Your dating app activity is TikTok's business now
Privacy advocates filed two GDPR complaints against TikTok on December 9, exposing systematic tracking across mobile apps including Grindr, incomplete data access responses, and potential violations involving sexual orientation data worth up to €530 million in fines.
European privacy advocacy group noyb filed two separate complaints against TikTok with the Austrian Data Protection Authority on December 9, 2025, revealing that the social media platform tracks users across multiple third-party applications, including the gay dating app Grindr, without obtaining valid consent. The complaints expose systematic violations of GDPR Articles 5, 6, 9, 12, and 15, with potential penalties reaching 4% of TikTok's global annual revenue.
The first complaint, designated case number C-103-01, centers on TikTok's failure to provide complete information in response to user access requests under Article 15 GDPR. The second complaint, case C-103-02, alleges unlawful data collection involving special categories of personal data revealing sexual orientation and sex life, processed without explicit consent as required by Article 9 GDPR. Both complaints also name AppsFlyer, an Israeli mobile measurement company, and Grindr LLC as co-respondents for their roles in the data sharing ecosystem.
Incomplete access responses mislead users
A TikTok user downloaded his personal data on August 20, 2024, using the platform's in-app download function. The data package included a file labeled "Off TikTok Activity" containing references to his actions outside the TikTok application, but provided no explanations about how this data was collected, processed, or shared with third parties. The file listed "admin8888" as the source for significant portions of the tracked activities, offering no meaningful information about the actual origins of the data.
The complainant contacted TikTok on September 9, 2024, requesting clarification about the platform's privacy policy and access to his complete personal data as guaranteed by Article 15 GDPR. TikTok responded on October 9, 2024, stating it would provide a full response by December 9, 2024. When that deadline arrived, TikTok delivered an additional data package but continued to withhold complete information about data recipients and sources.
TikTok's December 9, 2024, response revealed that the in-app download function provides only what the company considers "most relevant" data rather than the complete copy required by Article 15(3) GDPR. The platform's download interface displays language suggesting users are accessing "all data," with phrases like "Download all available information related to your account" and the heading "All data." This misleading presentation violates the transparency requirements of Articles 12(1) and 5(1)(a) GDPR.
The data glossary TikTok eventually provided remained incomplete and incomprehensible for average users. Data categories labeled "params_pii" and "header" contained vague descriptions consisting of number sequences with no meaningful explanation of their purpose or significance. The "Header" column description stated only that it contains "basic information about the data reported to TikTok's systems, such as the time," followed by a non-exhaustive example of an information string.
According to EDPB Guidelines 01/2022, when controllers provide raw data to users, "the data may need to be explained in order to be understandable to the data subject." The guidelines specify that information must be comprehensible to an average member of the target audience. TikTok's user base, which includes over one billion people globally, consists predominantly of non-technical users who cannot reasonably understand database architecture or programming syntax.
Another user contacted TikTok after receiving similarly incomplete information through the in-app download function. TikTok responded by email on November 11, 2024, merely referring to its privacy policy without providing additional data. This pattern suggests systematic violations rather than isolated incidents affecting individual complainants.
Cross-app tracking reveals sexual orientation
The December 9, 2024, data delivery from TikTok included two tables containing "off-TikTok activity data"—information about the complainant's actions in applications completely unrelated to TikTok's video platform. These tables revealed that TikTok possessed detailed information about which applications the complainant used, what actions he performed within those applications, and whether conversion events occurred after viewing TikTok advertisements.
The data specifically showed the complainant's usage of Grindr, a dating application marketed as "the world's #1 free dating app serving the LGBTQ community." Lines 72, 73, 75, 84, 85, and 86 in the data tables documented multiple instances when the complainant opened and actively used Grindr. This information allows TikTok to draw conclusions about the complainant's sexual orientation and sex life—special categories of personal data protected under Article 9 GDPR.
TikTok stated in its October 9, 2024, letter that it processes off-TikTok activity data for four purposes: providing personalized advertising based on presumed consent, providing measurement and analytics services based on presumed legitimate interest, improving the platform based on legitimate interest, and ensuring platform security based on legitimate interest. The complainant never provided consent for processing his off-TikTok data for personalized advertising purposes. Simply accepting TikTok's terms of service and privacy policy does not constitute valid consent under Articles 4(11) and 7 GDPR.
