Temo Collects Data Beyond What's 'Necessary' for Shopping App: Class Action
Plaintiffs brought 12 claims against China-based PDD Holdings and Temu under various privacy, wiretapping and computer crimes laws in a Friday class action (docket 1:23-cv-15653) in U.S. District Court for Northern Illinois in Chicago. The suit names PDD Holdings, owner of Pinduoduo and Whaleco’s Temu, which is “directly controlled” by PDD.
The lawsuit alleges the Temu app is “purposefully and intentionally loaded with tools to execute virulent and dangerous malware and spyware activities on user devices” that have downloaded and installed the app. Temu “misled people about how it uses their data,” said the complaint. The Temu shopping app, which has been extensively promoted -- including in a Super Bowl commercial this year -- has been the most downloaded app in the U.S. since late 2023, with over 100 million U.S. users as of May, it said.
Temu’s privacy violations “are particularly concerning because Temu is a Chinese-owned company,” said the complaint. That means data collected from it “is ultimately available to individuals and entities in China" because under Chinese law, data possessed by, controlled by or accessible to individuals and entities in China "may be demanded by the government at any time"; that information isn’t adequately disclosed to Temu app users, it said. Montana, which has banned use of the China-based TikTok app for privacy concerns, also recently banned the Temu app from government devices “due to its significant concerns regarding the privacy of user data,” said the complaint.
PDD operates subsidiaries in China and has long maintained corporate headquarters in Shanghai, but “in an effort to obscure its connections to China,” the company recently said it was moving its “principal executive offices” to Dublin, said the complaint. Most of its business operations remain in China, it said.
Plaintiffs Debra Krystyn, Chicago; Nicole May, Santa Clarita, California; Tyana Daugherty, Los Angeles; Solaliz Hernandez, Sylmar, California; Margret Philie, Middleborough, Massachusetts; Vera Figlock, Taunton, Massachusetts; and Jehan Ziboukh, Richmond; all downloaded and used the Temu app, subjecting their personal and private data to misappropriation by the defendant, said the complaint.
Temu collects user data “beyond what is necessary for an online shopping app,” including biometric information and user data, the complaint said. Temu has “a complete arsenal of tools to exfiltrate virtually all the private data on a user’s device and perform nearly any malign action upon command trigger from a remote server,” it alleges, citing a Grizzly Research September report that says the app “gains access to ‘literally everything on your phone.’” That is particularly concerning, said the report, “given that biometric information such as facial characteristics, voiceprints, and fingerprints are immutable characteristics that can be misused by unscrupulous actors.”
The Temu app collects more information from users than is disclosed, said the complaint. Users aren’t able to “effectively consent to the collection of their data by the app,” since defendants have “misled users regarding the scope of the data collected from them and the ways in which their data is used,” it said. Temu is “particularly ‘dangerous’ because it ‘bypasses’ phone security systems to read a user’s private messages, make changes to the phone’s settings and track notifications,” said the complaint, citing a May article from International Business Times.
Apple recently concluded that the Temu app violated its privacy rules, said the complaint, citing Politico. Analysts have concluded that Temu uses inducement of low-cost Chinese-made goods “to lure users into unknowingly providing unwarranted and broad-ranging access to their private data in ways that are deceptive,” said the complaint.
Google pulled Temu’s precursor, the Pinduoduo app, from its Play Store “due to the presence of malware on the app that exploited vulnerabilities in Android operating systems,” the complaint said. According to one report, “Company insiders said the exploits were utilized to spy on users and competitors, allegedly to boost sales,” said a June report from Compass Intelligence. Pinduoduo “requested as many as 83 permissions, including access to biometrics, Bluetooth, and Wi-Fi network information,” it said. Temu, “not as aggressive in its data requests,” requests 24 permissions, such as access to Bluetooth and Wi-Fi network information that's still “a cause for concern,” it said.
Grizzly referenced analysts, including at Google, who believed Pinduoduo was “covertly collecting private and personal data from users without their knowledge and consent, including highly sensitive biometric data contained on users’ devices.” The collection wasn’t accidental; the functions were “intentionally built into the design of the app,” it said. PDD had a team of 100 programmers to “find and exploit OEM customizations of Android (installed on mainstream brands of low-priced smartphones), intending to exploit vulnerabilities audited less often than the mainline Android codebase,” it said. The Temu app development team includes 100 engineers who built the Pinduoduo app, it said.
Pinduoduo was reinstated on the Google Play store by “removing the ‘bad parts,’ some of which were identically utilized as components of the TEMU app, strongly indicating malicious intent,” the complaint said, citing Grizzly. “We strongly suspect that TEMU is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure,” it said.
“So in exchange for that super low, too-good-to-be-true price on some gadget, we warn you that TEMU is able to hack your phone from the moment you install the app, overriding the data privacy settings you think you have in place, as well as your intentions, helping itself to your contact list, your precise location, in some cases, control of your camera, screenshots of the apps running on your screen, and, depending on the permissions you may have given when you installed the app, your SMS text messages and other documents you may have on your phone,” Grizzly said.
The defendants have taken plaintiffs’ PII and made some or all of it available to individuals in China, including some under the control of the Chinese government, alleged the complaint. They have access to plaintiffs’ PII and content that can be used for “commercial advantage and other harmful purposes,” and they will “continue to profit" from the activities, it said. Plaintiffs have suffered loss of privacy and biometric information, and their mobile devices' "battery, memory, CPU and bandwidth” have “suffered injury,” it said. Plaintiffs did not authorize Temu to collect, store or use their biometric data, it said.
The plaintiffs claim violation of the Computer Fraud and Abuse Act; the Electronic Communications Privacy Act; the right to privacy under Massachusetts general laws; the Massachusetts Wiretap Act; Illinois’ Biometric Information Privacy Act; the California Unfair Competition and False Advertising laws; the California Comprehensive Data Access and Fraud Act; and the Virginia Computer Crimes Act, plus the right of privacy under the California Constitution, unjust enrichment and intrusion upon seclusion.
They seek damages suffered as a result of the alleged conduct including compensatory, statutory and punitive damages; restitution; disgorgement; pre- and post-judgment interest; and reasonable attorneys’ fees and legal costs. They also seek an injunction enjoining defendants from continuing conduct determined to be unlawful. Temu didn't comment.