Kentucky files lawsuit against Temu over data collection practices

Kentucky Attorney General files consumer protection lawsuit against Chinese e-commerce platform over alleged spyware capabilities.

Temu logo featured in Kentucky lawsuit over alleged data collection and consumer protection violations.

Attorney General Russell Coleman announced on July 17, 2025, that Kentucky has filed a lawsuit against Chinese e-commerce platform Temu for allegedly collecting and transferring user data without consent. The legal action, filed in Woodford Circuit Court, accuses Temu's parent company PDD Holdings Inc. and subsidiary Whaleco Inc. of violating the Kentucky Consumer Protection Act through deceptive data collection practices and unfair trade methods.

According to the legal filing, the state's forensic investigation revealed that "the Temu app is designed to collect sensitive user data without the user's knowledge or consent and is purposely designed so that it can evade detection of this type of data collection by third-party security researchers." The complaint details extensive code-level behaviors that collect personally identifiable information without disclosure to users.

Technical findings reveal sophisticated spyware capabilities

Kentucky's independent forensic analysis uncovered what the state characterizes as multiple hallmarks of spyware and malware within the Temu application. The investigation applied both static and dynamic analysis to the app over time, focusing on code functionality and operational behavior when used by account holders.

"Temu collects an alarming amount of sensitive user data (PII) that is well beyond what would be necessary in the ordinary course of business for an online shopping app," the complaint states. Specific data collection includes granular geolocation within 10 feet accuracy, complete lists of installed applications, all WiFi networks detected by devices, and extensive telephony information.

The state documented that Temu employs multiple layers of encryption beyond standard Transport Layer Security, making data transmission analysis extremely difficult. The app also contains code designed to detect forensic examination tools and can modify its behavior when under investigation.

Code overlap with previously banned Pinduoduo app

Forensic analysis revealed significant code overlap between Temu and the Pinduoduo app, which Google suspended from its Play Store in March 2023 after discovering malware. "Both Pinduoduo and Temu contain identical lines of code" in classes dealing with device identifier collection, file access, custom encryption, and app updates that bypass official app stores.

The complaint notes that "most of the members on this team were transferred to work at Temu" after Pinduoduo disbanded its 100-engineer team responsible for developing Android exploits. This team had been specifically tasked with identifying vulnerabilities in Android operating systems and incorporating them into applications.

Chinese law creates additional privacy risks

The lawsuit emphasizes geopolitical concerns regarding data access by Chinese authorities. PDD Holdings, despite relocating its executive offices to Dublin, maintains significant operations in China and remains subject to Chinese cybersecurity laws requiring cooperation with intelligence activities.

"Chinese law requires Chinese citizens, and individuals and entities in China to cooperate with national intelligence work undertaken by the Chinese government," the complaint states. China's National Intelligence Law requires all organizations and citizens to "cooperate with national intelligence efforts" and permits intelligence institutions to collect information and take control of communications tools.

The state argues that Kentucky user data collected by Temu is accessible to individuals and entities subject to Chinese law, creating national security implications beyond traditional privacy violations.

Marketing and consumer deception allegations

Beyond privacy violations, the lawsuit addresses traditional consumer protection issues including false reference pricing, charges for unordered goods, and intellectual property infringement. Kentucky documented numerous counterfeit products bearing protected trademarks from Kentucky brands including the University of Kentucky, University of Louisville, Buffalo Trace Distillery, and Churchill Downs.

The complaint alleges Temu employs "false reference pricing" by displaying inflated original prices alongside supposedly discounted current prices that in fact represent actual market value. Multiple Kentucky consumers reported receiving mysterious packages and unauthorized charges after making small initial purchases.

Industry impact and advertising dominance

Temu's sudden withdrawal from U.S. advertising in April 2025 highlighted the platform's massive advertising spend and market influence. Industry analysts had estimated Temu spent approximately $2 billion on Meta advertising in 2023 alone, making it the platform's largest advertising client.

The advertising pullback coincided with U.S. tariffs on Chinese imports rising to 125%, fundamentally undermining Temu's business model of heavily subsidized orders to capture market share despite operating losses. Within three days of halting Google Shopping ads, Temu's App Store ranking plummeted from consistent top-three positioning to 58th place.

This regulatory pressure reflects broader concerns about Chinese e-commerce platforms and their data practices. Montana previously banned the Temu app from government devices due to security threats, while Congress has initiated investigations into the platform's data collection procedures.

The Kentucky lawsuit carries significant implications for the digital advertising ecosystem, particularly regarding international e-commerce platforms and data privacy compliance. The case highlights how advertising strategies must align with state consumer protection laws and privacy regulations.

According to the filing, Temu's deceptive practices were specifically designed "to maximize the number of users who sign up to use the app, thereby maximizing the amount of data that Defendants can misappropriate." This connection between marketing tactics and privacy violations demonstrates the intersection of advertising regulation and data protection law.

The legal action seeks civil penalties up to $2,000 per willful violation of the Kentucky Consumer Protection Act, injunctive relief preventing further data collection from Kentucky residents, and disgorgement of profits from unlawful activities.

Minor data collection raises additional concerns

The complaint alleges Temu collected personal information from minors, including children under 13, without parental consent or adequate age verification procedures. Despite terms of service prohibiting use by children under 13, the lawsuit notes Temu actively markets to younger audiences through animated advertisements and product categories targeting children.

