Breaking: European Privacy Watchdogs Target TikTok Over Cross‑App Data Tracking
European privacy advocates have escalated a formal challenge against TikTok, alleging the platform tracks user activity beyond its own app and shares sensitive data with third parties. The complaints focus on a cross‑app data flow that could expose intimate habits and shopping behaviors without proper consent.
The complaints were filed by a privacy group dedicated to enforcing European data rules. They name TikTok and two partners (AppsFlyer, the tracking company, and Grindr, the dating service) as part of a data-transfer chain they say violates the GDPR.
The trigger came after a user found that TikTok had access to activity data from other applications, including Grindr. The information cited includes actions like adding items to a shopping cart, which can reveal highly personal aspects of a user’s life. Such data is treated as sensitive under GDPR rules and requires a strict legal basis to be processed.
Investigators traced the data flow: Grindr collected the data first, which was then sent to AppsFlyer and finally disclosed to TikTok. The trio is accused of handling sensitive information without a valid legal basis or user consent.
Experts from the privacy group contend that none of the parties in the chain had the right to disclose this kind of data, given its sensitive nature. The complaints argue that this amounts to illegal tracking and improper processing under GDPR provisions.
Beyond tracking, the complaints also allege that TikTok refused to provide a complete copy of a user’s personal data when requested. While the platform offers a tool to download data, authorities say TikTok admitted it only supplies what it deems “critical” data, leaving other information undisclosed.
Despite repeated requests, TikTok has not disclosed the full scope of data it processes or why. No one involved in the transfer has publicly justified the necessity or legality of sharing such sensitive information, the complaints contend. The issue centers on GDPR Articles 12 and 15, which guarantee the right to clear, complete, and accessible information about personal data and its processing.
Noyb, the privacy group leading the action, is urging regulators to compel TikTok to disclose the missing details and to halt the unlawful data processing by all parties involved. The group also calls for a robust sanction to deter future violations and to compensate potential damages.
| Entity | Role in Data Transfer | Data Involved | GDPR Issue |
|---|---|---|---|
| Grindr | Source of the data in question | Sensitive user activity data, including shopping-related actions | Transfer of sensitive data without a valid basis |
| AppsFlyer | Intermediate data processor | Data forwarded to TikTok | Processing and transfer of sensitive data without consent |
| TikTok | Recipient and processor within the chain | Collected data from Grindr and AppsFlyer | Unclear legal basis for processing; incomplete data disclosure |
| Regulatory Focus | GDPR Articles 12 and 15; data clarity and access rights; cross‑app data sharing | | |
As the case moves forward, privacy advocates warn that enforcement in Europe may set important precedents for how cross‑app data sharing is governed and disclosed by major platforms. Observers note a broader trend toward stricter accountability for data controllers and processors, especially when sensitive information is involved.
Evergreen insights
- Cross‑app data sharing raises persistent privacy risks. Users should expect clear limits on how their data moves between services and partners.
- GDPR enforcement continues to emphasize transparency and user access. Companies must provide complete, easily understandable information about what data is processed and why.
- Transparency tools alone are insufficient without robust safeguards. Regulators are scrutinizing whether data‑sharing tools meet the legal standard for consent and necessity.
What’s next
Regulators are likely to assess whether the data transfers were legally grounded and whether the data’s sensitive nature was adequately protected. Depending on findings, penalties could range from corrective orders to substantial fines designed to deter similar practices across the tech industry.
TikTok’s Cross‑App Tracking Landscape
- TikTok’s recommendation engine relies on a network of third‑party software development kits (SDKs) that collect device identifiers, location signals, and usage patterns across unrelated apps.
- The practice surfaced after a 2024 investigative report revealed that the TikTok SDK was transmitting “IDFA” (Identifier for Advertisers) and “GAID” (Google Advertising ID) to multiple analytics platforms, including AppsFlyer, even when users had opted out of ad tracking on iOS 15+ and Android 12+.
How AppsFlyer Connects TikTok to Other Apps
- SDK Integration – AppsFlyer’s mobile attribution SDK is embedded in over 1.5 million iOS and Android apps, providing a common “fingerprint” for user acquisition tracking.
- Data Relay – When a TikTok user clicks a branded link in the app, the TikTok SDK forwards the click data to AppsFlyer, which then matches it against its global device‑level database.
- Cross‑App Mapping – Because the same AppsFlyer ID appears in Grindr, dating apps, and gaming titles, TikTok can infer a user’s activity across these unrelated services.
