Meeting new people has never been particularly easy, which is why dating apps have become so popular. Using carefully calculated computer algorithms, these services match our interests and preferences with other people who have similar tastes. We can then arrange a date – and hopefully find love in the process.

But in order to make matches, each service collects a range of sensitive information including sexual preferences, physical location, and even the way in which the app is used. This data allows the service provider to create a very detailed profile for each of their users.

What has happened?

Most users assume this information is collected and protected by the dating app operator. And rightly so – the General Data Protection Regulation (GDPR) requires service providers to treat personal information very carefully, and to only use it for specific purposes.

Security researchers have discovered, however, that this is not the case. Popular dating apps like Grindr, OKCupid and Tinder have all been observed sharing this personal information with ‘unexpected third parties’ – marketing agencies.

What is the problem?

Legally, the issue is not with the sharing of sensitive data but the fact that users are unaware of their information being shared – or who with. Worse still, most of the apps tested do not give users any control over how their data is being used.

The researchers warn that the lack of control over personal data could mean that the dating service operators are at risk of prosecution under the GDPR. They could face fines of up to €20 million or more.

But there is a human aspect to these data leaks too. Some users will be rightly upset that their data is being sold to advertisers – especially as some of the most sensitive information is a personal secret. This is particularly true for users who may choose to hide their sexuality or preferences from friends and family; advertisers using that information may inadvertently expose their secrets through ads and emails that the user receives.

Can you protect yourself?

Since the GDPR was introduced, most apps do now admit to sharing data – but only because they are legally obliged to. The information is usually buried somewhere in the long, complex terms and conditions of the service – which most of us don’t read. Worse still, some apps (like Grindr) refer users to the terms and conditions of third parties where the full extent of the data sharing is discussed.

Wherever possible, the Panda Security blog will alert you to these issues as we become aware of them, but unfortunately the app terms of use are the only way to properly understand how your data is being used. That means the only way to truly secure your data is to read the terms – and to not use any dating app until you have.