A Norwegian report has accused several major applications, including Tinder, Grindr and OkCupid, of illegally sharing the personal data of their users to a variety of third parties.

Forbruker Radet, the Norwegian consumer council, claims that a commissioned cybersecurity company called Mnemonic unearthed 135 separate data shares to third parties during its 10 app test and, as a result, has called for authorities to enforce General Data Protection Regulation (GDPR) more strictly.

The data transmitted included information about sexuality, drug use, political views as well as IP addresses and GPS locations. 

What they found

The most disturbing findings found were those on dating site OkCupid, where the report found the app was sending consumers' personal information about sexuality, drug use, political views, and more with the analytics company Braze.

Dating giant Tinder was found to be sending users' GPS positions and target gender to analytics company Appsflyer and customer engagement platform Leanplum.

Another dating app, Grindr was also at the heart of the technical analysis and, like Tinder, was found to be sharing information such as GPS position, IP address and relationship type to a total of 13 third-party sites. 

MyDays, an app that helps women track their menstruation cycle, was seen to be sending GPS coordinates and Wi-Fi access points, as well as a list of installed apps on the consumers' phone to their list of third-party companies. 

All 10 apps analysed were seen to be sending advertising IDs, which allow companies to track consumers across different services, to at least 70 different third parties including Amazon and Facebook. 

Calls for stricter enforcement of GDPR

As a result of their findings, the Norwegian consumer council has called for GDPR to be regulated more stringently. 

GDPR was first implemented in May 2018 by the European parliament and members of the EU and is designed to protect data and privacy within the EU and EEA areas as well as the transfer of personal data outside it. 

Simon McDougall, executive director for technology and innovation at the ICO, a UK independent authority set up to uphold information rights, has responded to the emergence of this report by saying: "Over the past year, we have prioritized engagement with the adtech industry on the use of personal data in programmatic advertising and real-time bidding.

"Throughout the last year, we have been clear that if change does not happen, we would consider taking action. We will be saying more about our next steps soon – but as is the case with all of our powers, any future action will be proportionate and risk-based."

What next?

Finn Myrstad, Director of Digital Policy at Forbruker Radet, has confirmed the body has lodged legal complaints against six of the companies involved in the report and await to see what the authorities will do. 

In the meantime, he said: "There are already plenty of business models that can serve ads to apps and websites that are not so invasive – for example, contextual advertising, which doesn't need personal data at all." Myrstad has called for businesses to use these types of adverts instead of the more invasive ones currently being used."