TikTok Faces Complaints Over Cross‑App Tracking * Science and Technology Times

Privacy group noyb has filed two complaints against TikTok and its data‑sharing partners after uncovering extensive cross‑app tracking practices.
The organisation says TikTok collected sensitive information from other apps without consent and failed to provide users with full access to their personal data.
Regulators in Austria are now being asked to investigate and impose penalties for alleged GDPR violations.

Tracking Beyond the TikTok App

TikTok’s data collection practices extend far beyond activity within its own platform, according to findings published by noyb. A user discovered through an access request that TikTok had received information about his behaviour in other apps, including the dating app Grindr. The data was reportedly transmitted via AppsFlyer, an Israeli tracking company that integrates with numerous mobile services. Such information can reveal highly sensitive details, including sexual orientation, which is protected under Article 9 of the GDPR and may only be processed in exceptional circumstances.

TikTok initially withheld this information from the user, providing only partial data in response to his request. Only after repeated follow‑ups did the company disclose that it knew which apps he used and what actions he performed, such as adding items to a shopping cart. The revelation raised concerns about the scope of TikTok’s off‑platform tracking capabilities. It also highlighted the risks associated with third‑party data pipelines that operate largely out of public view.

Data‑Sharing Partners Under Scrutiny

The complaints argue that TikTok could only obtain this information because AppsFlyer and Grindr transmitted it without a valid legal basis. AppsFlyer appears to have acted as an intermediary, receiving data from Grindr and forwarding it to TikTok. Neither company, according to noyb, had lawful grounds under Article 6(1) GDPR to share the user’s personal information with external parties. They also lacked justification under Article 9(1) GDPR to process or transmit sensitive data.

At no point did the user consent to this sharing, making the transfers potentially unlawful. The case illustrates how interconnected tracking systems can expose users to privacy risks even when they are not actively using a particular app. It also raises questions about how widely such data flows occur across the mobile ecosystem. Privacy advocates warn that these practices can create detailed behavioural profiles without users’ knowledge.

Incomplete Access Responses and Legal Action

The second complaint focuses on TikTok’s handling of access requests. Users are entitled to receive a full copy of their personal data and information about how it is processed. TikTok directs users to a download tool for this purpose, but the company later admitted that the tool contains only what it considers the most “relevant” data. Even after repeated inquiries, TikTok did not provide the missing information or clarify the purposes of its processing.

Noyb argues that this approach violates Articles 12 and 15 of the GDPR, which require companies to supply complete and understandable data upon request. The organisation says thousands of users may have been directed to an incomplete tool that fails to meet legal standards. Two formal complaints have now been filed with Austria’s data protection authority. Noyb is asking regulators to require TikTok to disclose all relevant data and to halt the unlawful processing carried out by TikTok, AppsFlyer and Grindr.