Data collection concerns highlighted in class-action lawsuit filed against Chinese platform Temu

“Somebody is paying the price,” one expert says.

With splashes of orange accompanied by an upbeat jingle, Temu’s Super Bowl ads garnered a lot of attention this season. Temu—housed under Boston-based Whaleco and owned by PDD Holdings—spent millions of dollars on six ads, Bloomberg reported in February.

But the Chinese ecommerce site, which uses the tagline, “Shop like a billionaire,” has attracted criticism since its 2022 launch. The House Select Committee on the Chinese Communist Party indicated last year there was a high chance Temu—among other companies like Nike, Adidas, and Shein—could be using Uyghur forced labor in their supply chains.

“You have an entity that has exploded out of nowhere, with a business model that doesn’t make sense, with very little transparency and visibility,” Ram Ben Tzion, the CEO of Ultra Information Solutions, a regulation and digital vetting company headquartered in Tel Aviv, Israel, told IT Brew, noting that they’ve uncovered a range of products that aren’t allowed in the US market because they are likely sourced from Xinjiang, “where there is a suspicion of forced labor.”

Separately, a class-action lawsuit in Illinois accused Whaleco of “subjecting new users’ data to unlawful collection,” while another in New York accused the company of failing to abide by industry standards to keep customers’ data safe.

“Through their clandestine tracking activities, Defendants have violated wiretap laws, unlawfully intruded upon users’ privacy, violated their rights of privacy, and unjustly profited from their unlawful activities,” court documents allege.

Temu, however, denies the claims. “We categorically deny the allegations in both lawsuits and intend to vigorously defend ourselves against these meritless lawsuits,” a spokesperson for Temu said in a statement. “The complaints are essentially taken from a short-seller report by Grizzly Research, which has stated clearly that its reports are not based on statements of fact.”

What does the app collect?

In its privacy policy, Temu states it collects users’ phone numbers, email addresses, device info, operating system info, unique identifiers for advertising, approximate location data (such as IP addresses), and more. The company also collects information from third-party sources, such as data providers, affiliates, US government agencies and public records, and other third-party services.

We reached out to Temu, and a spokesperson for 5WPR, speaking on behalf of the company, was unwilling to be quoted on the record.

“I think there’s a difference between publicly stating, ‘Here’s what we collect,’ versus ‘Here’s all the ways we’ve hooked in deep into the operating system of your phone and things that we could do beyond what’s stated in our privacy policy,’” Mike Thompson, a security architect manager at Varonis, a New York City software company, said.

Speaking on the security side of Temu, Thompson said, despite not having evidence of any exploits, the app still raises “a lot of red flags—much more than you would expect.”

Compared to Amazon, Temu actually appears to collect less data, he said. “But what are you doing with that data? How you are collecting it is important, as is the actual ability for you to adhere to your policy.”

Tzion says all of these things—from privacy and security concerns to IP claims—come with a price.

“Somebody is paying a price. The consumer [pays] a great price, because their data is taken and can be abused for various purposes,” he said. “If you're sourcing from a company that is violating brand IP rights, then obviously, somebody's paying the price.”

Temu received the Mobile Application Security Assessment (MASA) certification this month from DEKRA, a Berlin-based and Google-authorized independent provider of testing, inspection, and certification. Receiving MASA certification from DEKRA involves “a detailed examination of an app’s data handling, encryption practices, authentication mechanisms, and compliance with industry-standard privacy protections,” according to ITSecurityWire.

Correction 04/04/24: This article was previously published with a quote from an unnamed spokesperson from Temu, which has since been updated.
