Data privacy and dating apps: It’s a (mis)match!

Most dating app users remain unaware of how their data is collected, shared and used by these platforms.

Aastha Mathur

As India continues to evolve and modernise, so does its approach to finding romance. In 2022 alone, Indian users spent $31 million more on dating apps compared to the previous year, and this trend is on the rise.

Yet, the pursuit of love through these platforms comes with significant risks. Dating apps gather vast amounts of personal and sensitive information and often lack transparency regarding their data encryption, storage and transfer practices.

This article delves into the types of data collected and processed by dating apps, underlying issues and how this may be expected to change under the rapidly evolving landscape of data privacy.

Legal framework

At present, the Information Technology Act, 2000 (IT Act) and its allied rules govern the processing of all digital data. However, the Digital Personal Data Protection Act, 2023 (DPDPA) and its recently published draft rules will be replacing the IT Act with respect to digital personal data processing. Under Sections 5 and 6 of the DPDPA, consent is the primary basis for processing an individual’s personal data. The DPDPA emphasises that consent must be free, specific, unambiguous and given through clear affirmative action, thereby allowing individuals to understand the purpose and scope of data use.

Apart from consent, Section 7 of the DPDPA permits “legitimate use” in certain situations. One such example is where the data principal (the person whose data is being processed) has voluntarily provided their data and has not withdrawn consent. It also covers other circumstances, such as fulfilling legal or law enforcement obligations, addressing national security concerns, responding to public health emergencies, providing medical treatment during crises like epidemics or disasters and safeguarding the interests of an employer.

Data collection by dating apps

While dating apps collect a wide variety of data from the user’s name to their zodiac sign, the data can be broadly classified into two categories: necessary and optional. Necessary data refers to the user information required to access the dating app’s core services, and includes: (i) basic details such as name, photo, username, email and age to create an account; (ii) gender and sexual orientation preferences; (iii) location data from GPS, IP address, or Wi-Fi for suggesting nearby matches; and (iv) technical data such as app usage, in-app activity, interactions with users, advertisements, third-party links, device details, IP address and cookies.

In contrast, optional data is provided voluntarily by users to enhance their experience, and is not required for accessing the app’s core services. This includes: (i) contact details like alternate emails, phone numbers and social media profiles; (ii) financial information such as credit card details and PAN card numbers; (iii) biometric data like fingerprints, voice recordings and videos; and (iv) other personal information such as occupation, family background, education, financial status, place of birth, hobbies, media and sports preferences, political views and medical and sexual history. Given the nature of dating apps, users are often motivated to share this data to better connect with potential matches or use the app’s premium features.

Data privacy issues

Obtuse consent mechanisms

Many popular dating apps operate across multiple jurisdictions and provide a universal privacy policy that users must accept to access the services. A review of these policies shows that these apps often do not obtain explicit consent before using personal data for advertising purposes. Instead, they rely on the “legitimate interest” exception to promote their services. The data used for this purpose is extensive and includes account data (phone number, email), profile data (age, gender, sexual orientation, race), usage data (in-app chats, purchases), and technical data (IP address, device type). Users are also unaware of how much data is processed and stored by dating apps. A Tinder user, who requested access to her data, found that the app had kept an 800-page record of all her liked posts on Facebook.

Under Sections 5 and 6 of the DPDPA, read with Rule 3 of the Draft Rules, dating apps must obtain user consent before collecting or processing personal data. The consent notice must include: (i) a detailed description of the data processed, (ii) a list of goods/services enabled through the data processing, and (iii) the specific purpose for processing the data. The notice must be clear and understandable, with acceptance requiring an affirmative action from the user. Data cannot be used in ways not specified in the notice. While users are motivated to share personal data to improve their chances of finding a match, they may object to the use of their data for targeted advertising or algorithmic training.

Unauthorised data use

Most dating apps use a freemium model where users can access basic services for free but can pay for additional features (unlimited superlikes, viewing who liked their profile, etc.). These apps primarily rely on targeted advertising revenue, which requires them to collect and classify user data. Users are seldom informed about the manner in which their data is used for such advertising purposes.

