Unregulated – Grindr, Tinder and Ad Tech
Privacy Plus+
Privacy, Technology and Perspective
Unregulated – It’s time to talk about Grindr, Tinder and Ad Tech.
Last week, we questioned whether the idea of data fiduciaries introduced under the proposed “New York Privacy Act” would adequately address privacy issues raised by the targeted-advertising practices of the AdTech industry. This week, we open that discussion with what we think is the answer: No.
For a fascinating study on how the AdTech industry may violate data privacy laws in Europe and the United States, click on the following link to read the recently issued report by the Norwegian Consumer Council (“Council”), entitled “Out of Control: How consumers are exploited by the online advertising industry”:
https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf
The report describes how the Council commissioned a technical test of ten apps. The apps tested include the dating apps Grindr, Tinder, Happn, and OkCupid; period tracker apps Clue and MyDays; makeup app Perfect; religious app Muslim: Qibla Finder; keyboard app Wave Keyboard, and children’s app My Talking Tom 2. The apps were chosen by looking at the most popular apps on Google Play in certain categories where sensitive category personal data was deemed likely to be processed, such as data about health, religion, children, and sexual preferences. The technical tests themselves identified data flows from the apps to commercial third parties, including the content of those data flows, and determined whether such data flows were necessary for the functioning of the app. The Council then analyzed the results of those technical tests against the legal documentation from the companies in question.
The report outlines whether the apps give sufficient information (Spoiler: Generally, the apps’ privacy practices were found to be deficient), whether they share data with third parties (Spoiler: Generally, the apps shared sensitive personal data with third parties for targeted advertising purposes), and whether this happens for purposes other than the necessary functioning of the apps (Spoiler: Yes). According to GDPR, Articles 7 and 13, such information should be provided upfront to the consumer in a clear and understandable manner, and not be hidden in legal documents. If it is not possible to provide this information in a clear and understandable manner, these practices should not happen.
Chapter 7 of the report is worth a close read because it analyzes the Grindr app in depth. Grindr advertises itself as “the world's largest social networking app for gay, bi, trans, and queer people.” The sensitive information processed through the Grindr app includes data concerning a person's sex life or sexual orientation, which are protected under the GDPR as “special categories” of personal data. Yet, when the Council conducted its technical test of the Grindr app, it found that Twitter’s MoPub acted as its advertising mediation network, which then facilitated personal data transmissions to other third parties.
On page 183, the report reaches the conclusion that, if the AdTech industry itself is violating applicable law, then the solution is that “the relevant companies, including marketers, publishers, and the AdTech companies themselves, must purge their databases of all personal data that has been illegally acquired...Meanwhile, marketers and publishers may want to look toward other advertising models that do not rely on the collection and processing of personal data.”
While we agree that the advertising-driven business model and the Ad Tech industry need to be scaled back, we return to the idea of placing privacy before profits by imposing fiduciary duties – a concept set forth in the proposed New York Privacy Act, which we wrote about in last week’s post, available at the following link:
https://www.hoschmorris.com/privacy-plus-news/privacy-before-profits
In considering whether the imposition of fiduciary duty could provide privacy protection in the AdTech industry context, we see three problems: First, reining in a previously unregulated industry takes political appetite and consensus – neither of which is exactly abundant in Washington these days. We would also anticipate fierce resistance, especially from platforms like Facebook and Google.
Second, many of the actors in the AdTech industry don’t have direct relationships with the individual data subjects at all – so they (viz., advertising networks and analytics providers) might not be covered as “controllers” or “data brokers” as contemplated by the proposed New York law.
Third, the proposed New York law requires “express and documented consent,” but consent cannot be meaningful without an understanding of how the underlying ad-placement algorithms work. We may know that we are being targeted for ads, but until we know what we’re being targeted for, why, how, and by whom, our consent will be meaningless, and significant privacy risks will remain.
AdTech technology isn’t unethical itself, nor are its developers, promoters, or its well-intended users. But recent history has shown that AdTech technology can readily be – has been – weaponized to target vulnerable individuals, spread untruths, and even influence elections, and when new weapons appear, the wise develop defenses.
We urge only that the defenses be effective as well as proportionate, and we aren’t yet convinced that the proposed New York law of fiduciary duty will be.
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.