Grindr, which is owned by the Kunlun Group, a company based in Hong Kong, has more than 3.6 million active users. The Norwegian Consumer Council, a nonprofit group in Oslo that first raised concerns about the company’s practices, said the dating app had shared users’ H.I.V. status with two software companies, Apptimize and Localytics. Although the app encrypted the H.I.V. status data, the analysis found that Grindr had shared other highly sensitive details — including users’ romantic aims and self-identified tribes like “leather” or “bear” — with an ad-targeting company without encryption.
In a complaint to the Norwegian data protection agency, the group said Grindr had violated a European data protection law that requires special protections for processing sensitive data including details about health and sex. The group said Grindr had also violated a provision in the law that requires companies to obtain informed consent before using people’s data for new purposes.
In its statement, Grindr said that it worked with software vendors to improve its platform and that, in doing so, it may share details about users’ H.I.V. status or location. The company reminded users that “Grindr is a public forum” and that they should know that data they included in their profiles, including their H.I.V. status, would become public.
“As a result, you should carefully consider what information to include in your profile,” the statement said.
But consumer advocates said Grindr had used intimate personal details for purposes that the app’s users had never signed up for or even knew about.
“It’s totally invisible to the user, which is why they feel betrayed and a loss of control when sensitive data about them is shipped to some third party,” said Justin Brookman, the director of consumer privacy and technology policy at Consumers Union, the advocacy arm of Consumer Reports. “I hope this will get app developers and other companies to rethink their promiscuous data-sharing practices.”