part of Xandr, the advertising and analytics division of AT&T.
“Twitter’s MoPub managed data transmissions that included personal data of a Grindr user,” according to researchers from Mnemonic, a Norwegian security firm that studied the app and ad tech partners. “Simultaneously, a number of other third parties were observed receiving personal data directly through their SDK integrations in the Grindr app.”
The dating app caters to the gay community and could collect personal details on sexual preferences, gender identity and health issues. Grindr was accused of sharing data like age, gender, location, and device information with Twitter’s MoPub.
After the report was made public, first reported in The New York Times, Twitter said it would investigate how Grindr obtained permission from users to share their data, which is at the heart of the complaint. "We are currently investigating this issue to understand the sufficiency of Grindr's consent mechanism,” a Twitter spokeswoman said in an e-mail statement. “In the meantime, we have disabled Grindr's MoPub account.”
The New York Times also highlighted potential problems with other dating apps, like OK Cupid and Tinder, sharing personal information with marketing partners. U.S. privacy watchdogs have since called for regulators and lawmakers here to investigate dating and health apps, based on the reports findings.
The EU allows companies to collect and share data with third parties if they receive the proper consent of users. In the U.S., there are similar laws to GDPR, like California’s Consumer Privacy Protection Act, which regulates how companies collect and sell personal information. Governments and regulators have been addressing data and privacy issues more urgently as security threats become increasingly pressing. There have been costly hacks of private companies that leak personal information leaving people susceptible to fraud. Also, the widespread abuse of online data was seen as one of the factors that left democratic elections vulnerable to foreign interference, particularly the U.S. presidential election in 2016.
New privacy regimes are upending the digital advertising ecosystem. While much of the attention has focused on the biggest internet companies, Facebook and Google, the rules are affecting all the companies that process online data, bid on ad inventory on websites and apps, and analyze web traffic.
Companies are duking it out in the courts in Europe as they argue over interpretations of GDPR, like how to properly attain consumer consent. In California, companies are advancing differing opinions over what it means to “sell” data.
The latest report on Grindr highlights the uncertainty around GDPR. The report alleges that Grindr does not follow the proper consent procedures to share data with MoPub and its partners OpenX and AppNexus. It also claims that targeted digital advertising does not fall under a “legitimate” business interest.
“Twitter’s MoPub relies on the invalid consent collected from the app, in this case Grindr,” according to the report.
The authors of the report did not immediately respond to request for comment. Grindr and OpenX did not respond to requests for comment, and Xandr declined to comment on behalf of AppNexus.
The report calls for a fines of Twitter, OpenX, AppNexus and Grindr. Under the GDPR, the maximum fine for a violation is up to 4 percent of annual revenue. In Twitter’s case, that would amount to an estimated $120 million, based on $3 billion revenue from 2018.