Mozilla's Privacy Review Exposes Match Group's Market Control Problem

Match Group operates nine of the 22 dating apps that failed Mozilla's privacy standards review, whilst Bumble controls three more. The finding, published this week in Mozilla's Privacy Not Included consumer guide, exposes a structural problem for privacy-conscious singles: switching platforms to escape invasive data practices often means moving from one subsidiary to another owned by the same parent company. Mozilla's researchers evaluated 25 dating apps against five privacy criteria, with only Lex—a text-based LGBTQ+ app—meeting standards.

Data as product, not byproduct

The Mozilla review found that dating apps routinely collect what researchers termed 'creepy' levels of personal information—race, religion, political affiliation, sexual orientation, precise location data, private messages, and photos—then share or sell it for advertising purposes. The guide notes that most apps bury these practices in privacy policies written to obscure rather than inform.

Create a free account

Unlock unlimited access and get the weekly briefing delivered to your inbox.

What makes dating apps particularly vulnerable to privacy failures isn't technical incompetence. It's business model design. Monetisation through advertising and data partnerships requires extensive user profiling. The more granular the data, the more valuable the inventory.

Match disclosed in its February 2024 10-K filing that 'first-party data' capabilities represent a competitive advantage for ad targeting. Bumble's investor materials describe similar data assets.

For context, the dating industry saw at least 47 reported data breaches between 2017 and 2023, according to research compiled by Surfshark. Grindr alone has faced regulatory action in Norway (fined €6.5M in 2021 for GDPR violations related to ad tracking) and is currently defending against a US lawsuit alleging the app shared users' HIV status with third-party advertisers. Grindr has denied the allegations and called the claims 'meritless', but the case remains in discovery.

The pattern Mozilla identified isn't aberrant behaviour by rogue operators. It's how the advertising-supported dating model functions at scale.

Why independence correlates with privacy

Lex's status as the sole app to pass Mozilla's review isn't coincidental. The platform—launched in 2019 as a modernised version of text-based personal ads—operates without venture capital, carries no advertising, and generates revenue exclusively through a £6 monthly subscription called Lex Expand. According to the app's public statements, it collects minimal data, doesn't use AI matching algorithms, and has no third-party data partnerships.

Smaller, independent platforms reviewed by Mozilla also performed better than their venture-backed counterparts, even if they didn't fully pass. The structural advantage is clear: apps without investor pressure to scale user acquisition costs through performance marketing don't need to build the tracking infrastructure that creates privacy vulnerabilities.

This creates an uncomfortable dynamic for operators. The dating apps most users can actually discover—those with marketing budgets capable of competing in App Store search and Meta advertising auctions—are precisely the ones most incentivised to monetise user data. Independence offers cleaner data practices but makes customer acquisition nearly impossible at scale.

Regulatory collision approaching

Mozilla's review arrives as European enforcement of the General Data Protection Regulation (GDPR) intensifies and the UK Online Safety Act (OSA) takes effect. The OSA requires dating platforms to implement age verification and protect users from illegal content by March 2025. Separately, the EU Digital Services Act (DSA) mandates transparency in algorithmic systems and restricts targeted advertising to minors.

Dating apps sit at the intersection of multiple regulatory frameworks. They're social platforms under the DSA, data controllers under GDPR, and—because many target under-25s—subject to heightened child safety requirements. Compliance teams are managing overlapping obligations whilst product and growth teams resist changes that could impact conversion funnels.

Match mentioned regulatory compliance costs 17 times in its Q4 2024 earnings call, up from nine mentions the previous quarter. Bumble's general counsel told investors in November that the company had hired additional compliance staff across three jurisdictions. Grindr has disclosed spending $4.3M on privacy and regulatory infrastructure since 2022.

The commercial tension is sharpening. Tightening data collection reduces ad targeting effectiveness, which pressures already-declining revenue per user. Match reported Q4 2024 direct revenue (primarily subscriptions) up 5% year-over-year but indirect revenue (advertising) down 2%. Bumble's advertising revenue fell 8% in the same period. Both companies attributed softness partly to changes in data availability for ad targeting.

What operators can actually do

The Mozilla review offers no viable short-term playbook for scaled operators. Rebuilding data architecture to collect and retain less information whilst maintaining personalised matching, fraud detection, and trust and safety operations would require engineering resources most dating companies have just finished cutting. Match eliminated 8% of staff in 2024. Bumble cut 30% of staff.

Subscription-only models like Lex's avoid the data-for-ads trade-off but require conversion rates scaled platforms can't achieve without extensive funnel optimisation—which itself requires data collection. The apps that passed or nearly passed Mozilla's standards operate at user bases between 500,000 and 2 million. Match's paying user base was 11.4 million in Q4 2024.

What's emerging instead is a two-tier market: venture-backed platforms competing on user acquisition efficiency, and independent apps competing on privacy credentials. The former control distribution and discovery. The latter control reputation with the privacy-conscious segment that Mozilla's guide will likely expand. Research shows that users perceive two types of privacy risks on dating apps: immediate concerns about other users accessing their personal information and broader worries about corporate data handling. Whether that segment represents 3% or 30% of the addressable market will determine if cleaner data practices ever become commercially viable at scale. Recent investigations demonstrate how popular dating apps have shared sensitive data to third parties, whilst associated privacy risks include the use of dating apps for criminal purposes including stalking, sexual violence, and other violent crimes.