Online shoppers find deals on the Temu app, but states say the trade-off is personal data
Who doesn’t look for a bargain?
But states are asking, “at what cost?”
Temu, an online retail platform offering low-cost goods, has based its business model on consumers’ interest in hunting down and grabbing bargains.
But critics say the Temu app is malware that steals personal data and gives the Chinese government access to it.
A growing number of states—including Arkansas, Kentucky and Nebraska —are pushing back against Temu’s business practices, filing lawsuits accusing Temu of violating state consumer protection laws and exposing their residents to a hostile foreign power.
Sharon R. Klein is co-chair of Blank Rome’s privacy, security and data protection practice and managing partner of the firm’s Irvine, California, office. Klein says the lawsuits against Temu reflect states’ increasing interest in fighting for consumer protection.
“States are saying that the goods that Temu sells are bright, shiny objects that convince people to give away their privacy because they want cheap fashion,” she says. “States are saying they won’t allow that.”
Klein adds that the “states are watching each other on this matter,” and that there would likely be more interest in pursuing Temu over the security of the app and deceptive practices.
In the past few years, legal experts say, states have upped their efforts through legislation and litigation to ensure the data protection and online safety of their residents. State legislatures, for example, are increasingly passing laws to better ensure the safety of children online. These new laws can include parental consent rules or requirements that companies design their products and services in a way that ensures children’s safety and doesn’t impermissibly share their personal data. (See “Private Interests,” August-September, page 30.)
And states have jumped into litigation against foreign companies, such as the social media platform TikTok, for data privacy violations, along with accusations that the app is designed to be addictive.
During President Joe Biden’s administration, the Justice Department warned that TikTok’s parent company could transfer sensitive information to the Chinese government.
In September, President Donald Trump signed an executive order approving a proposed agreement that would have TikTok’s U.S. application operated by a joint venture owned by a consortium of American investors.
“The messaging here is that states are equal to the federal government when it comes to protecting data,” Klein says.
Temu ‘swamp’
Temu is an app and retail website available in the U.S. and other countries and owned by PDD Holdings, a Chinese holding company. It is operated in the U.S. by Boston-based Whaleco Inc. and has become one of the most downloaded apps in the U.S., according to Sensor Tower, which analyzes data on the digital economy.
Temu did not return repeated requests for comment. But in 2024, the company responded to Arkansas’ lawsuit against it with a statement.
“We understand that as a new company with an innovative supply chain model, some may misunderstand us at first glance and not welcome us,” the statement said.
Like TikTok, Temu is battling litigation in the U.S. on multiple fronts. Consumers have gone after Temu with class action lawsuits that allege it violates consumer privacy rights and that it sent text messages to phone numbers on the U.S. do-not-call registry.
In September, the band Twenty One Pilots sued Temu, alleging it is selling counterfeit merchandise. The complaint accused Temu of being a “veritable swamp of infringing and otherwise illegal products.”
In the same month, the Federal Trade Commission and the Justice Department announced Temu would pay $2 million to settle allegations that it violated the INFORM Consumers Act of 2023, which mandates that online marketplaces disclose detailed seller information to buyers and provide clear reporting mechanisms for consumers. Temu was accused of failing to provide the information consumers needed to report any goods that were unsafe or fraudulent.
Donata Stroink-Skillrud, an attorney specializing in privacy and cybersecurity, is the president of Termageddon, which generates privacy policies for websites and applications and keeps them up to date. She also serves as co-chair of the ABA Science & Technology Law Section’s e-Privacy Committee.
Donata Stroink-Skillrud (Photo courtesy Donata Stroink-SkillrudThe FTC settlement is a start, but not enough to be a deterrent, Stroink-Skillrud says.
“We need actual enforcement, not slap-on-the-wrist fines,” she says, adding that a major issue is that Congress has failed to pass a comprehensive privacy law.
In the last four years, Congress has twice tried and failed to pass major privacy legislation. In 2022, the American Data Privacy and Protection Act, which would have established national privacy standards, never got to a floor vote. Two years later, a similar bill was introduced but failed to advance.
Without overarching comprehensive federal privacy laws, states have begun to fill the gap, Klein says. In 2018, California became the first state to enact comprehensive consumer privacy legislation. Its law went into effect in 2020. Since then, other states have followed, including Virginia and Colorado.
States step up
In August 2024, attorneys general from 21 states banded together to send a letter to PDD Holdings demanding answers about Temu’s data collection practices.
Arkansas was the first state to file a lawsuit against Temu in June 2024, accusing the company of purposefully designing the app “to gain unrestricted access” to consumers’ phones, including the camera, location, contacts and other specific data.
Once the Temu app is installed, the Arkansas suit alleges, it can go undetected while it changes itself and then overrides “the data privacy settings users believe they have in place.” The complaint, filed in state court, alleges violations of state law, including the Arkansas Deceptive Trade Practices Act and the Arkansas Personal Information Protection Act.
More recently, Nebraska filed a lawsuit against Temu in June 2025, followed by Kentucky. The lawsuits accuse Temu of violating state data protection laws.
“Temu’s cheap products and flashy marketing hide real danger,” Kentucky Attorney General Russell Coleman said in a press release announcing the state’s lawsuit against Temu. “Kentuckians need a strong defense against this aggression, and that’s exactly what the attorney general’s office intends to do.”
Stroink-Skillrud sees the Temu litigation as highlighting consumer obsession with “fast fashion and cheap products.” In addition to litigation, states should be concentrating on educating residents about how to protect their privacy.
The easiest way for consumers to avoid the possibility of Temu selling their private data is to break the cycle of addiction to “cheap stuff,” she says.
“If you think that something is too good to be true, it probably is,” she says
Write a letter to the editor, share a story tip or update, or report an error.