"Defendants possess actual knowledge that children under the age of 13 are on the Temu app—and indeed, Defendants actively seek out this audience," the filing states. Congressional investigations have specifically requested information about Temu's data collection practices regarding minors.

Timeline

  • March 21, 2023: Google suspends Pinduoduo app from Play Store for malware
  • Mid-2023: Apple suspends Temu app for misrepresentations about data access
  • February 2024: Temu airs first Super Bowl advertisement
  • April 9, 2025: Temu abruptly halts all U.S. Google Shopping advertising
  • July 17, 2025: Kentucky Attorney General Russell Coleman files lawsuit against Temu

Key terminology explained

Personally Identifiable Information (PII): The lawsuit centers on Temu's alleged collection of sensitive personally identifiable information without user consent. PII includes data points like precise geolocation coordinates, device identifiers, installed application lists, and WiFi network information that can uniquely identify individuals. Kentucky's forensic investigation revealed Temu collects far more PII than necessary for e-commerce operations, including International Mobile Equipment Identity numbers, Media Access Control addresses, and Android Advertising IDs that enable comprehensive user tracking across platforms and time.

Kentucky Consumer Protection Act (KCPA): This state law prohibits unfair, false, misleading, or deceptive acts in trade or commerce, forming the primary legal basis for Kentucky's lawsuit against Temu. The KCPA allows the Attorney General to seek injunctive relief and civil penalties up to $2,000 per willful violation. Kentucky argues Temu's data collection practices and consumer deception tactics violate multiple provisions of this consumer protection statute, which is designed to shield residents from fraudulent business practices.

PDD Holdings Inc.: The Chinese parent company of Temu, originally founded as Pinduoduo in 2015, now operates as a Nasdaq-listed entity worth over $144 billion. Despite relocating executive offices to Dublin, Ireland, PDD Holdings maintains significant operations in China and remains subject to Chinese cybersecurity laws requiring cooperation with intelligence services. The company's dual structure allows it to access U.S. capital markets while retaining operational control through Chinese subsidiaries.

Forensic investigation: Kentucky conducted an independent technical analysis of the Temu application using both static code review and dynamic behavioral analysis over time. This forensic examination revealed code designed to evade detection, multiple encryption layers beyond industry standards, and deliberate obfuscation techniques to hide data collection activities. The investigation methodology examined both what the app is designed to do and how it actually operates when used by account holders.

Chinese cybersecurity laws: A comprehensive legal framework including the National Intelligence Law, Cybersecurity Law, and Data Security Law that requires all Chinese organizations and citizens to cooperate with national intelligence activities. These laws grant Chinese authorities broad access to data collected by companies like PDD Holdings, regardless of where that data is stored. The extraterritorial application of these laws means data collected from Kentucky residents could potentially be accessed by Chinese intelligence services.

Code obfuscation: A technique employed by Temu to make its application code difficult to analyze or reverse engineer, deliberately hiding malicious functionality from security researchers. The lawsuit describes how Temu's files, folders, classes, and functions are named and cross-referenced in complex ways designed to hamper investigation. This obfuscation overlaps significantly with previously banned Pinduoduo code, suggesting deliberate efforts to conceal data collection activities from both users and security professionals.

Spyware and malware characteristics: Technical behaviors within the Temu app that match patterns typically associated with malicious software designed to covertly collect user information. These include privilege escalation code that exploits operating system vulnerabilities, detection of forensic analysis tools, and the ability to modify app behavior after installation. Security experts have characterized these capabilities as going far beyond what legitimate e-commerce applications require for normal operation.

False reference pricing: A deceptive retail practice where Temu displays inflated "original" prices alongside supposedly discounted current prices, when the higher price was never real or widely available. This creates false impressions of savings and value for consumers. The lawsuit provides specific examples, such as advertising "Zelda: Breath of the Wild" with a crossed-out price of $144 when the game never retailed at that price, while selling it for the standard $40 market price.

Intellectual property infringement: Temu's alleged widespread sale of counterfeit products bearing protected trademarks without authorization from rights holders. The lawsuit documents numerous examples of fake Kentucky-branded merchandise including University of Kentucky apparel, Louisville Slugger baseball bats, and Buffalo Trace whiskey memorabilia. This practice not only violates trademark law but creates consumer confusion about product authenticity and quality.

Data encryption layers: Temu employs at least four distinct levels of encryption beyond standard Transport Layer Security protocols, creating what the lawsuit describes as "Russian doll" style nested encryption. This excessive encryption makes it nearly impossible for security researchers to analyze what specific data is being transmitted to Temu's servers. The complaint argues this level of encryption serves no legitimate business purpose and is designed specifically to hide unauthorized data collection from detection.

Summary

Who: Kentucky Attorney General Russell Coleman filed suit against PDD Holdings Inc. and Whaleco Inc. (doing business as Temu)

What: Lawsuit alleging violations of Kentucky Consumer Protection Act through deceptive data collection practices, unfair trade methods, and consumer fraud

When: Filed July 17, 2025, in Woodford Circuit Court covering conduct from 2022 to present

Where: Kentucky state court with jurisdiction over defendants' business activities affecting Kentucky residents

Why: To stop alleged privacy violations, consumer deception, and seek penalties for unlawful data collection practices that potentially benefit Chinese intelligence services