The data TikTok provided indicates the complainant's account settings showed "user_mode" values demonstrating he had not consented to personalized advertising. TikTok cannot rely on legitimate interests under Article 6(1)(f) GDPR for processing off-TikTok activity data because the processing is not necessary to achieve the vaguely stated objectives of measurement, platform improvement, or security. These interests could be achieved through less invasive methods limited to data generated during actual TikTok usage.
Even if TikTok possessed legitimate interests, they would not override the fundamental rights and freedoms of users whose activities across multiple applications are being tracked and aggregated to create comprehensive profiles. The European Court of Justice addressed similar data aggregation practices in case C-446/21, finding that extensive cross-platform data collection for behavioral advertising violates the data minimization principle of Article 5(1)(c) GDPR.
AppsFlyer and Grindr enabled tracking
TikTok obtained the complainant's Grindr usage data through AppsFlyer, an Israeli company operating mobile attribution and analytics services. AppsFlyer maintains a branch office in Berlin at Schönhauser Allee 180, placing it under German data protection authority jurisdiction for European operations. The company functions as an intermediary that receives user activity data from mobile applications and distributes it to advertising platforms and analytics clients.
AppsFlyer cannot rely on any legal basis under Article 6(1) GDPR for sharing the complainant's personal data with TikTok. The complainant never provided explicit consent for this data transfer. Other potential legal bases—such as contractual necessity, legal obligation, vital interests, or public task—clearly do not apply to commercial data brokering operations. AppsFlyer's claim to legitimate interests fails because users have reasonable expectations that their activities in one application will not be automatically transmitted to unrelated platforms for commercial exploitation.
For special categories of personal data revealing sexual orientation, Article 9(2) GDPR establishes that processing is prohibited unless specific exceptions apply. AppsFlyer cannot invoke any of these exceptions. The complainant did not provide explicit consent under Article 9(2)(a). The data was not manifestly made public by the complainant under Article 9(2)(e)—Grindr usage information visible only to accepted connections within a dating application does not constitute making data "manifestly public" as clarified by the Court of Justice in case C-252/21.
Grindr's role in this data sharing chain presents particularly serious GDPR violations given the dating application's history of data protection problems. The Norwegian Court of Appeal upheld a €6.5 million fine against Grindr on October 25, 2025, for sharing App IDs and other personal data with advertising partners without valid consent between July 2018 and April 2020. The court determined that Grindr App IDs constitute information about sexual orientation and sexual relationships under Article 9(1) GDPR because they reveal that individuals are using a dating application primarily serving gay men and the LGBTQ community.
Grindr transmitted the complainant's usage data to AppsFlyer, which subsequently shared it with TikTok. Neither Grindr nor AppsFlyer obtained the complainant's explicit consent for processing or transferring special categories of personal data. Grindr's privacy policy and terms of service do not satisfy GDPR consent requirements, particularly for Article 9 special category data requiring heightened protection.
Recipients and sources remain undisclosed
TikTok violated Article 15(1)(c) GDPR by failing to disclose the specific recipients of the complainant's personal data. The European Court of Justice ruled in case C-154/21 that controllers must provide information about all recipients that is "as specific as possible." The information should "contain information about specific recipients" rather than generic categories, and controllers cannot satisfy this obligation by referring users to privacy policy documents.
TikTok's October 9, 2024, and December 9, 2024, responses merely copied sections from its privacy policy describing general categories of potential data recipients. The platform stated that it shares information with "third party platforms and partners" when users log in through third-party accounts, register through third-party platforms, or publish content to other social media platforms. These vague category descriptions fail to identify which specific entities actually received the complainant's data and for what processing purposes.
The Austrian Data Protection Authority has repeatedly held that providing general privacy policy language does not satisfy Article 15 obligations because such documents contain generic information about planned processing rather than specific details about actual processing of individual users' data. The distinction matters because transfers to recipients are possible but may not occur, or controllers may process data in ways not foreseeable in advance or even unlawfully.

