More Data Privacy Issues Uncovered by Latest Temu Lawsuit  

The Arkansas Attorney General is suing Chinese e-commerce giant Temu. AG Tim Griffin claims the online shopping app violates the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act (PIPA) with their questionable data collection practices. Temu’s parent companies PDD Holdings Inc. and WhaleCo Inc. are the defendants in the lawsuit. 

“Temu is not an online marketplace like Amazon or Walmart. It is a data-theft business that sells goods online as a means to an end,” Griffin said in a statement. “Though it is known as an e-commerce platform, Temu is functionally malware and spyware.” 

The lawsuit claims that “Temu is purposefully designed to gain unrestricted access to a user’s phone operating system, including, but not limited to, a user’s camera, specific location, contacts, text messages, documents, and other applications. Temu is designed to make this expansive access undetected, even by sophisticated users. Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place. Even users without the Temu app are subject to Temu ‘s gross overreach if any of their information is on the phone of a Temu user. Temu monetizes this unauthorized collection of data by selling it to third parties, profiting at the direct expense of Arkansans’ privacy rights.” 

The state is demanding a trial by jury. The lawsuit is requesting $10,000 for each ADTPA violation and a preliminary and permanent injunction prohibiting Temu’s parent companies from acquiring personal information of Arkansas residents. 

PIPA requires organizations that collect personal information use reasonable security procedures and practices to protect that data. The personal information covered under the law includes social security numbers, driver’s license numbers, account numbers, and medical records. In the event of a breach, the law requires organizations to notify the affected individuals promptly. 

The Arkansas Attorney General is not the first to take action against Temu for privacy and security concerns. In November 2023, seven consumers filed a class action lawsuit in Illinois. The lawsuit alleged that Temu failed to secure personal data and enabled hackers to steal personal and financial data from the plaintiffs. The Illinois lawsuit also alleges that Temu uses its in-app browser to secretly and invasively collect massive amounts of extremely private information and data about its users by tracking their activity on third-party websites. 

In 2023, Temu was the most downloaded app in the U.S. 

Businesses that sell goods and services online must have policies and procedures to protect the personal data they collect for both legal and ethical reasons. They also need to provide customers with a privacy notice that details what data is being collected and how it will be used.  

CompliancePoint has a team of privacy and cybersecurity professionals. We can help you design and implement security and privacy programs that comply with all applicable state, federal, and international regulations, including the GDPR and all state privacy laws. Contact us at connect@compliancepoint.com to learn more about our services.