[seulement en anglais]
Nickolas Eburne (he/him/his) is a University of Ottawa Civil Law student and a wearer of many hats. Nickolas is a member of the University of Ottawa Students' Union Board of Directors, Editor-in-Chief of journal étudiant Le Flagrant Délit, a Student Researcher at the Human Rights Research and Education Centre, a RA within the Civil Law Section, Communications Director of Pro Bono Students Canada, and has various involvements related to mental health advocacy. Read more about and connect with Nickolas here.
In a surprise victory for consumer privacy advocates last week, the Norwegian Data Protection Authority said it was planning on imposing a fine of 100 million Norwegian crowns (around $11.7 million USD) on the infamous 2SLGBTQ+ dating app Grindr [1]. The specific allegation made against the corporation was that they illegally disclosed user data to third party advertising firms [2]. Now, the same allegation is being made once again by New York attorney Spencer Sheehan who is hoping to launch a class action lawsuit against the dating app in the United States [3].
For readers who don’t regularly dabble in data protection and consumer privacy laws, here’s a rundown of how dicey this situation could become for any Grindr user, even here in Canada.
Say you make your way to Grindr for the first time – you would be asked to create an account to use the dating service. Prior to being able to create an account however, a window would appear on your screen asking you to agree to the dating service’s Terms and Conditions – an agreement some experts call a “take it or leave it” agreement (since you can’t continue without agreeing to those terms first). We all know how long, and seemingly useless, Terms and Conditions are; if you just wanted to skim over them and continue creating your account, Grindr would let you do this. In fact, users can click on “Proceed” right away when the window appears – you would have the option to agree to their Terms and Conditions before even reading the word Term. I presume that only tech-savvy and cautious customers would read the entire agreement prior to consenting to it; even then, they wouldn’t have all the information required to make a clear decision since the agreement links to external sources like the Privacy Policy and the “Third Parties” page on the corporation’s website.
The agreement, which spans over a combined 3000+ words with the many external documents, clearly states that Grindr collects, uses, and shares its customers’ private information. On its website, Grindr says it collects your “photo, display name, physical characteristics, characteristics of protected information, relationship status, ethnicity, age or date of birth, gender, preferred pronouns, email address, height, weight, body type, position, social network link, “Looking For,” “About Me,” “Favorites,” “Blocks,” “Tribes,” “Meet at,” “Accept NSFW Pics,” social links (including Instagram username, Spotify top songs, Twitter handle, and Facebook username), and any other information that you add to your profile” [4]. It previously collected users’ HIV status and last tested date as well, but no longer requires it “at the recommendation of HIV prevention experts and the community of Grindr users” [5].
Once the data is collected by the corporation, the sharing aspect of it becomes a rather complicated, incomprehensible process. Grindr shares information with a variety of third parties such as Apple, Google, Facebook and more [6], which they categorize as either “Ad Partners”, “Service Providers” or “Other Partners” [7]. Even for someone who would have the time to read through all the documents, the specific details about what kind of information goes to which third party would remain confusing and unclear. I would say try it for yourself, but that would lead you down a very time-consuming, anticlimactic path of legal lingo and I doubt you have the time for that.
Instead, take the New York Times’ word for it [8]; better yet, the Norwegian Consumer Council’s word[9]. The Council recently released their report titled “Out of Control: How Consumers Are Exploited by the Online Advertising Industry” which painted dating apps like Grindr and OkCupid in a very bad light, stating they “sent a user’s location to multiple companies, which may then share that data with many other businesses” [10]. It went on to say that “Any consumer with an average number of apps on their phone — anywhere between 40 and 80 apps — will have their data shared with hundreds or perhaps thousands of actors online.” [11]
For Spencer Sheehan, an attorney based out of New York, this is illegal and worthy of a class action lawsuit. In order to get the full picture, I got on a call with Mr. Sheehan and asked him a few questions about the case he hopes to bring against Grindr. To start off, he said that the information being stored in unknown databases, shared with an undisclosed amount of third parties is “something that is harmful and improper in and of itself” and “represents a risk of possible identity theft and other negative consequences” for the app’s users.
However, he considers his chances of success concerning the class action to be rather low given there is Supreme Court precedent [12] that obligates arbitration in any lawsuit concerning terms and conditions if a general provision prioritizing arbitration exists in those terms. That is the case for this dispute and would mean that every user would have to go into individual arbitration against the corporation [13]. It would also make any resolution private; the public would know nothing of what happens behind Grindr’s closed doors.
Nevertheless, there is still a slimmer of hope for Sheehan and his supporters. The problem for Grindr lies in users’ clear consent. To present them with a legal document and offer the opportunity to “proceed” without even having to scroll down is comparable to “someone signing a contract without reading it first” said Mr. Sheehan; a contract that could then be made void. In his opinion, this does not represent clear consent from users. He told me this argument has worked only a few times in the past, where courts said corporations must require users scroll down before agreeing to Terms and Conditions. He recognizes his argument has failed more times than it has worked, but still hopes a judge will agree with him on this.
To conclude our interview, I asked whether he believed New York should follow suit with countries like Norway or states like California in broadening its consumer privacy laws. He answered that he fully believed that this would be the best course of action, as it would make New York a leader in this sector and would create a harmony with European Union and Californian legislation on the matter.
I reached out to Congressman Mondaire Jones who represents New York in Congress and happens to be one of its few openly gay members for comment on this issue, but failed to get a response in time for the publishing of this article.
Although the odds might be stacked against Mr. Sheehan’s class action lawsuit, the legislative bodies can still act to put an end to the mystery surrounding private corporations’ sharing of user information with an infinite number of third parties. Norway and California have both done it. New York is on track to achieve this in the coming years and the Canadian government has tabled a bill to ensure data protection online [14]. It’s imperative that governments step in to set limits on corporations, given their only motivation is to make profit. This is even more true now, in a world that has been forced to migrate online because of a pandemic.
[1] https://cio.economictimes.indiatimes.com/news/internet/grindr-faces-11-7-million-fine-in-norway-for-breach-of-data-privacy/80464785 [2] https://cio.economictimes.indiatimes.com/news/internet/grindr-faces-11-7-million-fine-in-norway-for-breach-of-data-privacy/80464785 [3] https://www.ebar.com/news/news/297329 [4] https://www.grindr.com/privacy-policy/personal-data-collected/?lang=en-US [5] https://www.grindr.com/privacy-policy/personal-data-collected/?lang=en-US [6] https://www.grindr.com/privacy-policy/third-parties/?lang=en-US [7] https://www.grindr.com/privacy-policy/third-parties/?lang=en-US [8] https://www.nytimes.com/2020/01/13/technology/grindr-apps-dating-data-tracking.html [9] https://www.nytimes.com/2020/01/13/technology/grindr-apps-dating-data-tracking.html [10] https://www.nytimes.com/2020/01/13/technology/grindr-apps-dating-data-tracking.html [11] https://www.nytimes.com/2020/01/13/technology/grindr-apps-dating-data-tracking.html [12] AT&T Mobility LLC v. Concepcion - 563 U.S. 333, 131 S. Ct. 1740 (2011) [13] https://www.ebar.com/news/news/297329 [14] https://www.cbc.ca/news/opinion/opinion-digital-privacy-bill-c11-1.5863117
Comments