TikTok, Google, Amazon, Apple – millions of us interact with these tech giants everyday. Whether it's apps on our phones, listening to music through a smart speaker, or just browsing the web, these companies are a major part of our lives.
As a result, they may know more about you than your friends or family, and are trusted with huge quantities of our personal information. They know your address, your location, and even your shopping habits, but how good are they at keeping this information safe?
Breaches, fines, and legislation have highlighted issues around data privacy and have led to people looking to wrestle back control of their personal information. Using tools like the best VPNs and adopting effective privacy practices aid these endeavours, but can't do all the work.
This week is Data Privacy Week, and what better way to celebrate than by raising awareness of how tech companies use our data – we want to help inform people and see these companies challenged. In our quest to achieve this, we will look to analyse and compare the data privacy practices of Apple, Amazon, Google, and TikTok.
What do the companies say?
Apple
Publicly, all the companies claim to care about, and protect, your personal information. Apple's privacy policy says it strongly believes in "fundamental privacy rights" and treats "any data that relates to an identified or identifiable individual or that is linked or linkable to them by Apple as personal data."
Apple says it only uses your personal data when it has "the valid legal basis to do so" and "retains personal data only for so long as necessary to fulfil the purposes for which it was collected."
Data Apple collects includes information you provide, as well as collecting it from third-parties. It is also shared with third-parties, but says, in both cases, this is "at your direction."
Device and personal information is recorded, alongside usage data and payment information. Due to the array of services Apple offers, health data, fitness information, and government ID data are also collected.
Apple states that "you are not required to provide the personal data that we have requested. However, if you choose not to do so, in many cases we will not be able to provide you with our products or services or respond to requests you may have."
Amazon
Amazon details how it shows us personalized ads and what cookie options are available. Amazon states how it is "not in the business of selling our customers' personal data to others." But it does say in some instances Amazon "may share your personal information with third-parties."
As well as the information you provide, Amazon collects personal information automatically when you interact with its website, products, and services. Its privacy policy also states that information is collected "through other sources."
When it comes to protecting your personal information, Amazon says it maintains "physical, electronic, and procedural safeguards for the collection, storage, and disclosure of personal information."
With Amazon being an online shopping portal and streaming service, you're required to enter a large amount of personal information. This includes home address, phone number, credit card numbers, and email addresses. Unfortunately, there isn't really a way to access Amazon's services without entering this information.
However, if you are concerned but still want to use its services, you don't always have to store a credit card on your account. You can delete your card information after purchasing an item – although you will have to re-enter it each time you want to buy something.
Google's privacy policy is a mammoth document, something unsurprising for a company of its size. Google clearly wants us to know our privacy is "protected by responsible data practices" – it's the first thing you see on the page.
It claims to limit the personal information that is used and saved and has a strict policy of never selling your personal information to anyone.
Google uses your information and online activity to show you ads it thinks are relevant to you, but says it never sells your personal data to advertisers. Personalized ads can be turned off in "My Ad Centre."
However, Google can track individuals across multiple devices, creating a detailed profile of preferences, interests, and activity, and allowing it to target ads. Google has access to your IP address and as something that cannot be disabled, this poses a significant data privacy risk.
Whilst Google claims it doesn't sell your data to third-parties, they can still access it. Google has a number of partnerships and agreements with third-parties that allow the accessing and sharing of data.
It goes on to say that personal information is shared with affiliates and other "trusted businesses or persons" for processing reasons. As well as this, Google states it allows these trusted partners to "use cookies or similar technologies for advertising and research purposes on our services."
Whilst it does collect large amounts of personal information, Google does provide you with an element of control and customization. You can deny app access to your location, limit browsing history, and have your activity data auto-deleted, as well as utilising Incognito mode.
TikTok
TikTok appears to be one of the worst offending tech companies when it comes to data privacy.
Research from data removal service, Incogni, found that TikTok was one of the worst social media apps for privacy. Its Social Media Privacy Ranking 2024 marked TikTok as the fifth worst app – although X (formerly Twitter) and Meta's Facebook, Facebook Messenger, and Instagram ranked worse.
TikTok's privacy policy states it collects profile information such as date of birth, email address, and phone number. It processes the content you generate on the app, including videos and photos you upload and create. Message information is collected, as well as purchase information.
