In response to reports that the LGBTQ dating app Grindr shared information about users’ HIV statuses with third parties, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), members of the Senate Commerce, Science, and Transportation Committee, have sent a letter to the CEOs of Grindr and third parties Apptimize and Localytics, inquiring about their policies for protecting the sensitive information of Grindr’s millions of users.
According to media reports recounted by the senators, notably reporting on the website Buzzfeed, Grindr “is sharing the most personal and sensitive information of its approximately 3.6 million active daily users without their informed consent.”
The data allegedly includes personally identifiable and sensitive user information such as HIV status, email address, telephone numbers, precise geolocation, sexuality, relationship status, ethnicity, and “last HIV tested date.”
“Simply using an app should not give companies a license to carelessly handle, use, or share this type of sensitive information,” the Senators wrote. “Grindr and those with whom it shares its users’ sensitive information has an obligation to both protect this data and ensure users have meaningful control over it.”
In the letters, Senators Markey and Blumenthal ask the companies a series of important privacy and data-security questions, including whether they obtain affirmative opt-in consent prior to using, sharing, or selling users’ sensitive information; what privacy requirements they apply to third parties with whom they share user data; and what data-security practices they adopt to protect this sensitive information from unauthorized breaches.
“Although the reports suggest that Grindr shares profile information with third parties to optimize the app and send targeted advertisements, this sensitive information could be misused if appropriate protections are not in place,” they wrote, fretting that collected data could link individuals to their sexuality and HIV status.
“In the wrong hands, this information could lead to unlawful discrimination or worse,” the letter says. “Simply using an app should not give companies a license to carelessly handle, use, or share this type of sensitive information.”
Markey and Blumenthal demanded answers to a series of questions by April 17. Among them:
Does Grindr obtain users’ affirmative opt-in consent to use, share, or sell their data?
What requirements does the company impose on third parties with whom they share user data?
How long are third parties able to retain user data? What prevents them from selling or sharing this data, or using it for an unapproved purpose?
Do users have the ability to opt out of sharing data with third parties?
When sharing user information, do you practice strong de-identification or anonymization, such that de-identified personal information cannot be reasonably linked to a person or device?
How is information or data related to former users maintained or minimized? What are the data security policies for data collected from former users?
Do you ever notify users of the types of information collected, how and for what purposes you use and share this information, and with whom that information is shared or sold?
Do you notify users within 30 days of a breach? Do you notify them of any mitigating action they should take?
Do you have a clear, user-friendly, easily accessible, and responsive complaint process for users who have reason to believe their privacy has been violated?
The senators also asked Grindr to identify and detail data security practices and policies.