Popular Apps Share Intimate Details About You With Dozens of Companies

A new study shows how information about your sexuality, religion, and location is sent straight from phones to data brokers

By Thomas Germain

January 14, 2020

A new study shows how popular apps, including Grindr, OkCupid, Tinder, and the period-tracking apps Clue and MyDays, share intimate data about consumers with dozens of companies involved in the advertising business.

The details include data that could indicate users’ sexual orientations and religious beliefs, along with information such as birthdays, GPS data, and ID numbers associated with individual smartphones, which can help tie all the data back to a single person.

The study, conducted by an advocacy group called the Norwegian Consumer Council, examined 10 apps and found that they were collectively feeding personal information to at least 135 companies.

The list of companies receiving the information includes household names such as Amazon, Facebook, and Google, but the majority are little-known outside the tech industry, such as AppsFlyer, Fysical, and Receptiv.

The data-sharing isn’t limited to these apps, the researchers say.

“Because of the scope of tests, size of the third parties that were observed receiving data, and popularity of the apps, we regard the findings from these tests to be representative of widespread practices,” the report says.

Many of the companies involved make money compiling details about individual consumers to build comprehensive profiles in order to target personalized ads.

“However, there are increasingly other uses beyond targeted advertising,” says Serge Egelman, a digital security and privacy researcher at the University of California, Berkeley, who studies how apps gather consumer data.

Hedge funds and other businesses buy location data to analyze retail sales and plan investments, and political campaigns use reams of personal data from mobile devices to identify potential supporters for targeted outreach.

In the wrong hands, databases of information that include details like sexual orientation or religious affiliation could leave consumers vulnerable to discrimination and exploitation, the NCC says. It’s all but impossible to determine where all the data ends up.

The NCC says its study uncovered numerous violations of Europe’s sweeping privacy law, the General Data Protection Regulation (GDPR), and practices within LGBTQ+ dating app Grindr were particularly egregious. The organization is filing an official complaint against the company and a number of other businesses that received data from Grindr.

The same problems extend to American consumers.

“There’s no reason to think these apps and countless others like them behave any differently in the United States,” says Katie McInnis, policy counsel at Consumer Reports, which is joining more than 20 other organizations to call for action from regulators. “American consumers are almost certainly subjected to the same invasions of privacy, especially considering there are hardly any data privacy laws in the U.S., particularly at the federal level.”

The NCC analyzed Android apps—all available on iPhones as well—chosen because they were likely to have access to highly personal information.

They included the dating apps Grindr, Happn, OkCupid, and Tinder; the period tracking and reproductive health tracking apps Clue and MyDays; a popular makeup and photo editing app called Perfect365; the religious app Qibla Finder, which shows Muslims which direction to face while praying; the children’s game My Talking Tom 2; and the keyboard app Wave Keyboard.

Every app in the study shared data with third parties, including personal attributes such as gender and age, advertising IDs, IP addresses, GPS locations, and users’ behavior.

For instance, a company called Braze received intimate details about users from OkCupid and Grindr, including information users submitted for matchmaking, such as details about sexuality, political views, and drug use.

Perfect365, which counts Kim Kardashian West among its fans, sent user data, sometimes including GPS location, to more than 70 companies.

Consumer Reports reached out to Grindr and Match Group, which owns OkCupid and Tinder. The companies did not respond to CR’s questions prior to publication. A Perfect365 representative told Consumer Reports that the company “is in compliance with the GDPR” but did not respond to specific questions.

App privacy policies often make it clear that data is shared with third parties, but experts say it’s impossible for consumers to get enough information to give meaningful consent.

For example, Grindr’s privacy policy says its advertising partners “may also collect information directly from you.” Grindr’s policy goes on to explain that the ways those third parties choose to use or share your data is governed by their own privacy policies, but it doesn’t name all those other companies, in case you wanted to investigate further.

At least some of those other businesses, including Braze, say they may pass your information on to additional companies, in what amounts to an invisible chain reaction of data-sharing. Even if you had time to read all the privacy policies you’re subject to, you wouldn’t know which ones to look at.

“These practices are both highly problematic from an ethical perspective, and are rife with privacy violations and breaches of European law,” Finn Myrstad, director of digital policy at the NCC, said in a press release.

The U.S. doesn’t have a national privacy law equivalent to the GDPR, but California residents may have new rights that could be used prevent some of the practices outlined by the NCC, thanks to the California Consumer Privacy Act, which went into effect Jan. 1.

But whether or not the CCPA will actually protect consumers all depends on how the California attorney general interprets the law. The attorney general’s office is set to release guidelines for the CCPA in the next six months.

“The report makes it clear that even if you have laws on the books that protect consumer privacy rights and preferences, that doesn’t really matter unless you have a strong cop on the beat,” McInnis says.

Consumer Reports is signing on to letters with nine other U.S.-based advocacy groups calling on Congress, the Federal Trade Commission, and the California, Oregon, and Texas attorneys general to investigate, and asking that regulators take this new information into consideration as they work toward future privacy regulation.

There are lessons here for consumers as well.

“A big problem is that consumers generally worry about the wrong things,” Berkeley’s Egelman says. “Most people really care about apps secretly recording audio or video, which doesn’t really happen all that often, but then don’t understand all the things that are being inferred about them just based on their location data and the persistent identifiers that uniquely identify their devices.”

Consumers can take a number of steps to protect their privacy. These include adjusting privacy settings for Facebook and Google, limiting which apps have permission to access things such as location information, and deleting old accounts you’re no longer using. You may not be able to solve the problem entirely, but you don’t have to wait for federal regulators to make meaningful changes that will protect your privacy.

For more information, check out Consumer Reports’ Guide to Digital Security & Privacy, or follow our steps for 30-second privacy fixes you can tackle right now.

Thomas Germain

Thomas Germain was previously a technology reporter at Consumer Reports, covering several product categories and reporting on digital privacy and security issues. He investigated the sharing of sensitive personal data by health-related websites and the prevalence of dark patterns online, among other topics. During his tenure, Germain’s work was cited in multiple actions by the Federal Trade Commission.