Ky. AG Sues Temu For 'Stealing' User Data

By Elliot Weld

Law360 (July 21, 2025, 8:04 PM EDT) -- Kentucky Attorney General Russell Coleman has brought a lawsuit in state court against Chinese bargain-shopping app Temu, accusing it of illegally "stealing" customer data without their knowledge and allowing the Chinese Communist Party to access the information.

In a complaint filed Thursday, the state attorney general's office asserted violations of the Kentucky Consumer Protection Act and Kentucky common law, and said it would seek an injunction on data collection.

"Temu's cheap products and flashy marketing hide real danger," Coleman said in a statement Thursday. "Their platform can infect Kentuckians' devices with malware, steal their personal data and send it directly to the Chinese government. At the same time, they're eroding trust in some of Kentucky's most iconic brands, which could lead to job losses and hardship."

According to the court filing, an investigation had revealed "threats to Kentuckians' privacy and security due to code-level behaviors in the Temu app," and that those behaviors were designed to evade detection.The app uses multiple layers of encryption and other processes to shield itself from forensic searches, and it uses code to "sniff out" potential forensic tools, the suit says.

"The app even goes so far as to edit its own code once it has been downloaded to a consumer's phone, potentially allowing it to exploit user's [personal identifiable information] and other data, or to otherwise control the consumer's device, in unknown and unknowable ways," the complaint read.

Furthermore, it collects an "alarming" amount of personal identifiable information that is beyond what is needed for an ordinary online shipping business, the attorney general's office said, adding that Temu can also collect a user's GPS information, lists of other apps installed on a device, and the cellular data and Wi-Fi networks to which the user's phone is connected.

Kentucky alleged Temu acknowledges that part of its operations are located in mainland China, where cybersecurity laws allow the government "unfettered access" to data owned by Chinese businesses. Nebraska Attorney General Mike Hilgers made similar allegations in a suit filed in Nebraska state court last month, saying Temu was unlawfully gathering information from minors and using secretly installed malware on consumer devices.

A spokesperson for Temu said in a statement Monday that Coleman's allegations were unfounded and based on misinformation circulated online. The spokesperson said the company categorically denies the allegations and "will defend ourselves vigorously."

"We understand that as a new company with an innovative supply chain model — one that begins by bringing the global supply chain directly to the end consumer — some may misunderstand us at first glance and not welcome us," according to the statement. "We are here for the long term and are eagerly listening and improving. We believe that scrutiny will ultimately benefit our development. We are confident that our actions and contributions to the community will speak for themselves over time."

The state is represented by Russell Coleman, J. Christian Lewis, Stephen Humphress, and Lyndsey Antos of the Kentucky Attorney General's Office; Brian McMath and Brian Moore of Nachawati Law Group; and David Slade of Wade Kilpela Slade LLP. Counsel information for the company was not immediately available.

The case is Commonwealth of Kentucky v. PDD Holdings Inc. et al., case number 25-CI-00232 in the Woodford Circuit Court.

--Editing by Covey Son.

< Older Post

Newer Post >