If you choose to sync your phone and social network contacts, that will be accessed by TikTok. All the information mentioned here is collected by TikTok because you, as a user, provide it.
Automatically collected information goes a lot further and includes how you engage with TikTok – this covers what you watch, like, comment on, and search. TikTok collects a large quantity of overly invasive technical information. Examples of this include, but are not limited to, IP address, mobile carrier, device model, network type, device IDs, operating system.
TikTok admits it will be able to "use your profile information to identify your activity across devices" when you log-in on multiple devices. Information about your approximate location is collected through your SIM card and/or IP address, and, when permitted, precise location data is collected.
If you link your TikTok account to other third-party apps, including Facebook or Instagram, your information will be shared with these companies. Your information is also shared with business partners, service providers, and advertisers.
TikTok claims to ensure your information is treated securely but by its own admission it says the "transmission of information via the internet is not completely secure." It says it takes "reasonable measures to protect your personal data" but "cannot guarantee the security of your information transmitted via the Platform [TikTok]." It goes on to say that "any transmission is at your own risk."
This is a worrying statement and should be seen as a major red flag for any user of TikTok and those concerned with the security of their personal information.
What fines have been issued?
All four companies rely on your personal data to make their business models work, and they simply won't survive without it.
Despite what they say and include in their privacy policies, they are not data privacy angels and your personal information is still at risk.
General Data Protection Regulation (GDPR) was introduced by the European Union in 2018. It was seen as a positive move in the fight for data privacy, but critics argue there are gaps that can be exploited and pose challenges to privacy rights.
Legislation like this is not available in the US, with data privacy laws differing between states. Leading VPN provider Private Internet Access (PIA) ranked all US states according to their data privacy laws in 2023.
Apple, Amazon, Google, and TikTok have all been the subject of multi million dollar fines for violating individual's privacy and GDPR. Covering every fine issued to the companies will take a long time and therefore a selection will be highlighted.
Apple
Apple's most recent privacy lawsuit relates to its voice-assistant Siri being accused of listening to people without consent. The company has just agreed to a settlement of $95 million to resolve the case.
Siri was accused of recording people's conversations without their consent and when they hadn't activated Siri by saying "Hey Siri." Plaintiffs reported receiving adverts for products and restaurants discussed, as well as medical procedures.
The case was not the first Apple fought and it clearly demonstrates how settlements like this mean nothing for data privacy.
In 2023, Apple was fined $8 million for privacy violations involving French iPhone users. It was found Apple didn't obtain their consent "before depositing and/or writing identifiers used for advertising purposes on their terminals."
Data from Proton VPN found that in 2024 Apple received over $2.1 billion in fines, not just for privacy related lawsuits. In 2023, the figure was $186.4 million, and in 2022, it was $457 million.
Amazon
In 2021, Amazon was hit with the second largest GDPR fine to date as Luxembourg's National Commission for Data Protection fined them €746 million. The case related to infringements regarding Amazon's advertising targeting system, which was carried out without proper consent.
It isn't just in Europe where Amazon has been targeted. In 2023, the US Federal Trade Commission (FTC) fined the company $25 million for violating children's privacy law. Children's voice recordings were stored on its Alexa smart speaker for years and deceived parents about data deletion practices.
Proton VPN reported that in 2024 Amazon was fined $57.4 million, $111.7 million in 2023, and potentially up to $1 billion in 2022, for various foul practices.
Google has faced several data privacy lawsuits in recent years. The FTC charged Google for misleading users of Apple's Safari browser when it came to not placing tracking cookies or targeted ads on them. The 2012 case resulted in a fine of $22.5 million for the tech giant.
The FTC also alleged Google and YouTube violated children's privacy law in 2019 for collecting children's data without parental consent – this saw a much larger fine of $170 million.
In 2021, France fined Google €90 million for making cookies significantly harder to reject than accept. Google is currently facing a similar lawsuit to Apple and Siri as they are accused of collecting data from smartphones, even when tracking was disabled.
According to Proton VPN, Google's fines in 2024 totalled $2.97 billion, although not all concerned data privacy. The number in 2023 was $941 million, and $1.03 billion in 2022.
TikTok
Despite being the youngest company on this list, TikTok has racked up millions of dollars in fines.
In 2021, it agreed to pay $92 million to settle a lawsuit alleging it wrongly collected users' biometric information and private data, then disclosing it to third-parties.
