Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 28, 2026 · 6 min read

Grindr Contacts 20 Trackers in 15 Minutes, EFF Finds

The EFF measured Grindr sharing data with 20 third party tracking domains during a single 15-minute session — and through real time bidding auctions, that data flows to hundreds more. Here's what's being shared and who's getting it.

In 2022, a Catholic publication called The Pillar purchased location data harvested from Grindr's advertising network and used it to identify a senior official at the U.S. Conference of Catholic Bishops — who then resigned. The data didn't come from a breach. No hacker broke in. The information flowed out through the exact mechanism Grindr uses to sell ads: a system that auctions your personal data to dozens of companies every time you open the app. That case put a face on an abstract threat. This Pride Month, the Electronic Frontier Foundation is demanding Grindr stop it from happening again.

Key Takeaways

  • The EFF measured Grindr contacting 20 third party tracking domains in just 15 minutes of app activity, using the open source tool TrackerControl.
  • Grindr shares mobile advertising IDs, profile photos, age, interaction data, display names, and chat content — including with companies that use real time bidding auctions potentially exposing that data to hundreds of additional buyers.
  • EU authorities issued a €63 million fine against Grindr for illegal data sharing; a 2021 Norwegian fine of $11.7 million was also imposed for sharing precise location data without consent.
  • A location data broker previously collected precise movement data from millions of Grindr users between 2017 and 2020, detailed enough to infer specific romantic encounters between named individuals.
  • The EFF is demanding Grindr make behavioral advertising opt-out by default and require affirmative opt-in consent before training AI on user messages.

What Did the EFF Actually Find?

The EFF's June 26, 2026 analysis used TrackerControl — a free Android app that intercepts network traffic — to observe what Grindr sends and to whom. The answer: 20 third party tracking domains contacted within 15 minutes of normal use. That's not 20 companies total receiving data at some point in your account history. It's 20 separate data recipients reached before you've done anything particularly interesting in the app.

The data shared includes mobile advertising IDs (MAIDs), profile photos, your age, interaction data like taps and swipes, display names, and chat messages. That last category is especially significant: Grindr uses chat content for AI training, and the EFF found no evidence that users meaningfully consent to this before their private conversations become model training data.

Smartphone displaying a network traffic visualization with data streams flowing outward from a single app toward corporate silhouettes, indigo and charcoal background representing third party data exposure

How Does Real-Time Bidding Turn Your Data Into a Public Auction?

Real-time bidding is the automated system behind almost every digital advertisement. When Grindr loads an ad, it broadcasts a packet of information about you — your MAID, location, demographics, behavior — to ad exchanges. Those exchanges run millisecond auctions among dozens of demand-side platforms. The winning bidder shows you an ad. Every losing bidder still received your data.

Industry analyses put the number of entities receiving user data from a single app or page load at 250 or more. The advertiser who wins pays for the impression; every other participant keeps your data for free. For a gay dating app, this means your implicit sexual orientation — the fact that you use Grindr — is broadcast to an unknown number of ad-tech companies every time you open the app. You never agreed to that distribution. You have no idea who received it. And you have no way to take it back.

MAIDs make this worse. A mobile advertising ID is a persistent, cross platform identifier that links your Grindr activity to your behavior in every other app on your phone. A data broker who buys Grindr-sourced bidstream data can join it to your retail app purchases, your health app data, your location history from a weather app. The profile built this way is comprehensive in ways no single data point suggests.

A Pattern of Violations, Not a Single Mistake

Grindr's data sharing problems span nearly a decade, and the company has paid for them repeatedly.

Between 2017 and 2020, a location data broker collected precise movement data from millions of Grindr users via advertising networks. The data was granular enough to identify specific romantic encounters between named individuals. No system was hacked; the data was simply purchased through the same channels that power Grindr's advertising revenue.

In 2021, Norway's data protection authority fined Grindr $11.7 million for sharing users' precise GPS coordinates with five advertising firms without valid consent under GDPR. The Norwegian Consumer Council's "Out of Control" report, which documented the violations, noted that Grindr transmitted location data even when the app was running in the background.

The Pillar incident in 2022 was different in character because it showed what a motivated actor could do with legitimately purchased data. The publication didn't need a subpoena or a court order. It bought location data from Grindr's advertising supply chain, correlated it with movement patterns, and identified a named individual in a position of authority. That person's private life became public knowledge through a commercial transaction Grindr facilitated.

In 2026, EU authorities issued a €63 million fine for illegal data sharing — the largest penalty Grindr has faced and a signal that regulators view the violations as systemic rather than incidental. The pattern matches what regulators found in the FTC's ban on data broker Kochava, which sold 94 billion location pings a month from 35 million Americans through its advertising supply chain.

EPIC's FTC complaint documents additional concerns: Grindr shares HIV status and vaccination status with advertisers. Employees can access private user messages. Despite a stated policy of deleting user data within 28 days of account deletion, Grindr retains photos and messages beyond that window. The company's previous Chief Privacy Officer sued Grindr, alleging in the suit that the company "prioritized profit over privacy."

Why This Matters Beyond One App

Grindr's situation illustrates a structural problem with ad-supported apps: the business model requires sharing user data, and the RTB ecosystem was designed without meaningful access controls on who receives that data downstream. The GDPR has now accumulated over €7.1 billion in total fines, but fines paid after the fact don't un-broadcast data already auctioned through RTB systems.

What makes Grindr particularly high-stakes is who uses it and why. LGBTQ+ people in dozens of countries face legal jeopardy for their identities. Outing someone as gay can result in violence, job loss, family rejection, or criminal prosecution depending on jurisdiction. A dating app that leaks identity data through ad-tech infrastructure isn't just a privacy inconvenience — it's a physical safety issue. The EFF is pushing for structural change: opt-out from behavioral advertising as the default setting, and opt-in consent required before training AI on private user conversations.

What Can You Do Right Now?

  • Reset your mobile advertising ID. On Android, go to Settings > Privacy > Ads and reset your advertising ID. On iOS, go to Settings > Privacy & Security > Tracking and disable tracking for all apps. This breaks the cross app linkage that makes MAID-based tracking so powerful.
  • Audit app permissions. Location is the most dangerous permission to grant a social app. If any app has "always on" location access, change it to "only while using the app" or deny it entirely. Precise location is the data point that enabled the 2017-2020 tracking and the Pillar incident.
  • Use TrackerControl or a DNS level blocker. TrackerControl and similar tools (NetGuard, RethinkDNS) can block connections to known tracking domains. The EFF used TrackerControl to measure Grindr's 20-domain contact in 15 minutes — you can use the same tool to stop those connections.
  • Assume deletion doesn't work. If you delete your account, do not assume your photos and messages disappear on the stated schedule. The EFF found evidence of retention beyond the stated 28-day window. Export what you need and treat anything shared as potentially persistent.
  • File a complaint. Complaints to national data protection authorities — the FTC in the US, your national DPA in the EU — result in real investigations. The Norwegian $11.7M fine and the EU €63M enforcement action both started with documented complaints.

The Pillar case happened because one publisher decided to buy data that Grindr made available. The question isn't whether someone will do it again — it's whether Grindr will change its systems before they do.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.