Hundreds have joined a UK class action lawsuit against LGBTQ+ dating app Grindr, seeking damages over a historical case of the company allegedly forwarding users’ HIV status as well as other sensitive data to third-party advertisers.

This data included a user’s HIV status and their last test date, their sexual preferences, and their GPS location – all of which were added to public profiles by users and later gathered up by Grindr’s trackers.

The Norwegian Data Protection Authority (NO DPA) fined Grindr 65 million Norwegian kroner in 2020 ($5.9 million at today’s exchange rate) for violating GDPR’s consent rules. NO DPA’s case didn’t mention any violations regarding the sharing of HIV data or information about a user’s sexual preferences. However, it ruled that third parties had received a user’s GPS location, IP address, advertising ID, age, gender, and the fact that they used the app, and concluded that Grindr had disclosed user data to third parties “for behavioural advertisement without a legal basis.”

The Electronic Privacy Information Center (EPIC) said in October last year it was pushing for the FTC to probe the app maker after finding that it was retaining user data even after accounts were deleted – a practice Grindr’s privacy policy explicitly says it wouldn’t do.

  • gravitas_deficiency@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    7 months ago

    Ooh boy. In the states, that’d be a Big Fucking HIPAA Violation and they’d be pretty seriously boned. As in: they might be fined out of existence.

    I assume the UK has some similar mechanisms. I will say that it’s more than a bit shocking that literally ANYONE at ANY LEVEL at Grindr thought this would be in any way, shape, or form morally or legally justifiable.

    Edit: yeah, they’re not a covered entity so not applicable. Still unbelievably shitty.

    • cm0002@lemmy.world
      link
      fedilink
      English
      arrow-up
      25
      ·
      7 months ago

      Actually no, Grindr is not a HIPAA covered entity (Such as a healthcare provider or clinic) or a “business associate” of a covered entity (Such as a Third-party to process and/or transmit medical data on behalf of a covered entity)

      Now if Grindr had Grindr owned STD clinics that people got tested at and somehow that info got onto the app that would be a HIPAA violation.

      An app asking you and you providing STD status freely, or any medical status for that matter, isn’t. (Unless it’s an app that bills itself as a medical something)

    • Dudewitbow@lemmy.zip
      link
      fedilink
      English
      arrow-up
      19
      ·
      7 months ago

      HIPAA only applies of its your doctor or a medical institution does it. it doesnt stop people you may know/businesses unrelated to the field from disclosing said info.

    • Ebby@lemmy.ssba.com
      link
      fedilink
      English
      arrow-up
      11
      ·
      7 months ago

      In the states, that’d be a Big Fucking HIPAA Violation

      Is it though? If memory serves, users willfully providing medical info isn’t a breach, unlike if they accessed that info directly from the doctor.

    • xor
      link
      fedilink
      English
      arrow-up
      9
      ·
      7 months ago

      As people have said, it’s actually perfectly legal in the US, horrifyingly.

      But the UK has very strict data protection laws which we inherited from when we were in the EU, and medical data is explicitly considered sensitive. If they actually did sell medical information, they’re in deep shit, legally.

    • Neato@ttrpg.network
      link
      fedilink
      English
      arrow-up
      8
      ·
      7 months ago

      Unfortunately it’s not a HIPAA violation. That only covers medical providers. No one else is beholden to HIPAA.