Complaint says Bumble feature connected to OpenAI violates European data privacy rules

The app company Bumble’s partnership with OpenAI violates Europe’s General Data Protection Regulation, according to a complaint filed by an influential data privacy advocacy organization.

The organization, noyb (None of Your Business), alleges that a feature known as Icebreakers violates four provisions of the GDPR.

Introduced in December 2023 on the company’s Bumble for Friends app, the feature uses OpenAI to analyze users’ profiles, but does so without direct consent, noyb says in the complaint, filed Wednesday. 

Bumble for Friends — which is separate from the company’s flagship dating app — is designed for platonic relationships. The Icebreakers feature gives consumers pre-formulated messages created by OpenAI.

Bumble’s website says the technology is meant to help customers “come up with a tailored, meaningful message” when communicating with other users.

Noyb has notched significant data privacy wins previously, including by playing a key role in prompting European regulators in 2023 to fine Meta €1.2 billion ($1.4 billion) and order it to stop transferring data to the U.S.

Bumble did not respond to a request for comment.

The complaint alleges that Bumble violated GDPR due to a lack of transparency; the lack of a legal basis for transferring personal data to OpenAI; the lack of a legal basis for transferring sensitive data to OpenAI; and not telling the users who was receiving their data.

Icebreakers relies on popups instead of soliciting direct user consent, noyb says.

The popups say “AI breaks the ice,” according to a noyb press release. “We use AI to help you get started with chatting. This allows you to ask questions that match the profile information of our members.” 

Bumble does disclose that Icebreakers users’ data is processed by OpenAI on a separate frequently asked questions page, but when the user closes the FAQ page “they return to the pop-up and must interact,” the complaint says.

That mechanism is not sufficient under GDPR, noyb alleges. 

“The banner clearly is designed to nudge users to click ‘Okay,’” the press release says.

If users try to close the pop-up without pressing “Okay,” it reappears every time the app is opened, noyb says, as well as at “random intervals” while the app is being used.

“While this suggests that Bumble relies on (annoying forms of) consent, Bumble seems to merely pretend to ask for consent, which gives people a false sense of control,” the press release says.

The individual making the complaint with noyb’s help alleges that they clicked “Okay” to make the pop-up go away and did not understand that they were agreeing to allow OpenAI to process their data. 

When the user subsequently messaged Bumble to clarify who their data was sent to and what data was shared, the complaint says, the company never provided answers.