Temu, a popular marketplace where consumers can buy direct from factories overseas at cheap prices, is drawing concerns from lawyers and privacy experts who allege the shopping app can be “invasive” for unwitting users.
Temu is currently the subject of two proposed class-action lawsuits filed last year in district courts in New York and Illinois, which have not been certified. A third class action was filed in Quebec in March.
Many Canadians might first have been exposed to Temu during the Super Bowl this year or last, where the company took out multiple ads encouraging viewers to “shop like a billionaire.”
The app and online storefront sell cheap clothing, electronics, furniture and more from overseas manufacturers based largely in China. Temu’s website says the company was founded in Boston in 2022, but it’s a subsidiary of Shanghai-based PDD Holdings, a multinational commerce group established in 2015 in China.
PDD Holdings on Wednesday became the largest e-commerce player in China by market valuation, topping rival giant Alibaba, according to a CNBC report citing LSEG data.
The allegations about Temu’s deep reach into user data come as governments in both Canada and the United States grapple with privacy concerns around apps like TikTok, another Chinese-owned platform.
Temu has also earned comparisons to China’s ultra-fast-fashion giant Shein among industry observers for its factory-to-consumer business model.
As of May 31, Temu is the top free app on the Apple App Store and Google Play Store in Canada.
Class-action lawsuits filed in U.S., Quebec
Temu is currently the subject of two proposed class-action lawsuits filed last year in district courts in New York and Illinois.
A third class action was filed in Quebec in March, but is not yet certified and is reserved to residents of the province.
All suits filed cite various privacy complaints among users of the Temu app.
Jeff Orenstein, lawyer at the Consumer Law Group that filed the Quebec suit, says the permissions the Temu app asks for when you download it do not adequately detail how “invasive” the program can be.
The Consumer Law Group’s class-action complaint alleges that Temu’s app can access data via your phone’s camera, photos, messages, contacts and other apps.
“Some of the things that were picked up that the app is looking at are things that really have nothing to do with the functionality of the app,” he tells Global News.
Consumer Law Group alleges that these privacy violations are intentional on Temu’s part. The firm is seeking damages for violating individuals’ charter-protected rights to privacy and an injunction to prevent the app from taking the data in Quebec.
In response to these claims, a Temu spokesperson told Global News the app collects “the minimum information necessary” to deliver its services.
“We categorically deny the allegations in these lawsuits and intend to vigorously defend ourselves against them,” an emailed statement read.
Temu denies overreach
The spokesperson pointed Global News to the “permissions” section of the Temu website, which claims that access to contacts, calendars, microphones and Bluetooth are not requested via the app.
Temu says the camera may be used on iOS devices when using pictures to leave reviews or search via image for a product. Temu does not request full permissions to a smartphone’s photos app, the website says, but can use a device’s “built-in image picker” – an interface that allows users to choose from pictures on their device in-app – without giving complete access to the photo archive.
Temu also does not ask for location access in “most countries,” including Canada, according to the disclaimer. The listed exception is the Middle East, where Temu says location data helps users fill in shipping addresses.
Orenstein says much of the Consumer Law Group suit is based on a September 2023 report from Grizzly Research, a U.S.-based firm that identifies short-selling opportunities on equity markets.
Grizzly lambasted Temu as “the most dangerous app in wide circulation” in a report on its parent company, PDD Holdings.
Security issues in the Temu app amount to “spyware,” the report published last September argues. It claimed that the reach of the app goes far beyond what’s listed upfront in the company’s privacy policy, with the potential to access more of a phone’s file system than a user intended.
The Grizzly report is based on publicly available information and the firm says it engaged a team of unnamed cyber experts to back up its warnings. Grizzly said it stands by its research but also includes a disclaimer that the report is opinion only and should not be treated as a “statement of fact.”
In an email to Global News, Temu also denied allegations that its application amounts to spyware and dismissed the Grizzly report as unfactual. A spokesperson pointed to the app’s listings on Google’s Play Store and Apple’s App Store, which they said “rigorously screen apps for malware and spyware.”
Grizzly compares the app to TikTok, which has come under threat of ban in the U.S. unless its Chinese owners ByteDance Ltd. sell to an American firm, and is the subject of a national security review in Canada.
ByteDance has sued to prevent the U.S. ruling from coming into effect on Jan. 19, 2025, and has denied claims that TikTok poses a security risk.
The head of Canada’s national spy agency recently said TikTok is a “real threat” to users’ data security because of the app’s Chinese ties, a warning Prime Minister Justin Trudeau said Canadians ought to heed. TikTok has previously denied it provides data to the Chinese government in a statement to Global News.
But Temu is “demonstrably more dangerous than TikTok,” the Grizzly report argues, and should be removed from app stores as a result.
Global News reached out to both Apple and Google to ask whether Temu’s privacy policies satisfy their respective app stores and whether the platforms have taken action to address data security complaints. Neither company has responded with comment.
Why is this such a big deal?
