Popular Android smartphone apps, including the dating services Grindr and OKCupid, are sharing detailed and sensitive information about users with numerous third parties, according to a report issued Tuesday by the European government agency Norwegian Consumer Council.
"The adtech industry is operating with out of control data sharing and processing," the authors write.
They add that "consumers are still pervasively tracked and profiled online and have no way of knowing which entities process their data and how to stop them," despite the sweeping General Data Protection Regulation, which went into effect in the EU in May of 2018.
For the report, researchers examined the data practices of 10 popular apps, including Grindr, OKCupid and Tinder. The 10 apps transmitted data to at least 135 third party ad tech companies, according to the report. Android's Advertising ID reportedly was sent to at least 70 different companies, often in combination with users' geolocation data and IP addresses.
The report comes as Congress is considering passing new, nationwide privacy legislation. On Tuesday, a coalition of watchdogs urged Congress to consider the Norwegian agency's findings when crafting a potential bill.
"The report clearly demonstrates that the comprehensive tracking and profiling of consumers is at the heart of the current adtech ecosystem," the ACLU, Center for Digital Democracy Consumer Action and other groups wrote.
"This surveillance-business model increasingly has implications beyond our digital lives," the groups add. "The data abuses detailed in the NCC’s research also contribute to the erosion of trust in the digital economy, could negatively impact our democratic processes, and may have discriminatory impacts."
The advocacy organizations also urged the Federal Trade Commission to investigate the practices outlined in the report.
"Although there are ways consumers can control the number of tracking on computers through browser settings and extensions, the same cannot be said for smartphones,” the watchdogs write. “While consumers use their smartphones throughout the day, the devices are recording information about sensitive topics such as their geolocation, health, behavior, interests, religion, and sexuality."
Authors of the Norwegian report said the apps they studied failed to obtain users' “valid” consent, as that term is defined in the EU.
"None of the apps that were analysed provide any meaningful ways of giving or refusing consent to the sharing of personal data with third parties,” the report states. “In almost all of the apps, the only option to use the app is to agree to the sharing of personal data as described in the privacy policies. If the data subject has to choose between giving blanket consent to third party processing for profiling and behavioral advertising purposes, or uninstalling the app, the consent cannot be considered to be 'freely given'."
The GDPR requires companies to obtain people's unambiguous consent before using their data for ad targeting.