Legal Document
In re Grindr, LLC
Calling on the Federal Trade Commission to investigate Grindr’s data retention and disclosure practices.
On October 4, 2023, EPIC filed a complaint with the Federal Trade Commission (FTC) urging the Commission to investigate Grindr’s privacy practices. EPIC’s complaint highlights Grindr’s checkered history of protecting the privacy and safety of its users and the troubling allegations made by Grindr’s former Chief Privacy Officer Ronald De Jesus in his June 2023 wrongful termination lawsuit against Grindr. As the complaint sets out, Grindr appears to have failed to safeguard users’ sensitive personal data, including the data of users who have deleted their accounts—an unfair and deceptive trade practice prohibited by Section 5 of the FTC Act. The company also appears to have violated the Health Breach Notification Rule (HBNR). EPIC’s complaint urges the FTC to open an investigation into Grindr’s handling of personal data, to enjoin any unlawful data practices confirmed in its investigation, and to impose penalties against Grindr for any violations of the HBNR.
Background
Overview
Grindr is an LGBTQ+ dating app with 13 million monthly active users. The platform describes itself as “the world’s largest social networking app for gay, bi, trans, and queer people.” Grindr’s privacy policies emphasize the company’s commitment to putting users in control of their personal data. Specifically, Grindr’s data retention policy states: “If you decide to delete your account, your Personal Information will no longer be made available via the Services and will generally be deleted within 28 days.” When users delete their Grindr accounts, the Grindr app displays two messages stating that the user’s data will be permanently deleted. Grindr’s data retention policy also prohibits third-party providers from indefinitely retaining user data, and the Privacy and Cookies Policy states that Grindr will notify users if their data is improperly retained by third parties.
Grindr solicits sensitive health information from users, including HIV status, last tested date, and vaccination status. While Grindr’s policies state that it shares health information with third-party providers, the company asserts that it only shares HIV status, last tested date, and vaccination status with necessary service providers such as companies that host Grindr’s data, process data access requests initiated by users, or send testing reminders to users. Grindr states that it does not disclose health information to advertising companies.
Despite these commitments, Grindr has repeatedly failed to fulfill its privacy promises. In 2018, Grindr came under fire for disclosing users’ HIV statuses to third-party businesses; it later promised to stop disclosing that information. In 2021, Norway’s Data Protection Authority fined Grindr over $7 million for illegally disclosing user data to advertisers. A 2022 Wall Street Journal article found that Grindr location data had been sold through ad networks. In one case, the Catholic publication The Pillar bought commercially available location data from a third-party data broker that enabled it to track individual Grindr usage. Using that data, the publication outed a senior official of the U.S. Conference of Catholic Bishops as a user of the app, forcing him to resign. Beyond its mishandling of users’ personal data, Grindr has also put user safety at risk by failing to remove abusive and fraudulent profiles.
In June 2023, Grindr’s former Chief Privacy Officer Ronald De Jesus filed a wrongful termination lawsuit against Grindr alleging that Grindr fired him in retaliation for highlighting Grindr’s privacy violations and pushing the company to correct its privacy practices. His wrongful termination complaint against Grindr details the company’s alleged failure to address multiple privacy violations, including the following:
- Even after users delete their accounts, Grindr continues to store user data, including sensitive data like private messages, users’ self-reported HIV status, vaccination status, sexual preferences, and billions of images, including naked photos;
- Grindr’s retention of user data after users delete their accounts violates Grindr’s Data Retention Policy and multiple state privacy laws;
- Grindr uses OneTrust, a third-party consent management platform, and Amplitude, a third-party data analytics tool; according to the complaint, these tools were implemented to enable the collection of user data without user consent;
- Third-party systems store Grindr users’ data indefinitely, and users are not notified about this third-party data retention;
- Grindr failed to conduct security reviews and audits on its systems containing sensitive user data, including health information like HIV status and vaccination status;
- Grindr employees and the employees of Grindr’s third-party providers have unmonitored access to all Grindr users’ personal data, including their profiles, email addresses, favorited profiles, messages, and photos; and
- Grindr allows its ad partners to collect users’ personal data as soon as an ad is shown to the user rather than when the user clicks on or otherwise interacts with the ad; users are neither asked to consent to nor allowed to opt out of this data collection. Because some ads promoted HIV prevention medication, De Jesus indicated that this data collection could be used to identify users who were interested in the medication, implicating sensitive health information.
De Jesus alleged that he notified Grindr executives of all of these privacy violations, but the executives responded with “disinterest [which] escalated into displeasure and contempt.” According to De Jesus’ complaint, these privacy violations were still happening with the knowledge of Grindr executives when his wrongful termination suit was filed.
FTC Act: Unfair and Deceptive Trade Practices
EPIC’s complaint identifies apparent unfair and deceptive trade practices that, if true, would constitute violations of the FTC Act. EPIC urges the FTC to investigate Grindr’s handling of personal data, issue injunctions to stop any unlawful data practices, and provide other relief the Commission determines is appropriate.
A. Grindr’s Unfair Retention and Disclosure of User Data
A company engages in an unfair trade practice if “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Grindr’s apparent personal data practices—including its alleged retention and disclosure of user data, its apparent failure to implement adequate data security practices, and its alleged failure to control employee access to user data—are unfair because they cause or are likely to cause substantial injury to consumers which is not reasonably avoidable by consumers and because they are not outweighed by countervailing benefits. Grindr’s alleged data practices likely have caused or will cause substantial injury to Grindr users by exposing them to security breaches of highly sensitive data. Consumers cannot reasonably avoid the harm Grindr inflicts when it allegedly retains and discloses user data in violation of Grindr’s policies. Grindr users reasonably rely on the promises Grindr makes in its policies because users must agree to these policies when creating a Grindr account, and Grindr failed to notify users about any retention or disclosure of user data in violation of those policies. The alleged misuse of user data outlined in De Jesus’ complaint is not outweighed by countervailing benefits to consumers or competition. Grindr users have allegedly been exposed to security breaches because of Grindr’s practices, and users whose data was breached after they deleted their accounts could not take part in any possible benefits because they are no longer using Grindr’s app.