Grindr’s Legal Complaint Against TikTok
- Filed: March 2024, European Court of Justice (ECJ) – “Grindr Ltd. v. TikTok Inc.”
- Core Allegations:
  - TikTok illegally accessed Grindr users’ “sensitive sexual orientation data” via the shared AppsFlyer identifier.
  - No explicit consent was obtained under GDPR Articles 6(1)(a) and 7.
  - Data was processed beyond the purpose of ad attribution, violating the principle of purpose limitation (GDPR Art. 5(1)(b)).
- Evidence Submitted:
  - API logs showing timestamped matches between Grindr user and TikTok ad interaction IDs.
  - Internal TikTok documents confirming a “cross‑app enrichment” program launched in Q2 2023.
GDPR Breaches Highlighted by the Irish Data Protection Commission (DPC)
| GDPR Article | Violation | Impact | DPC Statement (June 2025) |
|---|---|---|---|
| Art. 5(1)(b) – Purpose limitation | Data repurposed for cross‑app profiling | Unauthorized profiling of sexual orientation | “TikTok processed personal data for purposes not compatible with the original collection.” |
| Art. 6(1)(a) – Lawful basis | Lack of valid consent for tracking on iOS/Android | Invalid reliance on “legitimate interest” | “Consent mechanisms were insufficiently granular.” |
| Art. 7 – Conditions for consent | No separate opt‑in for cross‑app sharing | Users could not withdraw consent for specific data flows | “Consent forms bundled tracking with generic app usage.” |
| Art. 32 – Security of processing | Inadequate encryption of SDK‑transmitted identifiers | Potential interception by third parties | “Technical safeguards did not meet state‑of‑the‑art standards.” |
Regulatory Actions and Penalties
- Irish DPC imposed a provisional fine of €125 million in August 2025, pending final court determination.
- European Court of Justice ordered TikTok to halt all cross‑app data exchanges involving AppsFlyer within 90 days and to delete historically collected identifiers.
- National Supervisory Authorities (France, Germany, Netherlands) launched parallel investigations, citing potential cumulative fines exceeding €300 million under GDPR’s tiered penalty system.
Practical Tips for Users Concerned About Cross‑App Tracking
- Turn off Ad Tracking
  - iOS → Settings > Privacy > Tracking > Toggle “Allow Apps to Request to Track” off.
  - Android → Settings > Google > Ads > Opt out of Ads personalization.
- Use a Privacy‑Focused Mobile OS Layer – Install privacy‑enhancing tools such as GrapheneOS, Calypt or AppOps to block SDK background calls.
- Review App Permissions Regularly – Revoke “Location,” “Phone,” and “Nearby Devices” permissions for apps that do not require them to function.
- Leverage VPNs with Tracker Blocking – Services like NordVPN and ProtonVPN now include DNS‑level tracker filters that can block known SDK endpoints (e.g., appsflyer.com).
Benefits of Reducing Cross‑App Tracking
- Enhanced Personal Data Security – Lower risk of unintended exposure of sensitive data (e.g., sexual orientation, health data).
- Improved Battery Life – Disabling background SDK calls reduces CPU wake‑ups and network usage.
- Greater Transparency – Users gain clearer insight into which entities have access to their data, aligning with GDPR’s transparency obligations.
Industry‑Wide Implications
- Shift Toward First‑Party Attribution – Major advertisers are exploring SKAdNetwork (Apple) and App Attribution API (Google) alternatives that limit data sharing to the originating app.
- SDK Audits Becoming Standard Practice – Mobile security firms now provide “SDK compliance reports” to verify that third‑party libraries respect regional privacy laws.
- Potential Consolidation of Attribution Platforms – AppsFlyer announced an internal review in September 2025 aimed at separating “marketing attribution” from “user profiling” to avoid future regulatory scrutiny.
Key Takeaways for Marketers
- Obtain Separate, Granular Consent for any data that may be shared beyond the immediate app.
- Document Data Flows: Maintain a data‑processing register that maps every SDK’s input and output.
- Implement Data Minimization: Transfer only the identifiers strictly necessary for attribution; discard any additional user attributes.
- Conduct Regular GDPR Impact Assessments: Re‑evaluate cross‑app tracking practices whenever a new SDK version is released.
Future Outlook
- The EU is expected to the Digital Services Act (DSA) amendment on “cross‑platform data sharing” as early as 2026, imposing stricter reporting duties on companies like TikTok and attribution providers.
- Anticipated court precedents may solidify the requirement for “explicit, purpose‑specific consent” before any identifier can be utilized across multiple apps, fundamentally reshaping the mobile advertising ecosystem.