Want your Grindr data? Show your ID and take a selfie!
Today, noyb filed a GDPR complaint against Grindr – a dating app for gay, bi, trans and queer people, where many users share very personal and even explicit sexual details. Instead of authenticating against the data that users have provided, like the email and password – Grindr requires users to identify in maybe the most grotesque way imaginable: Users have to hold up a piece of paper with their email address, as well as their passport – all while balancing their phone to take a selfie. This is not just absurd, but also a violation of the GDPR.
Exercising fundamental rights must be facilitated by companies. In this case, the complainant represented by noyb, is a Grindr user who was trying to understand more about how Grindr uses his data. Grindr surprisingly denied access to his personal data because the user did not send a selfie holding his passport and a piece of paper with his e-mail address on it.
When “Hunk_69” has to become Richard Smith to claim his rights: Companies like Grindr make the registration process simple and fast – not only to comply with data minimization, but also because using Grindr in a supposedly anonymous way is part of the promise to users. Especially when the service is often used with anonymized pictures and using pseudonyms, not having to show an ID to open an account is part of the service – after all, even the logo of Grindr is a mask.
However, when a user tries to exercise their rights to find out what personal data the company has on them, Grindr requires them to suddenly take off the mask and even show a government issued ID, which is not only inconsistent with the principle of data minimization, but with the entire product.
“You can see and share even the most intimate pictures on Grindr with just your email and password – only when you want to exercise your GDPR rights, you must strip down and show a government ID.” - Max Schrems, chair of noyb
Companies usually argue with “security reasons”. By law, companies are required do a case-by-case assessment on whether there is reasonable doubt as to the identity of the user. Having a general policy of asking for additional information violates the GDPR, especially when Grindr cannot actually match the ID with a user, as it does not have the real name of users.
“It is ridiculous to authenticate ‘Hunk 69’ with a government ID, when Grindr is designed not to know the real name of its users. In reality, they require a ‘coming out’ of users to exercise their rights.” - Max Schrems, chair of noyb
Broader issue with GDPR rights. Grindr is far from the only companies that introduce complicated or even prohibitive rules when users want to exercise their GDPR rights. These unnecessary “routine identity checks” by data controllers should be stopped, especially where other less intrusive measures like sending a verification email or a code within the app are available, like in this case.
If you want to exercise your rights: Delete the Account. As an alternative, Grindr suggested to the Complainant, he may choose to delete his account, if he “do[es] not wish to share any data with Grindr”. The Complainant chose a third option – to file a GDPR complaint with the Austrian Data Protection Authority, DSB who will now have to decide over the case.