Grindr's chief privacy officer on the dating app's data controversies

Hundreds of Grindr users filed suit against the LGBTQ+ dating app late last month for allegedly sharing their HIV status with third parties without consent. The accusations are the latest in a string of privacy-related scandals for the company, including a 2022 incident in which the site’s data sharing practices reportedly led to the outing of a senior Catholic church official as a Grindr user.

Kelly Peterson Miranda took over as Grindr’s chief privacy officer in January 2023 following the departure of Ronald De Jesus, who has alleged that the company stored user data, including photos and videos, after people deleted their accounts — a violation of the app’s privacy policy. De Jesus has accused Grindr of rampant privacy abuses and is suing the company for wrongful termination. In October the Electronic Privacy Information Center, a leading advocacy group, appealed to the Federal Trade Commission to investigate the app for its history of alleged privacy abuses.

Miranda asserts that the pioneering app’s privacy practices are far more rigorous than its competitors. In an interview with Recorded Future News, Miranda discusses why the HIV-status lawsuit is unfair, how Europe’s General Data Protection Regulation (GDPR) is discriminatory and why data minimization is critical to privacy protection.

This conversation has been edited for length and clarity.

RECORDED FUTURE NEWS: About three weeks ago, Grindr was sued in the U.K. for allegedly sharing users’ private information, including HIV status and the date of the last HIV test, with third parties without consent. Did this happen as plaintiffs’ attorneys allege?

KELLY PETERSON MIRANDA: In the lawsuit they allege that we sold health information — HIV last-tested date — and used it for advertising purposes, which categorically I can say no, that never happened. We have never used users’ health-related information for any type of advertising purposes as purported in the lawsuit. The activity that they described in the lawsuit we believe is a mischaracterization of practices that happened two management teams ago, and we will defend ourselves vigorously against those claims.

The information was shared with two service providers for the purposes of rolling the features out and this all predated my employment with the company. It was characterized as a breach back in pre-2018 or early 2018. It was never a breach, it was never shared unknowingly. It was shared in encrypted manners for the purposes of actually rolling out and monitoring the feature. 

RFN: What was the feature? 

KPM: HIV, the ability for users to input that information and have it as a part of their profile. It never got to parties who were never intended to receive the information. We no longer work with those third parties and those third parties have since expunged the data from their systems as well. [Editor’s Note: Grindr users can still list their HIV status publicly, if they choose.]

RFN: Nonetheless, do you see the sharing of HIV information with third parties as a breach of users’ trust? Did your privacy policy warn users that such data sharing was possible? 

KPM: We always disclose, even today if you look at the privacy policy, the potential for that information to be shared with limited service providers. I think that most people have an understanding that no company operates in a vacuum by itself. There are contractors or service providers that we work with to offer the services. So today we explicitly state that this information is shared with those service providers who have a requirement to need access. We've always been transparent with regards to the use of third parties and the data that third parties may need to have access to in order to help us provide the services. 

RFN: Have you changed your privacy practice at least on sharing HIV-related information with third parties?

KPM: The position hasn't changed because — the same as it is today — it's only ever shared with those third parties who we have to in order to provide the service. There was a lot of mischaracterization that it was shared for advertising purposes or monetization purposes and we've never shared information with third parties in order to do anything other than make it available for users to display in their profile. 

RFN: And that's true across the board, not just with HIV status?

KPM: We've always disclosed what information may be shared for certain purposes. There were some changes that were made after I came on board where we stopped sharing certain pieces of profile information for advertising purposes such as age and gender. [Now, what we share] for advertising purposes is very limited. It's a mobile ad ID if the user consents to that being shared.

RFN: Is consent just based on a privacy policy being shared or is it affirmative consent?

KPM: It’s affirmative consent in the EU. The consent is dependent on where the user lives, but all users have the option to go in and either opt in or opt out of personalized ads, which will then determine what information is or is not shared. 

Historically, fields like age and gender may have been shared. Today all that is shared with advertisers is a mobile ad ID if the user consents to that being shared, some basic phone information for the ad to be served — the phone type and size so that the ad will render correctly — an IP address because that is required, that's how information is sent across the internet. So no profile information. No location information. No personal information beyond the mobile ad ID is shared today. 

RFN: In 2022, the Wall Street Journal reported that Grindr sold location data to ad networks resulting in the outing of a senior official [Monsignor Jeffrey Burrill] with the U.S. Conference of Catholic Bishops. Back then it seems that location data was shared.

KPM: That's accurate because it was industry practice to share location data as a part of an ad bid request at the time. That's another change that was put in place — location information is no longer shared. 

RFN: Does Grindr regret that that happened?

KPM: We dispute that the information that led to Monsignor Burrill's dismissal was Grindr information because it has never been proven. We asked repeatedly for the underlying data so that we could run our own analysis to understand where it came from because the information that was in [an article by the publication Pillar] was much more broad and vast than what Grindr would have, and so we suspect that this was actually data that was packaged at the network level, and not actually Grindr data. It's not been proven today as far as we know that it is Grindr data that led to his dismissal.

The mobile phone company has access to much more data than what Grindr ever collected or used for advertising purposes. The amount of data that was used and discussed in that Pillar article goes beyond what Grindr would ever have held or collected on users. 

