A privacy storm rippled through Europe’s digital policy landscape when None of Your Business (Noyb), a Vienna-based data rights advocacy group, filed formal complaints alleging that TikTok, Grindr, and the analytics firm AppsFlyer violated the European Union’s flagship privacy law, GDPR (Reuters, 2025).
What makes these filings striking is not just the defendants, but the nature of the data at stake: intimate details about a person’s online life, including activity on a dating app that reveals sexual orientation, something GDPR treats as special category data requiring explicit consent.
It all began when a TikTok user who requested their data under GDPR discovered that the platform held information suggesting it had received signals about Grindr activity: data the privacy group says was shared through app-level tracking across several services.
Noyb’s legal filings outline that TikTok itself acknowledged some of these cross-app data flows when pressed, while Grindr and AppsFlyer are accused of acting as intermediaries without a lawful basis under GDPR.
But Noyb didn’t stop at one filing. The second complaint targets TikTok specifically for allegedly withholding user information after repeated access requests: a key requirement under GDPR. Instead of supplying a complete dataset, the platform directed users toward a download tool that offered only partial information, potentially falling short of the law’s transparency obligations. This complaint argues that TikTok systematically fails to provide users with a full copy of the data held about them, a right enshrined in the GDPR’s access provisions.
Taken together, the complaints bring two core issues into sharp relief:
- Data sharing without explicit consent, especially when sensitive personal traits are revealed, and
- Opaque disclosure policies, which may deprive users of their right to understand what’s held about them.
That combination has privacy advocates watching closely and regulators paying attention.
This isn’t the first time TikTok has found itself under scrutiny. In late 2025, the company faced a €530 million fine from Irish data protection authorities for how it handled the data of European users, including transfers outside the EU and transparency shortfalls (EDPB, 2025). That earlier action signaled regulators were growing more assertive. Now, these complaints push the emphasis even further into what data can be shared and under what conditions, especially when it concerns privacy-sensitive information.
Grindr, too, has been in Europe’s data privacy spotlight before. In the UK, it has faced legal challenges over the alleged transmission of health-related data through analytics tools, feeding a broader global conversation about how so-called “benign” tracking mechanisms can become intrusive when tied to deeply personal profiles (BBC, 2025).
For years, GDPR debates centered on high-level principles such as consent and data minimization. With this complaint, those principles are being tested in real-world, high-stakes scenarios where personal data isn’t merely an abstract concept, but personal in the most literal sense.
European regulators and privacy advocates have been leaning into enforcement: Austria’s Supreme Court, for example, recently ruled that Meta’s data collection model violated European laws, forcing structural changes in how companies track users across services. This suggests that authorities are prepared to go beyond fines and toward behavior change in how platforms operate.
When a user interacts with multiple apps and those interactions are stitched together through third-party tracking, the result can be a profile that reveals far more than a user intends. Regulators around the world — from Europe to parts of Asia and the U.S. — are watching to see whether privacy laws will genuinely govern this behavior or remain aspirational.
Data rights are real only when they are accessible, enforceable, and grounded in actual practice. GDPR provided a legal framework. Now, enforcement actions like this are helping define what those rights mean in everyday digital life.