Bumble's Privacy Policy Rewrite: Transparency Without Control

Mozilla's public campaign against Bumble's data practices secured a privacy policy rewrite from the dating app—but not the actual privacy protections it demanded. The non-profit's October victory lap came after Bumble revised its policy to clarify data sharing practices, yet the company declined to implement opt-in consent for sharing personal information with third parties. Instead, users got better transparency about what Bumble does with their data, not better control over whether it happens.

The episode lays bare an uncomfortable truth: even dating platforms that have built entire brands around protecting women won't actually give users meaningful control over their most sensitive information. Bumble's carefully cultivated reputation as the industry's ethical operator didn't translate into fundamental privacy protections when Mozilla came calling.

Create a free account

Unlock unlimited access and get the weekly briefing delivered to your inbox.

Register free

No spam. No password. We'll send a one-time link to confirm your email.

What Bumble Actually Changed

Mozilla's *Privacy Not Included project had flagged Bumble in a broader investigation that found 22 of 25 dating apps failed basic data protection standards. The non-profit specifically challenged Bumble on sharing user data with third parties without explicit opt-in consent, a practice Mozilla argued violated the spirit of regulations like the EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act.

Bumble's response, rolled out in October, focused on making its privacy policy 'easier to read and understand', according to Mozilla's own account of the exchange. The company added clearer language about how it shares data with advertising partners, analytics providers, and other third parties. What it didn't add: a mechanism for users to opt in before that sharing begins.

The distinction between transparency and control represents a well-worn path in privacy theatre. Companies provide detailed explanations of data practices whilst maintaining those practices as default settings that most users never disable. For Bumble, that means subscribers still share personal information—including location data, demographic details, and behavioural patterns—unless they navigate opt-out settings buried in privacy controls.

Bumble maintained to Mozilla that it 'does not sell sensitive personal data', a claim that requires parsing. The company may not engage in direct data sales, but sharing information with ad tech partners, measurement providers, and analytics platforms achieves similar commercial outcomes. Data doesn't need to change hands in a transaction labelled 'sale' to flow through the digital advertising ecosystem that monetises user information.

The Industry's Structural Privacy Problem

Dating platforms operate in a particularly precarious position within the privacy landscape. The information they collect goes beyond standard digital advertising profiles to include sexual orientation, relationship preferences, private photographs, message content, and precise location data. For LGBTQ+ users in hostile jurisdictions, domestic abuse survivors, or professionals in conservative industries, this data presents genuine physical and economic risks if exposed or misused.

Match Group (MTCH) platforms have faced repeated scrutiny over data practices, with Mozilla's investigation flagging multiple properties across the company's portfolio. Bumble (BMBL) was meant to represent the alternative—a dating operator that prioritised user safety alongside growth metrics. The company's prospectus for its February 2021 IPO mentioned 'safety' 103 times and positioned its 'women-first' ethos as competitive differentiation.

That brand positioning makes the privacy policy revision particularly telling. Bumble clearly recognised Mozilla's campaign as a reputational threat significant enough to warrant response. The company engaged with the non-profit, revised its documentation, and allowed Mozilla to claim partial victory. What it wouldn't do is change the default data sharing settings that presumably feed its advertising and monetisation infrastructure.

Industry-wide, dating operators have built revenue models dependent on data sharing. As subscription growth stagnates, alternative monetisation through advertising and data partnerships becomes more attractive precisely when privacy advocates demand restrictions on those practices.

Match Group reported $836M in direct revenue in Q3 2024, down 2% year-over-year, whilst average revenue per payer declined across its portfolio. Bumble posted $275M in total revenue for Q3, with à la carte revenue (which includes advertising) up 27%.

The Regulatory Pressure Building

Mozilla's campaign represents soft power—naming and shaming without enforcement teeth. Actual regulatory frameworks are tightening around data practices, though implementations vary wildly by jurisdiction. The Digital Services Act (DSA) imposes obligations on very large platforms, a designation that applies to mainstream social networks but leaves most dating apps below the threshold. The UK Online Safety Act (OSA) focuses on illegal content and child safety rather than data privacy specifically.

Dating operators face a patchwork of requirements across markets, with the GDPR in Europe, various state-level privacy laws in the US, and emerging frameworks in markets from Brazil to India. Compliance teams at dating companies already juggle age verification mandates, content moderation requirements, and safety-by-design obligations. Privacy protections that actually empower users—like mandatory opt-in for data sharing—would add operational complexity whilst cutting off monetisation channels.

The business incentives point firmly against substantive privacy reforms. Until regulators mandate specific protections or users demonstrate they'll switch platforms over privacy practices, dating operators can afford to offer transparency without control. Bumble's response to Mozilla suggests the company calculated that policy clarification would satisfy public pressure whilst maintaining its data operations intact.

Industry insiders watching the exchange should note what didn't happen. Bumble didn't announce a competitive advantage play around privacy, positioning itself as the dating app that gives users genuine control. It didn't commit to opt-in defaults even for sensitive data categories. The company that disrupted dating norms with 'women make the first move' apparently sees no market opportunity in 'users control their data'.

The most revealing aspect of the Mozilla-Bumble dynamic is that it happened at all. A non-profit with no regulatory authority successfully pressured a publicly traded dating operator to revise its privacy documentation through public criticism alone. The fact that Bumble responded demonstrates reputational sensitivity. The limits of that response demonstrate where brand protection stops and business model protection begins.

Operators should expect privacy pressure to intensify as dating apps face increased scrutiny over trust and safety practices. The question facing product and compliance teams is whether they'll address privacy proactively or reactively—and whether 'addressing' it means transparency theatre or actual user control. The Electronic Frontier Foundation has outlined steps users can take to protect their privacy on Bumble, highlighting the gap between what platforms provide and what users actually need.