A Norwegian investigation has claimed that the online advertising industry is "out of control" in the latest warning about how user data is used and shared with brands.
The Norwegian Consumer Council has filed a General Data Protection Regulation complaint against online dating apps such as Grindr and companies that receive personal data through these apps, such as Twitter’s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato.
The organisation said the 10 apps it observed were transmitting user data to at least 135 third parties involved in advertising and/or behavioural profiling.
Grindr shared detailed user data, including the IP address, advertising ID, GPS location, age and gender. MoPub was used as a mediator for much of this data sharing and was observed passing personal data to a number of other advertising third parties, including AppNexus and OpenX, the report said.
Meanwhile, another dating app, OkCupid, shared highly personal data about sexuality, drug use, political views and more with analytics company Braze.
All of the apps the Norwegian Consumer Council tested shared user data with multiple third parties and all except one shared data beyond the device’s advertising ID. This information included the IP address and GPS location of the user, personal attributes including gender and age, and various user activities.
The investigation also found that period tracker app MyDays shared the user’s GPS location with numerous third parties involved in behavioural advertising and profiling.
Google’s advertising service DoubleClick was receiving data from eight of the apps, while Facebook was receiving data from nine.
Finn Myrstad, the Norwegian Consumer Council's director of digital policy, said the extent of tracking makes it impossible for users to make informed choices about how their personal data is collected, shared and used.
The apps tested in the report had been found to transmit data to "unexpected third parties" with no means for users to prevent or reduce the data being shared.
The report warns: "Twenty months after the GDPR has come into effect, consumers are still pervasively tracked and profiled online, and have no way of knowing which entities process their data and how to stop them. The adtech industry is operating with out-of-control data sharing and processing, despite that it should limit most, if not all, of the practices identified throughout this report.
"The digital marketing and adtech industry has to make comprehensive changes in order to comply with European regulation and to ensure that they respect consumers’ fundamental rights and freedoms."
The council is now urging data protection authorities to enforce the GDPR.
Simon McDougall, executive director for technology and innovation at the Information Commissioner's Office, the UK’s data watchdog, responded to the report by saying there has been a general acknowledgement that things can't continue as they have been in the adtech supply chain.
He added: "Over the past year, we have prioritised engagement with the adtech industry on the use of personal data in programmatic advertising and real-time bidding.
"Along the way, we have seen increased debate and discussion, including reports like these, which factor into our approach where appropriate."