B. Grindr’s Deceptive Retention and Disclosure of User Data
Deceptive practices include material representations, omissions, or practices that are likely to mislead a consumer acting reasonably in the circumstances.
Grindr made representations to users through its privacy policies that it would delete user data after each user deleted their account and that it would not permit third parties to indefinitely retain user data. De Jesus’ complaint alleges that, in practice, Grindr failed to delete user data from its own systems after users deleted their accounts. Additionally, third-party providers were permitted to retain user data indefinitely, and Grindr did not ensure that personal information from deleted accounts was removed from third-party providers’ systems. These representations are material because Grindr’s alleged privacy practices are likely to affect a consumer’s decision regarding whether to use Grindr. Grindr allegedly collects and stores sensitive data from users, including information about users’ sexual preferences, self-reported HIV status, chat history with matches, photos users send and receive on the app (including nude images), and location information. Grindr promises to give users control over their personal information and to delete users’ information when users delete their accounts. Learning that Grindr breaks the promises it makes to users would likely affect a consumer’s decision regarding whether to use Grindr. Users were likely to be misled by Grindr’s privacy policies because Grindr does not share its actual data retention and disclosure practices with its users. As former Chief Privacy Officer, De Jesus had access to information about Grindr’s business practices, which apparently demonstrates Grindr’s failure to fulfill the terms of the company’s own privacy policies. However, users and former users have no way of determining whether their data is improperly disclosed or retained unless the company notifies users.
Health Breach Notification Rule
The FTC issued the Health Breach Notification Rule (HBNR) on August 25, 2009. The HBNR requires certain web-based businesses not covered by HIPAA to notify consumers when the security of their electronic health information is breached.
Grindr is subject to the HBNR because it “accesses information in a personal health record” when it prompts users to self-report health information such as their HIV status, last tested date, and vaccination status. Self-reported HIV and vaccination statuses fulfill the HBNR’s definition of personal health records because the data is stored electronically, the data is linked to individual and identifiable profiles, Grindr allegedly draws information about users from multiple sources (including user inputs, app usage, browser history, etc.), and users share their own data by self-reporting the health information. De Jesus’ complaint alleges that he notified Grindr that third-party providers retained access to user data after users had deleted their accounts, in violation of Grindr’s privacy policies. As alleged in De Jesus’ complaint, the third-party providers had proper authority to possess user data while user accounts were active, but their possession of the data became improper once users deleted their accounts. Grindr apparently failed to ensure that its agreements with users—the Grindr Privacy and Cookie Policy and the Data Retention Policy—were upheld, resulting in a security breach of personal health records. Grindr also allegedly breached the HBNR by retaining user health data after users effectively revoked their consent to that retention by deleting their accounts in accordance with the Grindr Data Retention Policy. After De Jesus notified Grindr executives of the security breach, Grindr allegedly failed to notify users as the HBNR requires.
EPIC’s Interest
EPIC has played a leading role in developing the authority of regulators to safeguard the rights of consumers, ensure the protection of personal data, and address privacy violations. Additionally, EPIC called attention to Grindr’s failure to protect users from harassment and abuse by filing an amicus brief in Herrick v. Grindr.
Legal Documents
- EPIC Complaint, In re Grindr, LLC (Oct. 4, 2023)
- De Jesus v. Grindr, LLC (Cal. Super. Ct. June 14, 2023)
- FTC, Policy Statement on Unfairness (1980)
- FTC, Policy Statement on Deception (1983)
- Health Breach Notification Rule (2009)
Resources
- Brief for EPIC as Amicus Curiae Supporting Appellant, Herrick v. Grindr, LLC (2d Cir. 2019) (No. 18-396)
- Byron Tau, Grindr User Data Was Sold Through Ad Networks, The Wall Street Journal (May 2, 2022)
- Azeen Ghorayshi & Sri Ray, Grindr is Letting Other Companies See User HIV Status and Location Data, Buzzfeed News (Apr. 2, 2018)
- Terje Solsvik, Grindr Fine Cut to $7 Mln in Norway Data Privacy Case, Reuters (Dec. 15, 2021)
- Abby Vesoulis, How Dating Apps Became a Paradise for Predators, Mother Jones (Sept. & Oct. 2023)
- Grindr Privacy and Cookie Policy, Grindr
- Personal Information We Collect and Data Retention, Grindr (June 22, 2023)
- How We Share Personal Information, Grindr (June 22, 2023)
News
- Wendy Davis, FTC Urged To Investigate Grindr’s Data Practices, MediaDailyNews (Oct. 4, 2023)
- Mallory Culhane, EPIC Files Complaint Against Grindr, Politico Pro: Morning Tech (Oct. 4, 2023)
- EPIC Asks FTC to Probe Grindr’s Alleged Privacy Abuse, Communications Daily (Oct. 5, 2023)
- Jessica Lyons Hardcastle, EPIC Urges Watchdog to Probe Grindr’s Data Privacy – or Alleged Lack Thereof, The Register (Oct. 5, 2023)
- Suzanne Smalley, Privacy Nonprofit Calls on FTC to Investigate Grindr’s Data Practices, The Record (Oct. 5, 2023)
- Camillia Dass, EPIC Files FTC Complaint Against Grindr’s Data Privacy Practices, Marketing-Interactive (Oct. 5, 2023)