Norway accused numerous dating behemoths of illegally selling sensitive user data, prompting a new online privacy scandal. A Wednesday research paper titled “Out of Control” presents a comprehensive case against Grindr, Happn, OKCupid, and Tinder’s apparent lack of care for a prominent piece of EU legislation.
These companies have been ignoring the General Data Protection Regulation for nearly two years and now risk crippling fines, said the Norwegian Consumer Council, the watchdog that commissioned the probe from its countrymen at cybersecurity firm Mnemonic.
The investigation revealed everything from lax data management practices to nefariously convoluted terms of use. Furthermore, the aforementioned quartet still isn’t even directly asking users for consent before disseminating their sensitive information to dozens of partners and clients.
The 20-page report has already raised vocal concerns on social media, especially as it also places significant blame on Twitter. It turns out the social media platform’s advertising unit MoPub was a slow-to-react enabler of that privacy-violating behavior.
In a public reaction to the ordeal, Tinder and OKCupid’s parent, Match Group, denied allegations of illegal business practices. Unsurprisingly, Happn and Grindr also appear less than keen on admitting to any wrongdoing.
The dating giants aren’t the only ones engulfed in the newest digital privacy debacle; the full summary of “out-of-control” mobile apps is as follows:
GDPR: all bark and no bite?
Somewhat ironically, the watchdog that brought these issues to light doesn’t even come from one of the EU member states. Regardless, the NCC’s paper isn’t critical of Brussels for not doing a better job at enforcing GDPR.
While perfect implementation was always impossible, the likes of Grindr and Tinder are hardly fringe digital players. The firms behind the problematic apps that Oslo identified boast hundreds of millions of users worldwide.
In other words, if they can fly under the regulatory radar, it’s difficult to imagine who can’t.
The EU Commission has yet to signal intent to look into the troubling research. GDPR entered into force 20 months ago but has so far yielded mostly noise and minor fines, at least relative to its spirit.
By far its biggest result to date is a $230-million penalty against British Airways. Imposed half a year back in reaction to a massive data breach, even that “victory” now seems like mere theater.
The airline eventually made the most of the Brexit drama, essentially enlisting the UK government’s help in indefinitely prolonging the process led against it.
In theory, if even a fraction of the newly outlined accusations are verified, Match Group could face a maximum fine of around $400 million. That’s because GDPR aims to sanction digital privacy abusers based on their revenues, i.e. figures they can’t easily manipulate.
Regardless, the current state of data protection and GDPR enforcement in Europe is lacking at best. It consequently doesn’t exactly inspire optimism in privacy activists across the Pond, where the situation’s arguably even more dire.