In recent years, various jurisdictions, including European Union members, have taken action against such use of user data. In 2020, the Norwegian Consumer Council filed a complaint against the dating app Grindr for unlawfully sharing personal data for marketing purposes. The data included GPS location, IP address, advertising ID, age, gender and information about using Grindr. This data was identifiable, and recipients could potentially share it with third parties. The Norwegian Data Protection Authority (NDPA) concluded that Grindr shared user data for behavioural advertising without legal justification, and imposed a €6.5 million fine. The NDPA held that while consent was the required legal basis, the consent obtained was invalid as users were not adequately informed about data sharing. Further, since Grindr is mainly used by the LGBTQ community, revealing that someone uses the app could disclose sensitive personal information about their sexual orientation, further invalidating the consent.

Similarly, under the DPDPA, dating apps will not be able to rely on the “legitimate use” exception under Section 7, and must obtain consent for using personal data for advertising purposes. As users are likely to be wary of their data being used in this manner, dating apps may need to reconsider their business models.

Algorithmic bias 

Dating apps often apply an algorithm to determine which profiles to show to a user. Apart from age and location, these algorithms process data from a range of sources, including social media and information provided by the user. Tinder and Bumble’s algorithms used to be based on the Elo rating system, which was originally designed to rank chess players. Users rose in the ranks based on how many people swiped right on them, with each swipe weighted based on who the swiper was. Thus, those with similar scores would see each other more often. Dating apps, while offering various tips to enhance user likability, maintain opaque ranking practices. This lack of transparency raises concerns about potential discrimination and unfair trade practices. For example, an algorithm observing that darker-skinned users receive fewer matches may automatically lower their ranking, reinforcing past biases.

Under Section 11 of the DPDPA, data principals have the right to access their personal data, learn its source and purpose, and know whether it has been shared with third parties. This would include data developed through processing of personal data. To comply, dating apps will need to adopt more transparent processing practices and provide an interface that allows users to exercise their rights under the DPDPA.

Data breach

In its 2024 report, Mozilla found that half of the apps they reviewed had experienced a data breach, leak, or hack in the past three years. In one instance, location data from the dating app Grindr ended up in data brokers’ hands and was purchased by a US Christian group to monitor members of its clergy.

At present, there are no specific reporting requirements under Indian law in case of a leak or breach of personal data. These fall within the scope of directions by the Indian Computer Emergency Response Team under Section 70B (6) of the IT Act (CERT-In Directions). Under the CERT-In Directions, body corporates, intermediaries and other IT service providers must mandatorily report listed cyber incidents within six hours of noticing such an incident or receiving knowledge about it. The listed events can be reported over email, phone and fax. While non-compliance with CERT-In Directions can result in imprisonment of up to one year and/or a fine of up to ₹1 lakh under Section 70B (7) of the IT Act, it is unclear if such a penalty has ever been enforced.

The DPDPA and Draft Rules would require dating apps to notify affected users of any personal data breach or “any unauthorized processing of personal data or accidental disclosure…that compromises the confidentiality, integrity or availability of personal data”, regardless of harm. The notification must (i) be clear and straightforward, (ii) explain the breach’s nature, extent and timing, along with potential consequences for affected users, (iii) include measures taken to mitigate risks and provide safety recommendations to users for protecting their data, and (iv) include contact information of a responsible person for inquiries.

The dating app also needs to notify the constituted Data Protection Board of any data breach within 72 hours. The data breach report must include information on how users were notified. If users receive frequent breach notifications, they may become overwhelmed, leading them to delete their accounts or limit the data they provide. These deletion requests would add another compliance burden for dating apps. To mitigate this, dating apps should invest in data encryption and anonymisation, and implement top-tier cybersecurity measures.

Conclusion

The primary concern surrounding the use of personal data by dating apps is user apathy. Most users remain unaware of how their data is collected, shared and used by these platforms. This lack of awareness is compounded by insufficient safeguards, which contribute to indifference toward unethical data practices. Dating apps like Bumble actively encourage data sharing by rewarding users with a higher profile completion percentage based on the information they provide. The freemium business model further incentivises the collection and monetisation of user data, creating a situation where both the platform and its users are dependent on data exchange to meet their respective goals - whether that’s finding a match or driving revenue.

In this context, regulatory and policy interventions become essential. The upcoming DPDPA, with its focus on informed consent, legitimate use and restrictions on data transfer, has the potential to bring much-needed transparency to the relationship between dating apps and users. Once enforced, the DPDPA could shift user apathy toward greater awareness and activism, as users gain access to legal recourse and clearer control over their personal information. Since dating apps depend on this data for revenue, they may need to develop a different business model.

Aastha Mathur is a Senior Associate at PSA Legal Counsellors.
