UK Lawsuit Claims Grindr Shared HIV Status

Gay dating app Grindr has been sued in the UK for allegedly sharing users’ sensitive personal data, including HIV status, with third parties.

The lawsuit by firm Austen Hays at the High Court in London claims “covert tracking technology” was deployed by Grindr and highly sensitive information was shared with advertisers.

The firm said about 670 people have signed up to the mass lawsuit and that potentially thousands more could join the case.

The breaches allegedly took place mainly before 3 April 2018, but also between 25 May 2018 and 7 April 2020.

‘Mischaracterisation’

Grindr said it would “respond vigorously” to the lawsuit, which it said “appears to be based on a mischaracterisation of practices from more than four years ago”.

The firm hopes to claim more than £100,000 in damages, according to its filing with the High Court.

Austen Hays attorney Chaya Hannoomanjee, who is leading the case, said claimants “experienced significant distress over their highly sensitive and private information being shared without their consent”.

“Grindr owes it to the LGBTQ+ community it serves to compensate those whose data has been compromised,” Hannoomanjee said.

Commercial purposes

The claim says Grindr shared sensitive data with third parties for commercial purposes, in violation of UK data protection laws.

The data included users’ ethicity and sexual orientation, the lawsuit claims.

It names data analytics firms Apptimize and Localytics as third parties which had access to the data.

But a potentially unlimited number of third parties used the data to customise advertisements for Grindr users, with some possibly retaining some of the shared data for their own purposes, the lawsuit claims.

Controversy

In April 2018 Norwegian non-profit group Sintef reported that Grindr had been sharing sensitive data including HIV status with Apptimize and Localytics, who were tasked with helping Grindr improve its platform.

Grindr admitted the practice, but said it was industry standard and that it differed from the sale of personal information to third parties or advertisers, which it said it had never done and would never do.

But in December 2021 the Norwegian data protection authority fined Grindr approximately 6.5 million euros (£5.6m) for sharing users personal information with third parties for creating tailored advertisements, including GPS location, IP address, advertising ID, age and gender.

The firm’s practices violated the EU’s General Data Protection Regulation (GDPR),the Norway DPC said.

‘Valid legal consent’

Grindr said at the time that it obtained “valid legal consent from all” European users.

The firm was reprimanded by the UK Information Commissioner’s Office (ICO) in 2022 over its data protection practices.

The ICO said the firm had failed to “provide effective and transparent privacy information to its UK data subjects in relation to the processing of their personal data”.