The Norwegian Consumer Council made waves, on Tuesday January 14, when it unveiled its investigation ‘Out of control’ that shows how "consumers are being exploited by the online advertising industry".
The 186-page report sifts through ten mobile apps on Androïd - including the four famous dating apps Tinder, OkCupid, Grindr and Happn - and shows that they share their users' personal data with at least 135 third-party companies. They then use this data for the purposes of targeted advertising or online behavioural profiling.
Take for example the LGBTI dating app Grindr, which had already been at the centre of a scandal in 2018 after sharing with external providers sensitive data of its users including their HIV status and the date of their last test.
The survey shows that the app shares the IP address, advertising ID, GPS location, age, gender and sometimes even the "relationship type" of its users with a large number of third party companies involved in advertising and profiling.
Twitter's subsidiary, MoPub, was used for much of this data sharing, before passing it on to several advertising companies, many of which reserve the right to share the data they collect with their partners, according to the report.
According to Finn Myrstad, director of digital policy at the Norwegian Consumer Council, "these practices are out of control and in breach of EU data protection laws".
The collection and use of data is not based on any legally valid consent of users within the meaning of the General Data Protection Regulation (GDPR).
Users generally have no idea that these companies even exist. Furthermore, none of these apps offer the possibility to refuse the sharing of one's data with third parties, unless one rejects the terms of use and therefore, renounces the use of the application.
European authorities questioned
On the basis of this report, the Norwegian Consumer Council lodged several complaints with the Norwegian Data Protection Authority against Grindr and five online advertising companies: MoPub, AppNexus, Open X, AdColony and Smaato for breach of the GDPR regulation.
The noyb organisation headed by Austrian activist Max Schrems, who assisted him in the legal analysis and drafting of the complaints, has indicated that it too will be filing similar complaints with the Austrian Data Protection Authority in the coming weeks.
Well aware that users themselves have few options to prevent this massive sharing of their data, more than 20 consumer protection and civil society organisations in Europe, the US, Russia and New Zealand have asked their national authorities to investigate these practices by the online advertising industry.
This is particularly the case for the European Consumers Organisation (BEUC). "EU data protection law is a powerful tool to defend consumers against companies that do not respect their privacy. Data protection authorities must take action against those who break the rules", said its director, Monique Goyens, in a statement.
BEUC also sent a letter to European Commissioners Margrethe Vestager, Thierry Breton and Didier Reynders, as well as to the European Data Protection Committee and the European Data Protection Supervisor, asking them to take action against the "systematic and illegal commercial surveillance permitted by the advertising business model".
For its part, the Norwegian Consumer Council has urged companies whose business model depends on online advertising to seek alternative solutions, for example through technologies that do not rely on the widespread collection and sharing of personal data.
See the report: https://bit.ly/2tgihBT (Original version in French by Marion Fontana)