A leading European digital rights group has accused TikTok of unlawfully tracking users’ activity on Grindr and other apps, in what could amount to a serious breach of international privacy laws.
Austria-based non-profit NOYB (None of Your Business) lodged a formal complaint with the country’s Data Protection Authority on Wednesday, 16 December. The group alleges that TikTok, along with Grindr and marketing company AppsFlyer, violated the EU’s General Data Protection Regulation (GDPR) by tracking sensitive user data across different apps without proper consent.
According to NOYB, TikTok — owned by Chinese tech company ByteDance — accessed private data including a user’s Grindr activity, LinkedIn use, and even shopping cart contents. This data was allegedly shared and processed with the help of AppsFlyer, a third-party data analytics firm.
NOYB claims the information came from an anonymous whistleblower who only discovered their data was being accessed after repeatedly requesting access to their personal information from TikTok.
Under GDPR regulations, companies are legally obligated to inform users about how their personal data is collected and used, typically through a transparent privacy notice. The regulation also includes special protections for sensitive categories of data, such as sexuality, religion, health status, and gender identity.
Violations of GDPR can result in fines of up to €20 million (NZD $40,000,000) or 4% of a company’s global annual revenue, whichever is higher.
“TikTok said the data was used for personalised advertising, analytics, and security,” NOYB told Reuters, citing a response from a TikTok spokesperson.
Previous Privacy Violations
Both TikTok and Grindr have faced regulatory scrutiny and legal action over data privacy in recent years.
In 2024, Grindr was hit with a class-action lawsuit after allegedly sharing highly sensitive user information — including HIV status and ethnicity — with various third parties. The case, led by UK law firm Austen Hays, could affect thousands of users in the UK and globally.
Lawyer Chaya Hanoomanjee said the claimants had suffered “significant distress” due to concerns their private data may have been leaked to advertisers and analytics firms.
In response, a Grindr spokesperson stated the company takes user privacy “extremely seriously” and said the lawsuit was based on “a mischaracterisation of practices from more than four years ago”.
