The months of October through February are what some media outlets are calling “cuffing season,” a period when people reportedly experience greater interest in romantic relationships. In 2020—likely due to the COVID-19 pandemic—dating apps have reported even higher online engagement than in previous years. Whether driven by the colder weather, social distancing, or holiday spirit, there is no doubt that a significant part of this year’s “cuffing season” will take place on smartphone apps—and U.S. privacy legislation must be ready to keep up.
A Tinder-box situation: the privacy risks of online dating
Even before the pandemic, the percentage of U.S. adults who meet people online has significantly increased in recent years—and much of this growth can be attributed to the rise of smartphone dating apps like Tinder, Grindr, OKCupid, Hinge, and Bumble. According to the Pew Research Center, approximately 30% of American adults had tried online dating in 2019—including 52% of those who had never been married—compared to just 13% in 2013. A 2017 Stanford research study even found that 39% of American heterosexual couples had met online—a more commonly-cited manner than traditional alternatives such as introduction by a mutual acquaintance.
After the outbreak of COVID-19 and the ensuing lockdowns, the number of users on dating apps exploded. Match Group, the parent company which controls 60% of the dating app market, reported a 15% increase in new subscribers over the second quarter of 2020—with a record-breaking 3 billion Tinder swipes, or initial interactions with other users, the day of March 29. From March to May 2020, OKCupid saw a 700% increase in dates and Bumble experienced a 70% rise in video calls.
Despite the expanded opportunities and accessibility that dating apps provide during a pandemic, they also collect a tremendous amount of personally identifiable information. Much of this information can be linked back to the original user, such as name, photos, email address, telephone number, or age—especially when combined or aggregated with other data. Some, such as precise geolocation or swipe history, are details that users may be unaware are collected, stored, or shared outside the context of the dating app. Grindr, an LGBTQ+ dating app, even allows users to share their HIV status and most recent testing date.
The potential privacy implications are especially salient when we consider the demographics of people who use dating apps. While 30% of U.S. adults had tried online dating in 2019, that percentage rises to 55% for LGBTQ+ adults and 48% for individuals ages 18 to 29. Since dating websites and apps collect, process, and share data from a greater percentage of these individuals, they could bear disproportionate effects of any privacy or security breaches. Such breaches could bring tangible consequences, such as blackmail, doxing, financial loss, identity theft, emotional or reputational damage, revenge porn, stalking, or more—especially regarding sensitive content such as explicit photos or sexual orientation.
For example, in 2018, Grindr acknowledged that it had shared users’ HIV status with third-party companies and contained a security vulnerability that could leak users’ locations. And, in January 2020, the Norwegian Consumer Council released a report finding that Grindr was currently sharing user tracking information, precise geolocation, and sexual orientation with external marketers—prompting, in part, a House Subcommittee on Economic and Consumer Policy investigation. These privacy concerns became so substantial that, in March 2020, Grindr’s Chinese owners acquiesced to sell to a U.S. company following pressure from the Committee on Foreign Investment in the United States (CFIUS).
Dating apps and privacy policies: not yet a Match
In the United States, there is no uniform, comprehensive law that dictates how all companies—including dating websites or apps—may collect, process, share, and store the personal information of users. Instead, there are dozens of sector-specific or limited federal and state laws—and only half of states have enacted laws that require private businesses to take at least some data security measures. So far, California is the only state to give residents a legal right to access and delete any personal information held by businesses. Ultimately, the lack of a national privacy standard leaves many online daters with inadequate protections and creates regulatory uncertainty for the dating apps and websites themselves.
While the Federal Trade Commission (FTC) is the nation’s primary enforcer for data protection violations, the agency’s authority is largely limited. It primarily brings privacy cases under Section 5 of the FTC Act, which prohibits companies from engaging in “unfair or deceptive acts or practices” such as violating their own privacy policies, false advertising, or failing to provide reasonable cybersecurity standards. Under this statute, the FTC has issued complaints against Ashley Madison and Match Group.
Furthermore, the scope of information that dating apps hold introduces questions of whether the U.S. government may legally access such information without probable cause. The Supreme Court has historically assigned privacy protections from government interference to family life, intimacy, and the home. In Lawrence v. Texas (2003), the Supreme Court invalidated a Texas “sodomy law,” recognizing that the Constitution gives individuals “the right to choose to enter upon relationships in the confines of their homes and their own private lives and still retain their dignity.” The Court cited Roe v. Wade (1973) and Griswold v. Connecticut (1965), two landmark cases that recognized a constitutional “right to privacy” regarding abortion and birth control, respectively.
However, it is unclear if any future Court decisions will apply these constitutional protections to a new frontier of dating websites or apps—or whether U.S. law enforcement may request such data from companies without a warrant. For decades, the Supreme Court has held under the “third-party doctrine” that individuals do not have a “reasonable expectation of privacy” in the data that they choose to share with others. Yet, it also has acknowledged that technology, including cell phones, has dramatically increased the possible scope of surveillance and data collection—an increase that may demand a shift in the interpretation of law.
It all Hinges on this: the need for federal privacy legislation
Fundamentally, the most effective way to resolve the uncertainties and gaps in the current privacy legal system is for Congress to pass new federal legislation. National privacy standards are crucial not only to prohibit businesses from collecting or processing personal information in ways that could harm Americans—but also to limit the amount of data that businesses control and therefore could potentially transfer to law enforcement, unauthorized hackers, or other third-parties. Several current U.S. federal privacy bills, including Senator Maria Cantwell’s (D-WA) Consumer Online Privacy Rights Act and Senator Roger Wicker’s (R-MS) SAFE DATA Act, would establish similar privacy protections. And when the 117th Congress convenes this January, there are three legislative provisions that are especially relevant for any U.S. federal privacy bill to include:
First, legislation needs to set boundaries for how businesses may treat data, regardless of what settings or account options the user chooses. At a minimum, businesses should restrict their collection, processing, and transfer of personal information to what is “reasonably necessary” to provide a service (e.g., a dating website or app), and delete data that is no longer essential for that purpose. In addition, businesses should be required to implement data security programs to prevent cybersecurity breaches, including risk assessments and employee training programs.
Second, people must have the option to access, correct, delete, and request the portability of any personal information that businesses currently hold. These rights mirror the European Union’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), as amended, and would allow users to discover the personal information that dating websites and apps accumulate and elect to delete it.
And third, businesses need clearer legal standards to improve algorithmic transparency and accountability, including to prevent the processing and sharing of data on race, gender, religion, health, sexual orientation, or age in ways that could violate existing anti-discrimination laws or withhold opportunities from groups of people. Dating websites and apps collect demographic or otherwise sensitive information about users—and should be held legally responsible if they share this information with marketers or other third-parties that manage personalized advertisements or automated decisions in ways that could result in biased outcomes.
Enough Bumble-ing around: a time for action
As dating apps grow in popularity, so too will the amount of personal data that they store. U.S. federal regulations currently fail to properly address concerns over data storage, removal, and accountability, which lie in stark contrast to other countries or governments that regulate privacy. Thus, as online dating continues to become more prevalent, Congress must respond in kind with legislation. This cuffing season, let’s let dating app users be “cuffed” to one another, not to privacy hazards.