noyb files GDPR complaints over TikTok’s alleged cross-app tracking and data access failures

Privacy advocacy group noyb has filed two complaints with Austria’s data protection authority against TikTok, AppsFlyer and Grindr, accusing the companies of unlawful cross-app tracking, illegal sharing of sensitive personal data, and failure to fully comply with user data access requests under the EU’s General Data Protection Regulation (GDPR).

TikTok customers on smartphone @Freepik

The complaints highlight how TikTok allegedly tracks users beyond its own app ecosystem and withholds complete information when users request access to their personal data.

TikTok accused of tracking users across other apps

According to noyb, TikTok does not limit its data collection to activity within its own app. Instead, it is increasingly integrated with other apps and websites through third-party tracking tools. In one case, a user discovered through a GDPR access request that his activity on the gay dating app Grindr was shared with TikTok, reportedly via Israeli mobile analytics company AppsFlyer.

The shared data allegedly included details about which apps the user installed and used, as well as actions taken within those apps, such as adding items to a shopping cart. Most critically, the data revealed the user’s Grindr usage, allowing TikTok to infer information about his sexual orientation and sex life.

Under GDPR, such information is classified as sensitive personal data and is protected by Article 9, which allows processing only in very limited and exceptional circumstances.

Sensitive data shared without valid legal basis

noyb argues that neither TikTok, AppsFlyer nor Grindr had a valid legal basis under Article 6(1) GDPR to share the user’s personal data. The organization further states that there was no lawful justification under Article 9(1) GDPR to process sensitive data related to sexual orientation.

At no point, noyb says, did the complainant give informed consent for his data to be shared with TikTok or any third party for advertising or analytics purposes.

Kleanthi Sardeli, data protection lawyer at noyb, said that TikTok’s practices mirror those of many large US-based tech platforms. According to Sardeli, collecting data from multiple apps and sources allows TikTok to build a comprehensive profile of users’ online behavior, with serious implications when sensitive data is involved.

Incomplete response to GDPR access request

The first complaint against TikTok focuses on the company’s alleged failure to properly respond to a data access request. GDPR gives users the right to know what personal data is processed, for what purpose, and who receives it, as well as the right to obtain a complete copy of that data.

TikTok initially referred the user to its data download tool, which the company later admitted only contains data it considers the most relevant. It does not include all personal data processed by TikTok. Even after repeated follow-ups, TikTok allegedly failed to disclose full details about the data collected from other apps and the purposes for which it was used.

noyb claims this practice violates Articles 12 and 15 GDPR, which require transparent, complete and easily understandable responses to access requests.

Lisa Steinfeld, data protection lawyer at noyb, said that TikTok’s download tool is structurally incapable of meeting legal requirements. She warned that thousands of users may have been misled into believing they had received a complete copy of their personal data when they had not.

Complaints filed with Austrian regulator

noyb has submitted both complaints to the Austrian data protection authority. The first targets TikTok for providing an incomplete response to a user’s access request. The second is directed at TikTok, AppsFlyer and Grindr for unlawful processing and sharing of off-TikTok data, lack of a valid legal basis, and violations involving sensitive personal data.

The organization is asking the authority to order TikTok to provide the missing information to the complainant, require all three companies to stop the unlawful processing of personal data, and impose an effective, proportionate and dissuasive fine under Article 83 GDPR to deter similar practices in the future.

Baburajan Kizhakedath