It was fined $345 million, the fifth largest ever GDPR fine, by Ireland in 2023 for failing to protect children's data from public visibility. Lessons were not learned, as in August 2024 the US Department of Justice filed a lawsuit against TikTok relating to children's privacy. The company was accused of unlawfully collecting children's data and failing to respond when parents attempted to delete accounts.
The expert opinion
These collections of fines are just a snapshot of cases brought against these big tech companies and highlight sinister data privacy practices, as well as blatant disregard for GDPR rules and individual protections.
Commenting on the relationship between tech companies and data privacy Jurgita Miseviciute, Head of Public Policy at Proton, said: "Privacy and competition are two sides of the same coin. Big Tech profits off people's most valuable asset – their personal data – by offering 'free' services in exchange. And with the rise of AI, the stakes are higher than ever."
"This exploitative business model benefits no one but Big Tech and erodes both privacy and choice. But why would they care about a fine for wrongdoings that are the equivalent to a parking fine for you or I? It's time regulators started speaking big tech's language. You don't prevent a bank robbery by arming guards with a feather."
Big tech profits off people's most valuable asset – their personal data
"We need to create an environment where tech companies, no matter where they are founded, can thrive and not be hindered by the biggest players in the market, and strong competition legislation – enforcement – is vital for this. Fines may not be enough – Big Tech needs to end their anticompetitive practices.”
In 2023, NordVPN published a study detailing how long it takes to read the privacy policies of the most visited websites in the US. At 19,434 words, Meta's policies for Facebook and Instagram had the longest policies and took nearly 82 minutes to read.
“Even though we keep reminding users to read the privacy policy, one in three Americans still doesn’t look at any legal information online. However, this is understandable. We would need to spend a quarter of a month visiting the privacy policy pages of websites we need. A minimum-wage worker in the US would earn around $338.14 during that time,” says Adrianus Warmenhoven, a cybersecurity expert at NordVPN.
“On the other hand, reading a privacy policy is as important as having one. That is why companies should work hard to make their privacy policies short and easy to understand, while still keeping their privacy practices transparent. Meanwhile, users should choose trusted websites and know what to look for.”
"To protect their data, individuals can take proactive steps such as using privacy tools to encrypt internet traffic, opting out of data sharing where possible, and limiting app permissions. Staying informed about privacy policies and updates is also crucial."
"Ultimately, a comprehensive regulatory framework is needed to ensure consistent protection across the board. While companies like Google and Facebook have faced significant fines for violating data privacy laws, it's essential for consumers to remain vigilant and take control of their personal data."
Can you protect your personal data?
You may feel like David standing in front of Goliath when it comes to data privacy, and feel like there's nothing you can do – but there are always options. While changing the landscape of data privacy will be a huge undertaking, there are steps you can take in the short-term to secure your personal data.
Reading privacy policies is vital. You need to know what you're consenting to and what data you're handing over, and you should only consent if you're 100% happy. Always opt-out and reject everything you can and, where possible, take steps to find and remove data companies have on you.
Using a VPN on all your devices is another great way of protecting your privacy. VPNs encrypt your internet traffic and mask your IP address, keeping it safe from third-parties. Many VPNs come with additional features such as ad blockers and threat protection, keeping you safe from trackers and cookies. Almost all the providers on our best VPN list have no-logs policies, which mean they don't keep records of your data or browsing activity.
Beyond VPNs, using tools like the best encrypted messaging apps, private search engines, and encrypted mail services all help form an arsenal of secure tech that'll help keep your information private.
If you are worried what personal information is out there, data removal services, such as Incogni, can help. They contact data brokers and send them data removal requests for your information. ExpressVPN, one of the best VPN for beginners, includes data removal as part of its Identity Defender suite. NordVPN also includes data removal as part of NordProtect which is included in its premium plans.
Continue the fight for data privacy
Clearly fines will not deter big tech companies and despite what they say, they do not care about your data privacy except when it's used to make money.
All companies here, and more, have been the subject of data privacy lawsuits and should not be trusted with our data. Who is worse depends on the apps and services you use and how comfortable you are with handing over different types of data.
Raising awareness of data privacy practices and adopting tools such as VPNs is vital, and a strong foundation to begin a wider effort to change the landscape of data privacy.
Disclaimer
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
