The Norwegian study, which looks only at apps on Android phones, traces the journey a user's personal information takes before it arrives at marketing companies.
For example, Grindr's app includes Twitter-owned advertising software, which collects and processes personal information and unique identifiers such as a phone's ID and IP address, allowing advertising companies to track consumers across devices. This Twitter-owned go-between for personal data is controlled by a firm called MoPub.
"Grindr only lists Twitter's MoPub as an advertising partner, and encourages users to read the privacy policies of MoPub's own partners to understand how data is used. MoPub lists more than 160 partners, which clearly makes it impossible for users to give an informed consent to how each of these partners may use personal data," the report states.
This is not the first time Grindr has become embroiled in controversy over data sharing. In 2018, the dating app announced it would stop sharing users' HIV status with companies following a report in BuzzFeed exposing the practice, leading AIDS advocates to raise questions about health, safety and personal privacy.
The latest data violations unearthed by the Norwegian researchers come the same month California enacted the strongest data privacy law in the U.S. Under the law, known as the California Consumer Privacy Act, consumers can opt out of the sale of their personal information. If tech companies do not comply, the law permits the user to sue.
In its letter sent Tuesday to the California attorney general, the ACLU of California argues that the practice described in the Norwegian report may violate the state's new data privacy law, in addition to constituting possible unfair and deceptive practices, which is unlawful in California.
A Twitter spokesperson said in a statement that the company has suspended advertising software used by Grindr highlighted in the report as the company reviews the study's findings.
"We are currently investigating this issue to understand the sufficiency of Grindr's consent mechanism. In the meantime, we have disabled Grindr's MoPub account," a Twitter spokesperson told NPR.
The study found the dating app OKCupid shared details about a user's sexuality, drug use, political views and more to an analytics company called Braze.
The Match Group, the company that owns OKCupid and Tinder, said in a statement that privacy was at the core of its business, saying it only shares information to third parties that comply with applicable laws.
"All Match Group products obtain from these vendors strict contractual commitments that ensure confidentiality, security of users' personal information and strictly prohibit commercialization of this data," a company spokesman said.
Many app users, the study noted, never try to read or understand the privacy policies before using an app. But even if the policies are studied, the Norwegian researchers say the legalese-filled documents sometimes do not provide a complete picture of what is happening with a person's personal information.
"In other words, it is practically impossible for the consumer to have even a basic overview of what and where their personal data might be transmitted, or how it is used, even from only a single app."
Copyright 2020 NPR. To see more, visit NPR.