TikTok also failed to disclose the sources from which it obtained the complainant's personal data, violating Article 15(1)(g) GDPR. The December 9, 2024, response regarding off-TikTok data sources referred only to "advertisers" who "may share information with us" through various methods. This generic description fails to identify specific third parties involved in collecting and transmitting data about the complainant's Grindr usage to TikTok's systems.
EDPB Guidelines 01/2022 specify that controllers must disclose "exactly which third parties were involved" when responding to access requests about data sources. TikTok's references to its privacy policy do not fulfill this requirement because the privacy policy describes potential data sources in general terms rather than identifying actual sources for specific data points about individual users.
TikTok attempted to justify withholding information by invoking Article 15(4) GDPR, claiming that disclosure would compromise "threat detection and security practices" or "the rights and freedoms of third parties." This provision applies only to requests for copies of data under Article 15(3), not to requests for information about processing under Article 15(1). Even where Article 15(4) applies, controllers must demonstrate that disclosure would actually adversely affect others' rights—TikTok provided no substantiation for its claims beyond conclusory assertions.
Data minimization violations
TikTok's indiscriminate collection and processing of off-TikTok activity data violates the data minimization principle of Article 5(1)(c) GDPR, which requires that personal data be "adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed." The platform should implement organizational measures ensuring that for each specific purpose, only data indispensable for achieving that purpose undergoes processing.
The European Court of Justice addressed similar systematic data collection in case C-446/21 concerning Meta's processing of user data across Facebook, Instagram, and third-party websites. The court found that accumulating vast amounts of data from diverse sources to create detailed user profiles exceeds what is necessary for providing social networking services or personalized advertising. Controllers must demonstrate that each specific data point contributes to the stated processing purpose.
TikTok tracks which applications users open, what actions they perform within those applications, when they add items to shopping carts, and whether they complete purchases after viewing TikTok advertisements. This granular cross-application surveillance extends far beyond what is necessary for the four purposes TikTok invoked: personalized advertising, measurement and analytics, platform improvement, and security.
Personalized advertising on TikTok could operate using data generated within the TikTok application itself—user interactions with videos, expressed interests, search queries, and engagement patterns. Measurement and analytics services for advertisers require only aggregate conversion data, not detailed tracking of every action users perform across their entire mobile device ecosystem. Platform improvement and security objectives likewise do not necessitate comprehensive surveillance of activities in unrelated applications.
The scope of TikTok's data collection becomes clear from the data tables provided to the complainant. Individual rows document discrete events such as "app_open," "add_to_cart," and conversion events for specific products. The tables include technical parameters revealing device specifications, geographic location, timestamps, advertising identifiers, and application-specific information. This extensive tracking infrastructure operates continuously across users' digital activities, accumulating data that provides minimal value for the stated processing purposes while enabling comprehensive profiling.
Enforcement implications for platforms
The complaints against TikTok arrive amid intensifying European regulatory pressure on the platform's data practices. The Irish Data Protection Commission imposed a €530 million fine on TikTok on May 2, 2025, for unlawful transfers of European user data to China and transparency failures in its privacy policy. That decision included orders requiring TikTok to bring processing operations into compliance within six months and threatening to suspend data transfers to China if compliance was not achieved.
TikTok subsequently admitted to the Irish regulator that it discovered in February 2025 that "limited EEA User Data had in fact been stored on servers in China, contrary to TikTok's evidence to the Inquiry." This revelation prompted a new investigation into whether TikTok provided inaccurate information during regulatory proceedings—potentially warranting additional penalties beyond the existing €530 million fine.
The December 9 complaints add new dimensions to TikTok's regulatory challenges by documenting systematic violations distinct from data transfer issues. The cross-application tracking alleged in case C-103-02 demonstrates that TikTok operates extensive surveillance infrastructure extending beyond its own platform to monitor user activities across the mobile ecosystem. The incomplete access responses documented in case C-103-01 suggest TikTok has implemented systems designed to obscure the full scope of data processing from users and regulators.
