
When an app claims to be anonymous, is it really?

One well-known aspect of the dating app Grindr is that it allows users to register quickly and easily, without providing any ID. This ‘quick and easy’ approach to registration allows users to benefit from anonymity. Furthermore, the app is often used with anonymised photographs and pseudonyms. Seemingly, one’s genuine identity is not an important factor. That is, until it comes to exercising data protection rights, specifically a Subject Access Request.

Rather than verifying a user’s entitlement to receive information against the data they had already provided when creating the account, users were asked to take a selfie whilst holding a piece of paper with their email address on it as well as holding their passport! Grindr were collecting more information but, importantly, they did not hold that information in the first place, so had nothing to verify it against. Furthermore, not only is this excessive processing of personal data, it is also a test of one’s selfie-taking skills.

Have you been asked for government ID for “security reasons”?

Grindr aren’t the only company to ask for information they do not already have, using the poor excuse of “security reasons”. There are still companies insisting on government ID when individuals exercise their data protection rights. Having a general policy of asking for additional information violates the UK GDPR/GDPR in many cases, especially in Grindr’s position, where they cannot match the ID with a user as they do not have the user’s real name to begin with!

Organisations must have robust verification methods due to the risk of a personal data breach, which attracts the highest fines from Regulators. Nevertheless, these methods must not contravene the law. All of which leads to the question: why aren’t all companies validating requests by less intrusive means, like sending a verification email or a code within the app?

What do I need to do?

  1. Think about how and with whom you share your data.
  2. Pay attention to mandatory fields when providing your personal information initially. If a field is not mandatory, consider whether the company needs the information and what the benefit is to you.
  3. When exercising your rights, don’t be afraid to challenge requests for information you haven’t already shared with the company or that they wouldn’t already have.

What does my organisation need to do?

  1. Policies and Procedures – make sure to have robust and effective verification procedures for individuals exercising their rights.
  2. Awareness and training – make sure everyone in the organisation knows how to recognise a rights request and what to do with one.

If you have any further questions around how to validate or fulfil data subject rights requests, please contact us at hello@bridewellconsulting.com and we’ll be happy to help.
