A Norwegian study called « Out Of Control » was published today 14 January 2020, reporting how the AdTech industry is using Mobile Applications, including online dating platforms, such as Tinder, Grindr, Clue or OKCupid are massively collecting user data through mobile apps and sharing personal and sensitive personal data to third parties without the user’s consent, information and alleging clear violations of the GDPR.

Two reports are available which includes:

1. a general overview called OUT OF CONTROL: How consumers are exploited by the online advertising industry; and
2. a technical report called “OUT OF CONTROL” – A REVIEW OF DATA SHARING BY POPULAR MOBILE APPS.

The first 186 pages report shows how consumers are exploited by the online advertising industry.

WHAT THE REPORT CONTAINS

This Norwegian study, coordinated with 10 other associations, including the Swiss French speaking division of the Swiss Consumer Federation, reports how consumers are exploited by the Adtech industry via mobile Apps using dating platforms. The disclosure of personal data, involved, in some case, even HIV status of member of online dating platforms for target advertising, even using personal data for discrimination. 

The first report (non technical) talks about (1) Profiling and targeted advertising, and how the players of the adtech industry are organized to get the most of personal data, especially to monetize it; (2) the harmful effects of profiling and behavioural advertising, such as discrimination, manipulation, lack of trust, asymmetries in the digital world, fraud, freedom of expression, etc.; (3) the data flows with third parties and how the transfer mechanisms between mobile Apps and third parties work to allow « shadow companies » to use such data to make profits; (4) information and pretended choices for the users; (5) a legal analysis of the requirements and potential violations of the GDPR.

WHAT THE LEGAL ANALYSIS EXPLAINS

The legal analysis provides 2 elements that are of interests: (1) the roles and responsibilities of the parties (controllers, processors and joint controllers); and (2) what legal bases could or should be used.

Different parties

The report explains that in terms of roles and responsibilities:

• the consumer is the data subject;
• the app providers are controllers,
• the AdTech third parties receiving personal data from the apps are either processors, separate controllers, or joint controllers, depending on how and under what terms they use the personal data;
• third parties providing basic analytics or error logging functions for the app provider may be considered a data processor if it is acting only upon the instructions of the publisher ;
• marketers that are involved in the purchase of targeted advertising can be considered joint controllers, even if they do not actually process personal data themselves, as long as they define the means purposes of the processing.

Legal bases

The report refers (p. 168) to the EDPS and art. 29WP’s opinion that « the opt-in consent would almost always be required […] for tracking and profiling for purposes of direct marketing, behavioural advertisement, location-based advertising or tracking-based digital market research. ». This means that unless there is another legal basis, such as the legitimate interest of the company processing the data, consent is the only way to justify this processing activity (in some cases explicit consent should even be necessary) to comply with the GDPR.

THREE COMPLAINTS TO DATA PROTECTION AUTHORITIES

As a result, 3 complaints have been filed to Data Protection Authorities by the Norwegian Consumer Council against Grindr and five other companies, such as Twitter’s MoPub, AT&T, AppNexus, OpenX, AdColony and Smaato.

The first complaint (available here) is filed against Grindr, AppNexus Inc and OpenX Software Ltd.. To take the example of Grindr, the report outlines that the following personal data are collected:

• chat message text, chat message images,
• e-mail address, display name, “About Me”, age, height, weight,
• body type, position, ethnicity, relationship status,
• “My Tribes”, “I’m Looking For”,
• gender, pronouns,
• HIV status, last tested date,
• profile picture, linked Facebook data, linked Twitter data, linked Instagram data,
• location data, IP address, and device ID, such as Google Advertising ID

Such categories of personal data are shared with 3rd party analytics and advertising companies performing behavioral advertising on the free versions of the Apps.

More information on the study on the web page of the « Out of Control » report, with the standard report and the technical report accessible here.