Previous GDPR complaints against Chinese technology companies filed by noyb in July 2025 targeted TikTok, AliExpress, and WeChat for failing to provide complete information in response to access requests. The Irish High Court decision on November 17, 2025, allowed TikTok to challenge the €530 million fine and temporarily suspended the order to cease data transfers to China pending judicial review. That ruling could extend resolution until March 2026, demonstrating the prolonged timelines involved in European data protection enforcement.
For advertising technology companies and mobile measurement providers, the complaints highlight growing legal risks associated with cross-application tracking infrastructure. AppsFlyer and competitors including Adjust, Branch, Kochava, Singular, and Airbridge provide software development kits that mobile applications integrate to enable attribution and analytics. These SDKs collect user actions and transmit data to measurement platforms, which then distribute information to advertising platforms and analytics clients.
The data sharing ecosystem depends on legal theories that GDPR enforcement is increasingly challenging. Mobile measurement partners typically claim legitimate interests or contractual necessity as legal bases for data collection and sharing. These justifications face scrutiny when processing involves special categories of personal data, when sharing extends beyond parties with direct user relationships, or when processing occurs without transparent disclosure enabling informed user choices.
Grindr's €6.5 million fine from Norwegian authorities established that App IDs revealing dating application usage constitute special category data requiring explicit consent. The Norwegian court rejected Grindr's arguments that users could avoid data sharing through paid subscriptions or device-level settings, finding that personal data was shared immediately upon accepting the privacy policy before users could access alternatives. The court determined Grindr acted intentionally, with personnel "aware of and made a conscious choice regarding what information was shared with advertising partners."
Transparency failures undermine user rights
The structural inadequacy of TikTok's data download function prevents users from effectively exercising rights under Articles 16-22 GDPR. Users cannot rectify inaccurate data, erase unnecessary processing, restrict unlawful activities, or object to processing without first understanding what data exists and how it is being processed. Article 15 access rights serve as the foundation enabling enforcement of all other data subject rights.
Recent Austrian Supreme Court litigation involving Meta established on December 18, 2025, that platforms cannot limit access rights through selective disclosure or generic download tools. After 11 years of litigation initiated by privacy advocate Max Schrems, the court ordered Meta to provide complete access to all personal data collected from the user, with detailed information about sources, recipients, and processing purposes for every data point.
The Austrian Supreme Court rejected Meta's trade secret arguments and Article 15(4) limitations, determining that controllers must provide comprehensive information about processing under Article 15(1) regardless of internal policies or business interests. The court awarded €500 in damages for GDPR violations, establishing a baseline compensation amount that could apply to numerous similar cases throughout Europe.
Data protection authorities have repeatedly found that providing download tools containing only "relevant" or "most commonly requested" data violates Article 15(3) requirements for complete copies. The European Data Protection Board confirmed in Guidelines 01/2022 that controllers are obliged to provide complete copies unless users expressly request otherwise. Summaries or selections of data do not satisfy legal obligations.
TikTok's misleading interface language suggesting the download tool contains "all data" compounds transparency violations. Users reasonably believe they are accessing complete information when the platform explicitly represents the download function as comprehensive. Only after repeated inquiries and formal complaints did TikTok acknowledge that its in-app tool provides merely "most relevant" data selected according to undisclosed criteria.
The glossary TikTok eventually provided fails to meet GDPR standards for understandable information. While some data categories received clear explanations—such as "Your derived gender. The value '2' means that your derived gender is female"—most categories contained only vague descriptions using technical jargon incomprehensible to average users. The "Header" category explanation referenced "basic information" contained in "data packets" with "information strings" but provided no meaningful clarification of what the extensive JSON-formatted technical data actually represents.
Financial exposure and corrective measures
noyb's complaints request that the Austrian Data Protection Authority investigate the matter, determine that violations occurred, order TikTok to fully comply with Article 15 obligations, and impose "effective, proportionate and dissuasive" fines under Article 83 GDPR. For violations of Articles 12 and 15, fines can reach €20 million or 4% of global annual revenue, whichever is higher. For violations of Articles 5, 6, and 9 involving unlawful processing and special category data, fines can reach the same maximum amounts.