RFN: You were also fined by the Norwegian Data Protection Authority (DPA) in 2021 for illegally sharing private user data with at least five advertising firms and had to pay nearly $12 million to resolve the decision. Do you believe that the fine also was unfair? 

KPM: We do believe the fine was unfair because we're still fighting it in court. I was just in Norway in March for the hearing where we are suing to have the decision overturned and the fine overturned as well. The basis of the Norwegian Data Protection Authority’s claim is that we did not collect proper consent or the right level of consent to share the users’ data for advertising purposes which we disagree with. 

Then the decision goes even further to what we believe is a discriminatory decision where they state that all Grindr user data is sensitive, or what we call Article 9 data, which means under the GDPR you have several different what we call legal bases — you have to have a legal basis in order to collect and process information. For non-sensitive data it can be things like performance of contract, it can be legitimate interest, it can also be consent. But once data moves over into the sensitive or special category data, the only legal basis a company can use to collect and process is consent.

What the Norwegian DPA has said is that Grindr, because of the app name and who we are, all of our users’ data, all the data that we collect — so things such as age, height, an interest in brunch or hobbies — is sensitive data because of the app that we are. 

The user would be required to give affirmative consent for every single piece of information, every chat message that is sent, every video call that’s made. 

RFN: So in other words a popup each time saying, “do you consent?”

KPM: Yes.

RFN: When you say that's discriminatory, you mean because they are applying that only to Grindr as opposed to other dating apps because you cater to LGBTQ+ populations?

KPM: Yes. They're saying that we know the sexual orientation of all of our users which we don't. We don't even ask that question. Other companies who are collecting more or the same type of information don't have that barrier of consent to adhere to just because they cater to a broader audience. It’s going to disproportionately impact service providers like Grindr who are a service to a certain community. 

RFN: Last month you published a blog post saying Grindr understands some of its users live in one of the 60-plus countries where being gay is a crime and that your “commitment to privacy goes beyond mere compliance. It's the fundamental promise we make to each and every user.” Do you worry that your users don’t trust you? 

KPM: I am dedicated to making sure that we tell our story about all of our controls and our philosophical approach to privacy so that users understand. Unfortunately, throughout Grindr’s history, there have been headlines such as what you mentioned and they always come out and then they disappear. The end result is rarely ever reported on which is that there may be some questions asked and ultimately no illegal or deceptive tactics were found. 

It starts with data minimization which is a key privacy principle and so we require as little information as possible for someone to use our services. Users have options on what they provide. They also remain in control of whether information stays in their profile or not. It can be erased at any time. So to establish a Grindr account they need a sign up mechanism of some sort whether that's an email, a phone number or a social login and an age to verify that they're old enough to use the services. Beyond that, everything else is really at the user's discretion. We don't collect full legal name. We don't require anyone to fill out the totality of their profile. We haven't even nudged users to fill out the totality of their profiles. 

RFN: Who are your advertising partners?

KPM: You can see all of our advertising partners. They’re listed in our privacy policy. They're also listed in the CMP that users see, that full screen takeover that I said, but our current ad partners are companies such as Google AdMob, PubMatic, Vungle. We work with eight ad partners right now.

RFN: Have you thought about just not sharing any data with ad partners? 

KPM: We already share the least amount of data possible. If someone opts out we don’t share any personal information. So the only piece of personal information right now that’s shared with consent is a mobile ad ID. That's it. Everything else is device related information in order to just show an ad.

RFN: But mobile ad IDs can be used to connect people through other data that's in the marketplace to figure out who they are.

KPM: So there is that possibility, but users also have the ability to reset their mobile ad ID so it's not a persistent identifier and that's controlled at the phone, at the operating system level. Apple a few years ago came out with what they call the app tracking and transparency policy. If a user opts out of ad tracking at the device level on an iPhone, we as Grindr don't even get the mobile ad ID so it's impossible for us to pass along an ID because we don't even get it. I would say that we see about 70% or so of our iPhone users opt out at the device level so there's not even a possibility for us to pass a mobile ad ID. 

RFN: But you could choose to just not work with any ad partners at all? I realize that would go far beyond what the rest of the sector is doing, but that would be something you could choose to do?

KPM: There would be nothing to subsidize the free version of the service so to offset that we would have to charge a subscription fee to every user. 

RFN: The former Grindr chief privacy officer Ronald De Jesus has said he was fired after alerting executives to rampant violations of the company privacy policy. He said that Grindr stores users’ private data, including photos and messages, after they delete their accounts. Is that true? 

KPM: No, I can tell you as chief privacy officer data is expunged or deleted in accordance with our retention schedule or when a user deletes their account as outlined in our privacy policy. 

RFN: How would you characterize what you're doing on privacy compared to the rest of the dating app sector?

KPM: It all goes back to data minimization. I think other apps are looking to collect as much information as possible and are nudging users to complete profiles, to upload photos, to give more information throughout the user journey. We value user choice in allowing all of that to remain optional — not requiring photos to use Grindr, not requiring legal names and things of that nature. We are really prioritizing privacy and discretion about data collection.