Dating app Grindr and a Twitter-owned advertising-tech firm have been accused of unlawfully sharing users' data.
It is part of a wider investigation by the Norwegian Consumer Council (NCC) into the "out of control" advertising industry and profiling of customers.
Along with four other ad-tech companies, they face huge fines if found to be in breach of EU data laws.
Grindr said it was changing its consent platform while Twitter has temporarily disabled the relevant account.
"We are currently investigating this issue to understand the sufficiency of Grindr's consent mechanism. In the meantime, we have disabled Grindr's MoPub account," Twitter told BBC News.
Grindr and its advertising partners are accused of sharing details such as location, age, gender and sexuality, in breach of the GDPR (General Data Protection Regulation).
In response, Grindr said that it was "implementing an enhanced consent management platform."
"While we reject a number of the report's assumptions and conclusions, we welcome the opportunity to be a small part in a larger conversation about how we can collectively evolve the practices of mobile publishers and continue to provide users with access to an option of a free platform," it told the BBC.
Under GDPR rules, companies found to have shared user data illegally face fines of up to 4% of their global turnover.
Advertising-tech companies gather information about users' interests, habits and behaviour every time they use certain apps on their smartphones. The information is then used to create comprehensive profiles that can be used for targeted advertising.
Under the GDPR, any data gathered must be given with the informed consent of users but the NCC's analysis of ad-tech companies' privacy policies suggested the language was often "incomprehensible" with "questionable legal basis".
"These practices are out of control and are rife with privacy violations and breaches of European law, said Finn Myrstad, director of digital policy in the Norwegian Consumer Council.
"The extent of tracking makes it impossible for us to make informed choices about how our personal data is collected, shared and used.
"Consequently, this massive commercial surveillance is systematically at odds with our fundamental rights."
Lawyer Max Schrems, who founded the European Centre for Digital Rights and worked with the NCC on the complaints, said: "Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app.
"This is an insane violation of users' EU privacy rights."
The companies under investigation are:
- Twitter's MoPub
- ATT's AppNexus
AdColony told the BBC it "respects the privacy of individuals around the globe and their desire to exercise their privacy rights".
Smaato said: "We are currently reviewing the entirety of the report from the Norwegian Consumer Council and we have already begun an internal investigation. In the meantime, we have blocked all Grindr traffic to our platform until further notice."
OpenX has not yet responded and AppNexus declined to comment.