A Norwegian study called “Out Of Control” was published today 14 January 2020, reporting how the AdTech industry is using Mobile Applications, including online dating platforms, such as Tinder, Grindr, Clue or OKCupid are massively collecting user data through mobile apps and sharing personal and sensitive personal data to third parties without the user’s consent, information and alleging clear violations of the GDPR.
Two reports are available which includes:
- a general overview called OUT OF CONTROL: How consumers are exploited by the online advertising industry; and
- a technical report called “OUT OF CONTROL” – A REVIEW OF DATA SHARING BY POPULAR MOBILE APPS.
The 186 pages report shows how consumers are exploited by the online advertising industry.
WHAT THE REPORT CONTAINS
This Norwegian study, coordinated with 10 other associations, including the Swiss French speaking division of the Swiss Consumer Federation, reports how consumers are exploited by the Adtech industry via mobile Apps using dating platforms. The disclosure of personal data, involved, in some case, even HIV status of member of online dating platforms for target advertising, even using personal data for discrimination.
The first report (non technical) talks about interesting elements.
(1) Profiling and targeted advertising, and how the players of the adtech industry are organized to get the most of personal data, especially to monetize it.
(2) the harmful effects of profiling and behavioural advertising, such as discrimination, manipulation, lack of trust, asymmetries in the digital world, fraud, freedom of expression, etc.;
(3) the data flows with third parties and how the transfer mechanisms between mobile Apps and third parties work to allow “shadow companies” to use such data to make profits;
(4) information (transparency) and pretended choices for users.
(5) a legal analysis of the requirements and potential violations of the GDPR and the actions that the Council suggests to take.
WHAT THE LEGAL ANALYSIS EXPLAINS
The legal analysis provides 2 elements that are of interests: (1) the roles and responsibilities of the parties (controllers, processors and joint controllers); and (2) what legal bases could or should be used.
The report explains that in terms of roles and responsibilities:
- consumers are data subjects;
- app providers are controllers,
- AdTech third parties receiving personal data from the apps are either processors, separate controllers, or joint controllers, depending on how and under what terms they use the personal data;
- third parties providing basic analytics or error logging functions for the app provider may be considered a data processor if it is acting only upon the instructions of the publisher ;
- marketers that are involved in the purchase of targeted advertising can be considered joint controllers, even if they do not actually process personal data themselves, as long as they define the means purposes of the processing.
Choosing the right legal ground is key. The report refers (p. 168) to the EDPS and art. 29WP’s opinion that “the opt-in consent would almost always be required […] for tracking and profiling for purposes of direct marketing, behavioural advertisement, location-based advertising or tracking-based digital market research“. This means that, unless there is another legal basis, such as the legitimate interest of the company processing the data, consent is the only way to justify this processing activity. In some cases, explicit consent should even be necessary) to comply with the GDPR. This report suggests that controllers may have failed to comply will all consent and transparency requirements (no bundled consent, not passing consent to third parties, not freely given, not unambiguous, etc.), exploiting user personal data for the benefit of shadow companies, monetizing their data through the lucrative business model of adtech industries.
THREE COMPLAINTS TO DATA PROTECTION AUTHORITIES
As a result, 3 complaints have been filed to Data Protection Authorities by the Norwegian Consumer Council against Grindr and five other companies, such as Twitter’s MoPub, AT&T, AppNexus, OpenX, AdColony and Smaato.
The first complaint (available here) is filed against Grindr, AppNexus Inc and OpenX Software Ltd.. To take the example of Grindr, the report outlines that the following personal data are collected:
- chat message text, chat message images,
- e-mail address, display name, “About Me”, age, height, weight,
- body type, position, ethnicity, relationship status,
- “My Tribes”, “I’m Looking For”,
- gender, pronouns,
- HIV status, last tested date,
- profile picture, linked Facebook data, linked Twitter data, linked Instagram data,
- location data, IP address, and device ID, such as Google Advertising ID
Such categories of personal data are shared with 3rd party analytics and advertising companies performing behavioral advertising on the free versions of the Apps.
NOW DATA PROTECTION AUTHORITIES WILL INVESTIGATE
This would be now to data protection authorities to handle this case and the analyse whether the Out of Control report and the complaint demonstrate a violation the GDPR from online dating platform. This will require some time to investigate and we will for sure stay tuned to understand what future actions will the authorities take to investigate and potentially sanction companies that are infringing the GDPR. It would also be interesting to see, as some controllers are located outside the EU, how the sanctions, should there be any are going to be enforced outside Europe. Maybe through the EU local representative? —