Privacy experts are sounding the alarm over Temu, a popular application for shoppers looking to shop direct from overseas manufacturers. Here's what you should know.
Temu, a popular marketplace where consumers can buy direct from factories overseas at cheap prices, is drawing concerns from lawyers and privacy experts in North America who allege the shopping app can be “invasive” for unwitting users.
Temu is currently the subject of two proposed class-action lawsuits filed last year in district courts in New York and Illinois, which have not been certified. A third class action was filed in Quebec in March.
Many Canadians might first have been exposed to Temu during the Super Bowl this year or last, where the company took out multiple ads encouraging viewers to “shop like a billionaire.”
The app and online storefront sell cheap clothing, electronics, furniture and more from overseas manufacturers based largely in China. Temu’s website says the company was founded in Boston in 2022, but it’s a subsidiary of Shanghai-based PDD Holdings, a multinational commerce group established in 2015 in China.
PDD Holdings on Wednesday became the largest e-commerce player in China by market valuation, topping rival giant Alibaba, according to a CNBC report citing LSEG data.
The allegations about Temu’s deep reach into user data come as governments in both Canada and the United States grapple with privacy concerns around apps like TikTok, another Chinese-owned platform.
Temu has also earned comparisons to China’s ultra-fast-fashion giant Shein among industry observers for its factory-to-consumer business model.
As of May 31, Temu is the top free app on the Apple App Store and Google Play Store in Canada.
Class-action lawsuits filed in U.S., Quebec
Temu is currently the subject of two proposed class-action lawsuits filed last year in district courts in New York and Illinois.
A third class action was filed in Quebec in March, but is not yet certified and is reserved to residents of the province.
All suits filed cite various privacy complaints among users of the Temu app.
Jeff Orenstein, lawyer at the Consumer Law Group that filed the Quebec suit, says the permissions the Temu app asks for when you download it do not adequately detail how “invasive” the program can be.
The Consumer Law Group’s class-action complaint alleges that Temu’s app can access data via your phone’s camera, photos, messages, contacts and other apps.
“Some of the things that were picked up that the app is looking at are things that really have nothing to do with the functionality of the app,” he tells Global News.
Consumer Law Group alleges that these privacy violations are intentional on Temu’s part. The firm is seeking damages for violating individuals’ charter-protected rights to privacy and an injunction to prevent the app from taking the data in Quebec.
In response to these claims, a Temu spokesperson told Global News the app collects “the minimum information necessary” to deliver its services.
“We categorically deny the allegations in these lawsuits and intend to vigorously defend ourselves against them,” an emailed statement read.
Temu denies overreach
The spokesperson pointed Global News to the “permissions” section of the Temu website, which claims that access to contacts, calendars, microphones and Bluetooth are not requested via the app.
Temu says the camera may be used on iOS devices when using pictures to leave reviews or search via image for a product. Temu does not request full permissions to a smartphone’s photos app, the website says, but can use a device’s “built-in image picker” – an interface that allows users to choose from pictures on their device in-app – without giving complete access to the photo archive.
Temu also does not ask for location access in “most countries,” including Canada, according to the disclaimer. The listed exception is the Middle East, where Temu says location data helps users fill in shipping addresses.
Orenstein says much of the Consumer Law Group suit is based on a September 2023 report from Grizzly Research, a U.S.-based firm that identifies short-selling opportunities on equity markets.
Grizzly lambasted Temu as “the most dangerous app in wide circulation” in a report on its parent company, PDD Holdings.
Security issues in the Temu app amount to “spyware,” the report published last September argues. It claimed that the reach of the app goes far beyond what’s listed upfront in the company’s privacy policy, with the potential to access more of a phone’s file system than a user intended.
The Grizzly report is based on publicly available information and the firm says it engaged a team of unnamed cyber experts to back up its warnings. Grizzly said it stands by its research but also includes a disclaimer that the report is opinion only and should not be treated as a “statement of fact.”
In an email to Global News, Temu also denied allegations that its application amounts to spyware and dismissed the Grizzly report as unfactual. A spokesperson pointed to the app’s listings on Google’s Play Store and Apple’s App Store, which they said “rigorously screen apps for malware and spyware.”
Grizzly compares the app to TikTok, which has come under threat of ban in the U.S. unless its Chinese owners ByteDance Ltd. sell to an American firm, and is the subject of a national security review in Canada.
ByteDance has sued to prevent the U.S. ruling from coming into effect on Jan. 19, 2025, and has denied claims that TikTok poses a security risk.
The head of Canada’s national spy agency recently said TikTok is a “real threat” to users’ data security because of the app’s Chinese ties, a warning Prime Minister Justin Trudeau said Canadians ought to heed. TikTok has previously denied it provides data to the Chinese government in a statement to Global News.
But Temu is “demonstrably more dangerous than TikTok,” the Grizzly report argues, and should be removed from app stores as a result.
Global News reached out to both Apple and Google to ask whether Temu’s privacy policies satisfy their respective app stores and whether the platforms have taken action to address data security complaints. Neither company has responded with comment.
Why is this such a big deal?
Rob D’Ovidio, associate professor at Drexel University in Philadelphia, is one of the privacy experts sounding the alarm about Temu’s reach.
He says the risk from Temu is not necessarily in having access to a user’s most sensitive data, but to smaller tidbits that build up over time to build a profile of a shopper.
“You’ve got to start saying, buyer beware. You should look to an alternative marketplace,” he tells Global News.
Small pieces of information like purchases or a photo here and there might seem “innocent” to users, D’Ovidio says, “but when you combine multiple data elements, they start uncovering patterns of health, they start uncovering patterns of taste and likes and habits.”
"And that’s really where the concern here is. It’s not just a one-snapshot look at you. It’s a look over time,” he says.
The kinds of information collected via the Temu app is not unique to that marketplace, D’Ovidio says.