In an age where AI is being woven into the fabric of everyday digital experiences, even dating apps aren’t exempt. But Bumble’s recent experiment with AI-generated conversation starters may have swiped left on EU data protection rules.
The AI feature that didn’t ask first
In December 2023, Bumble rolled out “AI Icebreakers” for its “Bumble for Friends” platform. The feature uses OpenAI’s ChatGPT to generate suggested opening lines based on a user’s profile. To do that, Bumble feeds your personal data, including profile content and potentially sensitive information, into an AI system operated by a third party. There’s just one problem: at no point did Bumble get your clear, informed consent.
Instead, users were presented with a persistent pop-up banner reading: “AI breaks the ice. We use AI to help you get started with chatting.” The only real option was to click “Okay”. Try closing it? It reappears the next time you open the app — a classic example of dark pattern design meant to manufacture consent, without ever actually giving users a proper choice.
Pretending it’s consent, claiming it’s legitimate interest
Despite what the banner suggests, Bumble isn’t relying on consent under Article 6(1)(a) of the GDPR. In fact, when one user pushed for clarity through a subject access request under Article 15, Bumble finally disclosed that it considers this processing to fall under “legitimate interests” — specifically Article 6(1)(f). This is despite the fact that Bumble is handing user data, possibly including sexual orientation, to a US-based AI provider.
That’s a problem. Sensitive data like sexual orientation is protected under Article 9 of the GDPR and can only be processed with explicit consent. Legitimate interest simply doesn’t cut it, particularly when the data is being used to generate content via a third-party AI.
noyb files complaint with Austrian DPA
Privacy rights organisation noyb (None of Your Business), founded by Max Schrems, filed a formal complaint with Austria’s data protection authority. The complaint outlines several alleged violations:
- Lack of transparency under Article 5(1)(a), due to misleading messaging and failure to disclose recipients.
- Absence of a valid legal basis under Article 6(1), with no explicit consent despite processing of sensitive data.
- Failure to fulfil access rights under Article 15, by providing incomplete information during the subject access request.
- Unlawful processing of special category data under Article 9.
noyb is calling for immediate cessation of the data processing, a proper legal framework for future use of AI features, and an administrative fine to deter repeat behaviour.
Don’t let “legitimate interest” land you in trouble
Bumble’s situation is a case study in how not to implement AI under GDPR. Organisations using AI to process user data, especially via third-party providers, need to tread carefully. Consent must be freely given, informed, and specific. Pretending to offer a choice through persistent nudges is both unethical and illegal.
How VinciWorks can help
We help businesses stay compliant as AI and GDPR continue to intersect.
GDPR training
The global reach of GDPR means that any company or firm that offers goods or services in the EU is required to comply. Training will ensure that you can do that. Our GDPR courses include an in-browser editing tool that lets you customise the courses to reflect your information security challenges and best practices.
AI training
Artificial intelligence (AI) can transform how work gets done, but companies and firms need to understand the opportunities and risks inherent in this emerging technology. Our innovative AI compliance courses provide training that will ensure you stay ahead of the curve and avoid compliance fines and reputational damage.
GDPR registers
GDPR compliance imposes significant burdens on DPOs and data processors, including reporting breaches within 72 hours and documenting new data processing activities. Fines for non-compliance can reach tens of millions of Euros. Implementing clear processes is crucial. Omnitrack’s GDPR Workflows, developed with top law firms, streamline compliance by automating data collection and management. This ensures completeness, reduces administrative burden, and simplifies regulatory evidence.
Get in touch to learn more about how we can help you stay on the right side of data protection law.