TikTok fingered for tracking user on his Grindr account
TikTok stands accused of not only tracking its users while they are using the TikTok app itself, but it is also following users when they leave the app, after one man discovered that the Chinese-owned tech giant had tracked his usage of gay dating app Grindr on his smartphone.
And that is not all; in addition to tracking users across the digital space, TikTok also refuses to provide users with a copy of all of their personal data in direct breach of GDPR.
The user only found out about this unlawful tracking practice through a data subject access request that showed his usage of Grindr was sent to TikTok, likely via the Israeli tracking company AppsFlyer.
The process allows TikTok to draw conclusions about the user’s sexual orientation and sex life; specially protected data under Article 9 of GDPR, which can only be processed in exceptional cases.
TikTok initially even withheld this information from the user, which is also a violation of GDPR (Article 15). Only after repeated inquiries, TikTok revealed that it knows which apps he used, what he did within these apps (for example adding a product to the shopping cart) – and that this data also included information about his Grindr account.
The move has prompted the Max Schrems-backed privacy organisation, Noyb, to file two complaints against TikTok and its data-sharing partners AppsFlyer and Grindr.
Noyb data protection lawyer Kleanthi Sardeli said: “Like many of its US counterparts, TikTok increasingly collects data from other apps and sources. This allows the Chinese app to gain a full picture of people’s online activity. The fact that data from another app revealed this user’s sexual orientation and sex life is just one of the more extreme examples.”
TikTok was only able to receive this information with the help of AppsFlyer and Grindr. Noyb claims that AppsFlyer most likely functions as an intermediary, receiving the sensitive data about from Grindr and then passing it on to TikTok.
However, Noyb argues that neither business has a valid legal basis under Article 6(1) of GDPR to share the complainant’s personal data with third parties. And they most certainly do not have any valid reason to share his sensitive data under Article 9(1) GDPR. At no point in time did the complainant consent to the sharing of his data.
Users should generally be informed about the recipients of personal data and even get a copy of said data. However, Noyb maintains that TikTok violated the user’s right to get such a copy.
TikTok refers its users to a “download tool”, but has now admitted this tool only holds what it deems the most “relevant” data – and by far not all personal data. Even after repeated inquiries to add the missing information, TikTok did not provide information about which data is being processed and for what purpose. By doing so, it is claimed that TikTok clearly violates Articles 12 and 15 of GDPR, which require companies to provide the information in full and in an easily understandable format.
The complaints have been filed in Austria and call on the regulator to impose an “effective, proportionate and dissuasive” fine under Article 83 of GDPR to prevent similar violations in the future.
Related storiesTikTok back in the dock over data transfers to ChinaRound 1 to ICO as TikTok opens £12.7m penalty appealTikTok whacked once again as privacy fines near €1bnThree-pronged probe into abuse of children’s privacyTikTok beefs up parental controls and ties with adlandTikTok insists ‘we’ve changed’ following €345m EU fineTikTok whacked with £12.7m fine for UK privacy failings
