Privacy nonprofit calls on FTC to investigate Grindr’s data practices

A complaint filed with the Federal Trade Commission (FTC) Wednesday urges the agency to investigate the LGBTQ+ dating app Grindr for potentially illegally storing and disclosing users’ sensitive data, including HIV and vaccination status.

The Electronic Privacy Information Center’s (EPIC) complaint lays out Grindr’s history of compromising users’ privacy and safety, pointing most recently to allegations made by the app’s former chief privacy officer, Ronald De Jesus, who is suing the company for wrongful termination.

De Jesus’s suit, filed in June, alleges that Grindr fired him after he alerted executives to rampant violations of the company’s privacy policy, according to EPIC’s complaint.

Grindr executives were notified about the privacy violations, EPIC’s complaint says, but they expressed “disinterest [which] escalated into displeasure and contempt.”

According to EPIC, Grindr appears to store users’ private data, including photos and messages, after they delete their accounts, a violation of the company’s privacy policy. It also allegedly fails to stop employees from accessing private user information.

The app’s privacy policy states that if users decide to delete their accounts, personal information “will no longer be made available via the Services and will generally be deleted within 28 days.”

Grindr issued a statement saying that “privacy is a top priority for Grindr and the LGBTQ+ community we serve.”

“We have adopted industry-leading privacy practices and tools to protect and empower our users,” the statement said. “We are sorry that the former employee behind the unfounded allegations in today's request is dissatisfied with his departure from the company.”

De Jesus alleges that Grindr executives “canceled or halted the privacy-promoting projects he was working on prior to his dismissal, including the production of a privacy video series and the creation of a privacy center, which would have been a central hub for privacy resources on Grindr’s website,” the EPIC complaint says.

The potential privacy violations are particularly significant because many of Grindr’s LGBTQ+ users may not be out, the complaint said.

The complaint outlines prior privacy violations at the company, including those revealed in a 2022 Wall Street Journal article documenting that Grindr sold location data to ad networks. The Journal reported that a Catholic publication bought such data from a third party, allowing it to publicize that a senior official with the U.S. Conference of Catholic Bishops used the app.

The Norwegian Data Protection Authority fined Grindr in 2021 for illegally sharing private user data with at least five advertising firms. The agency levied a fine of 100 million Norwegian kroner, or about $11.7 million, saying that Grindr shared users’ precise locations, thereby allowing the advertisers to label individuals as LGBTQ+ without their consent.

EPIC’s complaint argues that Grindr’s conduct violates Section 5 of the FTC Act because it constitutes an unfair and deceptive practice. The nonprofit also argues that Grindr violated the agency’s Health Breach Notification Rule.

“It’s critical that the Federal Trade Commission step in and conduct a thorough investigation of Grindr’s personal data practices,” EPIC Director of Litigation John Davisson said in a statement. “Grindr users deserve peace of mind that their sensitive personal data will be protected from mishandling and misuse.”


Suzanne Smalley

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.