A number of highly popular smartphone apps including Grindr, OkCupid and Tinder are illegally sharing the intimate personal information of their users to advertisers, a new study has found.

The Norwegian Consumer Council looked into the data sharing practices of 10 smartphone apps and found that they collectively handed over personal data, including information that could indicate someone’s sexuality, religious beliefs and location, to at least 135 companies.

These companies include tech giants Facebook, Amazon and Google, along with a range of smaller, lesser known firms like AppsFlyer, Fysical and Receptiv.

“Every time we use our phones, a large number of shadowy entities that are virtually unknown to consumers are receiving personal data about our interests, habits and behaviours,” the study found.

“These actors use this information to track us over time and across devices, in order to create comprehensive profiles about individual consumers. In turn, these profiles and groups can be used to personalise and target advertising, but also for other purposes such as discrimination, manipulation and exploitation.”

The study found that despite the General Data Protection Rule coming into effect in Europe nearly two years ago, “consumers are still pervasively tracked and profiled online and have no way of knowing which entities process their data and how to stop them”.

Many of these practices are against the law in Europe, according to the Norwegian Consumer Council.

The worst of the worst

Grindr’s data sharing practices were found to be particularly egricious. The app shared highly detailed user data with a large number of third parties, with the information including IP address, GPS location, age and gender. Those third parties then reserved the right to share the information with even more companies.

The Norwegian Consumer Council will be filing an official complaint against Grindr because of this.

The study also found that dating app OkCupid passed on information including sexuality, political views and drug use to third party advertising company Blaze, while Perfect365 sent data including GPS location to more than 70 companies.

The findings amount to “comprehensive illegal collection and indiscriminate use of personal data”, Norwegian Consumer Council director of digital policy Finn Myrstad said.

“These practices are both highly problematic from an ethical perspective, and are rife with privacy violations and breaches of European law,” Myrstad said.

The sort of information handed over to advertising firms can provide a “complex picture of individuals, revealing what we do in our daily lives, our secret desires and our most vulnerable moments,” he said.

“This massive commercial surveillance is systematically at odds with our fundamental rights and can be used to discriminate, manipulate and exploit us,” Myrstad said.

The investigation of the 10 popular apps is likely to be representative for most smartphone apps, the study concluded.

“Because of the scope of tests, size of the third parties that were observed receiving data, and popularity of the apps, we regard the findings from these tests to be representative of widespread practices,” it said.

Yet another controversy

The study comes after a number of data sharing controversies in recent years involving some of the biggest tech companies in the world. Most prominent was Facebook’s Cambridge Analytica scandal, with the data of millions of Facebook users harvested without their consent through a personality quiz app.

The personal data of more than 300,000 Australians was “improperly shared” as part of the incident, with the Australian Privacy and Information Commissioner currently conducting an inquiry into it.

It was also revealed last year that the majority of Android apps are automatically sharing user data with Facebook without the permission of the users as part of a Privacy International report.