Rob D’Ovidio, associate professor at Drexel University in Philadelphia, is one of the privacy experts sounding the alarm about Temu’s reach.
He says the risk from Temu is not necessarily in having access to a user’s most sensitive data, but to smaller tidbits that build up over time to build a profile of a shopper.
“You’ve got to start saying, buyer beware. You should look to an alternative marketplace,” he tells Global News.
Small pieces of information like purchases or a photo here and there might seem “innocent” to users, D’Ovidio says, “but when you combine multiple data elements, they start uncovering patterns of health, they start uncovering patterns of taste and likes and habits.”
“And that’s really where the concern here is. It’s not just a one-snapshot look at you. It’s a look over time,” he says.
The kinds of information collected via the Temu app is not unique to that marketplace, D’Ovidio says.
But the most acute concerns come from the company’s origins in China, where firms can be compelled to disclose information by the ruling Chinese Communist Party, he says. Temu’s privacy policy states the company may share information with its affiliates.
A company with direct links to China and the capacity to build a profile through a user’s personally identifiable data should “raise some alarms,” D’Ovidio argues.
Temu’s spokesperson told Global News that the company “has never provided user data to the Chinese government” and claimed it would not do so if asked.
But the rock-bottom prices offered via Temu should also raise red flags for shoppers, Orenstein argues.
If Temu is able to sell goods at very low prices, it suggests that the company is not primarily profiting off of its cheap clothes and electronics, he says. Instead, Orenstein suggests, the “very valuable” personal data a consumer provides is the trade-off where Temu can make its money, a claim also levied in the Grizzly report.
“There’s the expression that if you don’t know what the product is, you’re the product,” he says.
Temu’s spokesperson told Global News it only shares data with some third-party service providers in cases such as order fulfilment.
“We ensure that they have only access to personal information needed to perform their functions and services,” the statement said.
PDD Holdings does not disclose financial information specific to its Temu business unit. The company’s spokesperson said, however, that “external estimates of Temu’s losses are far from reality.”
Temu is able to offer such cheap prices because of its “efficient” supply chain that removes middlemen and streamlines transportation to cut down on warehousing and handling fees, according to the spokesperson.
‘You just lose all control’
Ann Cavoukian, director of the Global Privacy and Security by Design Centre and Ontario’s former three-term privacy commissioner, says users need to think about what they’re giving up in exchange for deals on apps like Temu.
“Shop like a billionaire. And what do you get in return? You have to ask that,” she says. “There’s obviously some benefit to the app in collecting all this personal information and on an ongoing basis.”
Canadians have “virtually no control” over their data in the face of applications that lead with convenience and affordability but put privacy and security in the backseat, Cavoukian says.
“They aren’t turning their minds to what happens with all the information that is obtained through this app … so much personally identifiable information that can easily get into the hands of unauthorized third parties,” she says. “And you just lose all control.”
Temu’s spokesperson told Global News that protecting privacy is a “core principle” for the marketplace.
“At Temu, we prioritize the protection of privacy and are transparent about our data practices,” the statement read.
Canada is not equipped with “sufficient” privacy laws, Cavoukian argues. Federally, the Personal Information Protection and Electronic Documents Act (PIPEDA) is more than 20 years old, and provincial legislation is also largely out of date, she argues.
Canada’s privacy commissioner is “aware of some concerns and media reports related to privacy issues and Temu,” but hasn’t personally investigated the matter, according to a statement provided to Global News.
What can you do to protect your privacy?
A spokesperson for the commissioner confirmed the office is responsible for overseeing compliance with PIPEDA, which sets the ground rules for how businesses – foreign or domestic – have to handle Canadians’ personal information.
The spokesperson said individuals “should always consider the potential risks related to how their information may be collected, used and disclosed by the platform or application,” adding that it’s important to ask why certain info is being requested.
A spokesperson for Innovation, Science and Economic Development Canada (ISED) told Global News that the government tabled Bill C-27 in 2022, which proposes to replace PIPEDA with the updated Consumer Privacy Protection Act (CPPA).
That bill, currently being studied by a House committee, proposes to enhance “individual control” over their own data, with powers to modify and request personal information be deleted, the spokesperson said.
It would also give the privacy commissioner powers to compel companies to change how they handle personal data and the ability to recommend penalties for transgressors. Recommended fines could be as high as three per cent of the company’s global revenue or $10 million, whichever is more.
These laws, if passed, would apply to companies headquartered outside of Canada, the spokesperson said.
D’Ovidio says that if a user is set on downloading the Temu app, to do so from a reputable platform like the Apple or Google app stores, which should provide some assurance that the particular version of the application has been vetted.
“We know that they have a process that they’re going to look through that app, look through that code, scrutinize it and tell the users what their privacy implications are,” he says.
But even those assurances aren’t enough for D’Ovidio. Global News asked him whether he would ever consider downloading the Temu app on his own devices.
“No, I wouldn’t,” he says.
“There are plenty of other shopping outlets and marketplace where the companies are parented in countries that really have a strong regard for end-user privacy.”