TikTok generated revenue exceeding $13 billion globally in 2024. A fine of 4% would equal approximately $520 million—comparable to the €530 million penalty imposed by Irish authorities for data transfer violations. The cumulative financial exposure from multiple enforcement actions could reach over €1 billion if authorities pursue maximum penalties across jurisdictions.
The complaints also name AppsFlyer and Grindr as respondents, exposing those companies to separate enforcement actions and potential fines. AppsFlyer's European operations through its Berlin branch place it under German data protection authority jurisdiction. The Berlin Commissioner for Data Protection and Freedom of Information would likely coordinate with Austrian authorities through GDPR cooperation mechanisms if AppsFlyer is found to be a joint controller or separate controller for the processing at issue.
Grindr faces enforcement by Austrian authorities as the competent supervisory authority since the company, based in the United States, has no establishment in the European Economic Area and is subject to GDPR under Article 3(2). The cooperation mechanism of Article 56 GDPR does not apply to Grindr, making the Austrian Data Protection Authority directly responsible for investigating and determining violations. Grindr's revenue from advertising reached $53.7 million in 2024, with total revenue of $344.6 million, limiting maximum fine exposure compared to TikTok but still presenting material financial risk.
Corrective measures could extend beyond financial penalties to operational restrictions. The Irish Data Protection Commission's May 2025 decision ordered TikTok to suspend data transfers to China if processing did not achieve compliance within six months. Similar orders could require TikTok to disable cross-application tracking infrastructure, implement consent mechanisms meeting GDPR standards, or cease processing special category data until valid legal bases are established.
For advertising technology infrastructure, enforcement outcomes could require fundamental changes to how mobile measurement partners operate. If AppsFlyer and similar companies cannot establish valid legal bases for collecting and sharing user activity data across applications, the entire attribution and analytics ecosystem would need restructuring around first-party data relationships and explicit user consent for each data sharing relationship.
Regulatory coordination across jurisdictions
The Austrian Data Protection Authority received both complaints under Article 77(1) GDPR, which permits users to file with supervisory authorities in their country of residence regardless of where controllers are established. For TikTok, the Irish Data Protection Commission serves as lead supervisory authority under Article 56 GDPR because TikTok Technology Limited maintains its main establishment at The Sorting Office, Ropemaker Place, Dublin 2. The Austrian authority will coordinate with Irish counterparts through Article 60 cooperation procedures.
This coordination process requires the lead authority to cooperate with concerned supervisory authorities and reach joint decisions on enforcement actions. The Irish DPC's May 2025 decision imposing a €530 million fine on TikTok followed consultation with data protection authorities throughout the European Economic Area. No supervisory authority raised objections during the prescribed four-week consultation period, enabling the decision to proceed.
The December 9 complaints introduce new violation allegations distinct from data transfer issues addressed in the Irish proceeding. Cross-application tracking, incomplete access responses, and special category data processing present separate legal questions requiring independent investigation and determination. The Austrian authority could pursue its own enforcement action or coordinate with Irish authorities to address the violations as part of comprehensive proceedings against TikTok.
For AppsFlyer, the Berlin Commissioner for Data Protection and Freedom of Information likely serves as lead authority due to the company's German branch office. The Austrian authority identified AppsFlyer Germany GmbH at Schönhauser Allee 180, 10119 Berlin as the relevant European entity. Cooperation between Austrian and German authorities under Article 56 would determine which authority takes primary responsibility for investigating AppsFlyer's role in the data sharing ecosystem.
Grindr's enforcement presents a simpler jurisdictional situation. As a U.S. company with no European establishment, Grindr is subject to GDPR territorial scope under Article 3(2) because it offers services to European users and monitors their behavior. The cooperation mechanisms of Article 56 do not apply, making the Austrian Data Protection Authority directly competent to investigate and determine violations without lead authority coordination requirements.
