Temu’s Data Collection Practices

Arizona Attorney General Kris Mayes is suing Temu, a large online marketplace founded in 2022.  According to a 02 December 2025 press release, Temu violated the Arizona Consumer Fraud Act through "unlawful data collection, violations of customers' privacy, and counterfeiting some of Arizona's most iconic brands."  Temu is best known for allowing primarily Chinese sellers to sell products directly to Western consumers, including those in the US.  Mayes accused Temu of harvesting sensitive user data without their knowledge or consent.  "Temu allegedly collects an alarming amount of sensitive user data and personally identifiable information (PII) that goes far beyond what is necessary for a typical online shopping app," read the AG's release.  "According to the lawsuit, the app secretly infiltrates users' devices to access and harvest sensitive information, including the user's precise physical location, the phone's microphone and camera, and the user's private activity on other apps installed on the phone, all without their knowledge or consent."[1]

A Temu spokesperson shared a statement with Dark Reading denying the claims of the lawsuit.  "Temu denies the allegations in the lawsuit and will defend itself vigorously.  We help consumers and families access quality products at affordable prices," the spokesperson says.  "By providing another route to market, we return power and choice to local players, small and medium-sized businesses, and consumers.  We remain focused on delivering tangible savings to consumers and creating value for sellers."

The complaint claims that because Temu is owned by PDD Holdings, a Chinese company (albeit one that moved its headquarters to Ireland in 2023) that operates multiple Chinese ecommerce businesses including Pinduoduo, it is beholden to Chinese law mandating that businesses share information with the Chinese government's intelligence apparatus, that is, the Chinese Communist Party (CCP).  Though it is unclear what PII has been taken or shared with the Chinese government, it is true that China's National Security Law compels local companies to share data, including sensitive data, with the country.  And beyond its own citizens and companies, China has a robust cyber-espionage operation targeting sectors and nations around the world.

The complaint further alleges that, based on a review of the app's code, Temu is designed to evade front-end security review and shield processes from forensic inspection.  "A review of the Temu app's code shows that it is purposely designed to evade front-end security review.  The app applies multiple layers of encryption to its various processes, in an effort to shield itself from forensic review," the lawsuit read.  "It also uses code to 'sniff out' potential forensic tools or settings to determine whether it is being examined by a third party reviewer.  The app is even able to go so far as to edit its own code once it has been downloaded to a consumer's phone, potentially allowing it to exploit user's PII and other data, or to otherwise control the consumer's device, in unknown and unknowable ways."  This is not the first time Temu has faced a major lawsuit.  Temu was accused of similar practices in class action lawsuits filed in 2023 and 2025.  Like previous lawsuits, Arizona's complaint argues Temu's app has "multiple hallmarks of spyware and malware."  Temu has rejected the claims of all three lawsuits.

As a result of these accusations and others (such as anti-consumer practices and intellectual property theft), Arizona seeks a permanent injunction against Temu from acquiring, maintaining, and using citizen PII.  In addition to this and other demands, Arizona seeks civil penalties and "all other available relief allowed by law."

Apps taking wide swaths of user data is nothing new, and in fact, user data harvesting and brokering has gotten so aggressive over the years that lawmakers have had to pass whole new laws to limit grosser abuses of consumer data.  Misuse takes multiple forms; for example, Reddit sued Anthropic this year for allegedly scraping the former's message board data without permission to train the latter's Claude AI assistant. The social media company recently sued AI vendor Perplexity over similar claims.

Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals (IAPP), tells Dark Reading that Arizona is the fourth state to sue Temu, "showing there is bipartisan scrutiny over the app's privacy, marketing, and retail practices.  For states like Arizona that lack a comprehensive consumer privacy law, general consumer protection principles apply to retailers' privacy practices," he says. "Although this is not always thought about the same way in every state, companies are generally expected not to collect information beyond what is reasonable for the service they are providing, unless they clearly disclose unexpected data collection and use to the consumer.  You can see this reflected in the language the Arizona AG uses about the allegedly alarming amount of sensitive data Temu collects that it is beyond what would be necessary in the ordinary course of business for an online shopping app."

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.darkreading.com/application-security/arizona-ag-temu-stealing-user-data
