Unlawful tracking across apps. It’s no secret that TikTok is rather data hungry. After all, the popular video platform’s algorithm seems to know exactly what content users want to see. However, it’s not well known that TikTok also tracks you while using other apps. A user found out about this unlawful tracking practice through an access request – which showed that e.g. his usage of Grindr was sent to TikTok, likely via the Israeli tracking company AppsFlyer - which allows TikTok to draw conclusions about his sexual orientation and sex life. This is specially protected data under Article 9 GDPR, which can only be processed in exceptional cases. TikTok initially even withheld this information from the user, which violates Article 15 GDPR. Only after repeated inquiries, TikTok revealed that it knows which apps he used, what he did within these apps (for example adding a product to the shopping cart) - and that this data also included information about his usage of the gay dating app Grindr.

Kleanthi Sardeli, data protection lawyer at noyb: “Like many of its US counterparts, TikTok increasingly collects data from other apps and sources. This allows the Chinese app to gain a full picture of people’s online activity. The fact that data from another app revealed this user’s sexual orientation and sex life is just one of the more extreme examples.”

Accomplices in unlawful data processing. TikTok was only able to receive this information with the help of the Israeli data company AppsFlyer and Grindr itself. AppsFlyer most likely functions as a kind of intermediary, which receives the sensitive data about the complainant from Grindr and then passed it on to TikTok. The problem: Neither AppsFlyer nor Grindr have a valid legal basis under Article 6(1) GDPR to share the complainant’s personal data with third parties such as TikTok. And they most certainly don’t have any valid reason to share his sensitive data under Article 9(1) GDPR. At no point in time did the complainant consent to the sharing of his data.

Insufficient reply to access request. Users should generally be informed about the recipients of personal data and even get a copy of said data. However, TikTok seems to structurally violate the users’ right to get such a copy. TikTok refers its users to a “download tool”, but later admitted that this tool only holds what it deems the most “relevant” data – and by far not all personal data. Even after repeated inquiries to add the missing information, TikTok didn’t provide information about which data is being processed and for what purpose.  By doing so, TikTok clearly violates Articles 12 and 15 GDPR, which require companies to provide the information in full and in an easily understandable format.                                                                                         

Lisa Steinfeld, data protection lawyer at noyb: “TikTok directs its users to an inherently incomplete ‘download tool’. It’s fair to assume that thousands of users were sent to this scam tool, which structurally doesn’t comply with the legal requirements to provide a full copy of one’s own personal data.”

Complaints filed in Austria. noyb has therefore filed two complaints with the Austrian data protection authority (DSB). The first complaint is against TikTok and revolves around the incomplete reply to the complainant’s access request. The second complaint is against TikTok, AppsFlyer and Grindr and deals with the undefined processing of off-TikTok data, the lack of a valid legal basis for the data sharing and processing and the violation of Article 9(1) GDPR. We request TikTok to provide the complainant with the missing information and all three companies to stop the unlawful processing of his personal data. Last but not least, we suggest that the authority impose an “effective, proportionate and dissuasive” fine under Article 83 GDPR to prevent similar violations in the future.