Timeline
- August 20, 2024: Complainant downloads personal data using TikTok's in-app function, discovers file labeled "Off TikTok Activity" with incomplete information
- September 9, 2024: Complainant sends formal access request to TikTok requesting clarification about privacy policy and complete personal data under Article 15 GDPR
- October 9, 2024: TikTok responds stating it will provide full information by December 9, 2024, includes preliminary explanations about off-TikTok activity data processing purposes
- November 11, 2024: Another user receives incomplete response from TikTok referring only to privacy policy without providing additional data
- December 9, 2024: TikTok provides additional data package revealing cross-application tracking including Grindr usage, acknowledges in-app download function contains only "most relevant" data
- December 9, 2024: noyb files complaint C-103-01 against TikTok with Austrian Data Protection Authority for incomplete access responses violating Articles 12 and 15 GDPR
- December 9, 2024: noyb files complaint C-103-02 against TikTok, AppsFlyer, and Grindr for unlawful cross-application tracking and special category data processing violating Articles 5, 6, and 9 GDPR
- January 16, 2025: noyb files separate complaints against TikTok and five other Chinese companies for unlawful data transfers to China
- May 2, 2025: Irish Data Protection Commission imposes €530 million fine on TikTok for data transfer violations and transparency failures
- July 12, 2025: Irish DPC opens new inquiry after TikTok admits storing EEA user data on Chinese servers contrary to previous statements
- July 17, 2025: noyb files GDPR complaints against TikTok, AliExpress, and WeChat for systematic violations of Article 15 access rights
- October 25, 2025: Norwegian appeals court upholds €6.5 million fine against Grindr for sharing sensitive user data without valid consent
- November 17, 2025: Irish High Court allows TikTok to challenge €530 million fine, temporarily suspends order to cease China data transfers
- November 24, 2025: German enforcement actions against TikTok and other platforms probe algorithmic systems under DSA, GDPR, and AI Act
- December 18, 2025: Austrian Supreme Court orders Meta to provide complete data access after 11-year legal battle, awards €500 damages
Summary
Who: A TikTok user represented by European privacy advocacy group noyb filed two complaints against TikTok Technology Limited, AppsFlyer, and Grindr LLC with the Austrian Data Protection Authority. The complainants are occasional TikTok users who discovered through access requests that the platform was tracking their activities across multiple third-party mobile applications, including the gay dating app Grindr, without their knowledge or consent.
What: The complaints allege systematic GDPR violations including failure to provide complete access to personal data (Articles 12 and 15), unlawful processing without valid legal basis (Article 6), data minimization failures (Article 5), and processing special categories of personal data revealing sexual orientation without explicit consent (Article 9). TikTok's in-app download function misleads users by claiming to provide "all data" while actually delivering only what the company deems "most relevant," preventing users from understanding the full scope of surveillance conducted through cross-application tracking infrastructure operated in partnership with mobile measurement company AppsFlyer and enabled by data sharing from applications like Grindr.
When: The violations occurred over an extended period from at least August 2024 through December 2024. The complainant downloaded his TikTok data on August 20, 2024, and submitted a formal access request on September 9, 2024. TikTok provided incomplete responses on October 9, 2024, and December 9, 2024. Noyb filed both complaints with the Austrian Data Protection Authority on December 9, 2025, following months of inadequate responses demonstrating systematic rather than isolated violations.
Where: The complaints were filed with the Austrian Data Protection Authority (Datenschutzbehörde) in Vienna under Article 77(1) GDPR. TikTok Technology Limited maintains its European headquarters in Dublin, Ireland, where the Irish Data Protection Commission serves as lead supervisory authority under Article 56 GDPR. AppsFlyer operates through AppsFlyer Germany GmbH in Berlin, placing it under German data protection authority jurisdiction. Grindr LLC is based in West Hollywood, California, and has no European establishment, making it subject to GDPR under Article 3(2) territorial scope provisions.
Why: The violations matter because they prevent European users from exercising fundamental privacy rights and understanding how their most sensitive personal information—including sexual orientation and sex life—is being collected, processed, and shared across commercial data ecosystems without their knowledge or consent. TikTok's misleading data download tool and incomplete responses to access requests prevent users from verifying GDPR compliance, identifying unlawful processing, or exercising rights to rectification, erasure, and objection. The cross-application tracking infrastructure enables comprehensive surveillance extending far beyond TikTok's video platform to monitor users' entire mobile device activities, creating detailed profiles that reveal intimate aspects of users' lives while obscuring the data collection from regulatory oversight and individual awareness.