(Bloomberg Law) — LGBTQ+ dating app Grindr repeatedly violated state and global privacy laws by collecting and retaining highly sensitive data including nude photos without clear consent, the company’s former chief privacy officer alleged in a wrongful termination lawsuit.
Ron De Jesus says he was fired in retaliation for raising concerns about the company’s “alarming” data-privacy practices, according to a complaint filed Wednesday in a California state court in Los Angeles.
De Jesus’ accusations come after the company faced backlash for sharing users’ HIV status and was fined$7 million by the Norwegian Data Protection Agency for sharing user location and sexual orientation data with advertisers.
According to De Jesus, Grindr allegedly retained personal data including naked pictures and HIV status even after users deleted their accounts. That information was accessible by any employee or third-party vendor, he said.
“Despite Mr. De Jesus’ best efforts, Grindr not only shared user data—and likely continues to do so—but allowed third parties to collect data which was then shared with their partners, upon the user merely viewing an advertisement,” the complaint said.
Hours after he sent an email to Chief Financial Officer Vanna Krantz about his data privacy concerns, he said he received a notice of termination from the company, who he accused of placing “profit over privacy.”
De Jesus’ claims are “definitively false,” Grindr’s Head of Communications Patrick Lenihan said in a statement emailed to Bloomberg Law.
“Mr. De Jesus was terminated for being ineffective and for poorly managing Grindr’s privacy practices, which were his primary responsibility,” Lenihan said. “Through his professional failings, Mr. De Jesus put Grindr and Grindr’s users at risk.”
Global, State Privacy
The lawsuit said the Grindr app had a bug that would reset user data collection consent settings, in violation of the EU’s General Data Protection Regulation.
De Jesus also accused Grindr of violating the California Consumer Privacy Act and other state privacy laws, and said the company’s practices contradicted its own privacy policy. Its treatment of user data may also constitute deceptive trade practices under the Federal Trade Commission Act, the filing said.
He further claimed that Grindr ignored the advice of its outside legal counsel—Cooley LLP—in one debate over data collection. The law firm allegedly advised against categorizing some data used for analytics as “strictly necessary,” saying it could violate the GDPR.
Cooley didn’t respond to a request for comment.
De Jesus is seeking relief for wrongful termination, retaliation, and unfair business practices.
Schein Law Group and Sherman Law Corporation represent De Jesus. Attorneys for Grindr haven’t yet filed an appearance.
The case is De Jesus v. Grindr, Cal. Super. Ct., No. 23stcv13635, complaint filed 6/14/23.
To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com
To contact the editor responsible for this story: Jay-Anne B. Casuga at jcasuga@bloomberglaw.com
(Updated to add Grindr official’s comments.)
©2023 Bloomberg L.P.
