Bumble’s Icebreakers feature offers users AI-generated opening lines to help spark conversations. But the feature allegedly involves sending sensitive data about people’s dating profiles to OpenAI without users’ consent.
Here’s a look at a complaint about the feature from privacy group noyb, whose legal victories have cost tech companies billions.
Jump to:
- Bumble’s AI Icebreaker feature
- Lack of transparency
- Correspondence with Bumble
- The allegations against Bumble
Bumble’s AI Icebreaker feature
Noyb’s complaint focuses on Bumble For Friends (BFF), an operating mode of the Bumble app which sits alongside two other modes, Bumble Date and Bumble Bizz. Bumble introduced its Icebreakers feature to BFF in December 2023. Icebreakers is unavailable in the other modes of the Bumble app.
The Icebreakers feature provides users with suggested opening lines to send to a match. These suggestions are provided by OpenAI’s GPT Large Language Model (LLM).
To provide Icebreakers, Bumble allegedly transmits personal data for analysis by OpenAI. The suggested opening lines are based on inferences drawn from the BFF profiles of both the sending and receiving users.
To formulate its complaint, noyb supported a BFF user who made “subject access requests” to Bumble under Article 15 of the General Data Protection Regulation (GDPR). The complaint is based on the results of that request and follow-up communications between Bumble and the user.
Lack of transparency
A core part of the complaint alleges that Bumble failed to make the appropriate transparency disclosure required under Articles 12-14 of the GDPR.
Bumble’s privacy policy allegedly failed to adequately explain how Icebreaker works or to provide some of the legally mandatory information that controllers (in this case, Bumble) must tell data subjects (BFF users).
Although Bumble listed several companies, “for example OpenAI,” among the potential recipients of personal data, it failed to disclose the purpose of sending personal data to the company or its legal basis for doing so.
Consent confusion
On implementing its Icebreakers feature, Bumble introduced a pop-up stating:
“We use AI to make it easier for you to start chatting. This allows you to ask questions that match the profile information of our members.”
The pop-up provides links to an FAQ and an “Okay” button to dismiss the notice. The pop-up appears on first opening the app and occasionally while using the Icebreakers feature. Noyb claims that the pop-up initially included an “x” in the top right corner, but this was later removed.
The pop-up also appears in the “Bumble Date” and “Bumble Bizz” modes, even though the Icebreaker feature is only available in the BFF mode.
According to noyb, this pop-up “resembles a consent banner”. Noyb says users “think that their data will not be collected unless they click ‘Okay’.”
Correspondence with Bumble
Noyb describes the complainant’s correspondence with Bumble, which began with a subject access request. Among other things, the complainant requested information about the recipients of her personal data and Bumble’s legal basis for processing.
The complainant claims that Bumble could not initially find her account, despite her verifying her identity with the number she used to authenticate logins. After a week of attempting to prove her identity, Bumble’s support operative appeared not to understand the nature of the complainant’s access request.
After six weeks, Bumble replied to the complainant, referring her to the Bumble privacy policy. The complainant argued that this policy did not include the necessary information about the recipients of her personal data or Bumble’s legal basis.
Almost two months after the original request, Bumble told the complainant that “legitimate interests” was its legal basis for processing personal data in the context of the Icebreaker feature.
The allegations against Bumble
Noyb alleges Bumble violated the following GDPR provisions:
- Article 5(1)(a): Lack of transparency regarding the processing involving OpenAI.
- Article 6(1): Lack of a valid legal basis for transferring data to OpenAI.
- Article 9: Processing sensitive (special category) data without explicit consent.
- Article 15(1)(c): Failure to properly inform the complainant about recipients of her personal data.
The group has requested that the Austrian DPA orders Bumble to bring it processing in line with the GDPR and issue Bumble a fine.
While the case remains undecided, it serves as an important wake-up call to companies implementing AI features within their platforms: Be transparent, give users control over how you use their data, and respond to any enquiries from users in a helpful and timely way.
