Kentucky Sues Temu for Collecting ‘Alarming’ Amount of User Data

July 18, 2025, 7:17 PM UTC

Temu is collecting users’ sensitive personal information without their knowledge and designed its app’s code in a way to evade detection, Kentucky’s attorney general says in a state court complaint.

The popular online shopping app is also “awash in products that baldly infringe upon, or simply copy outright, intellectual property” owned by Kentucky-based businesses, according to the state’s lawsuit filed Thursday in the Kentucky Circuit Court for Woodford County.

The retailer is also facing a lawsuit brought by Nebraska over its data practices.

Kentucky’s Temu investigation revealed the app is collecting data on users that’s “well beyond” what’s necessary for its operations—including a user’s physical location, data points that allow the app to track a device’s movements, and lists of a consumer’s installed apps and associated accounts—Kentucky Attorney General Russell Coleman (R) says.

Temu’s code is also “purposely designed to evade front-end security review,” applying “multiple layers of encryption” to shield itself, the state alleges. The code also allows Temu to reconfigure its functionality once it’s downloaded, effectively bypassing security and privacy tests to gain Google or Apple app store approval, the complaint says.

PDD Holdings and Temu didn’t immediately respond to emailed requests for comment.

The code is allegedly modeled on Pinduoduo, an app created by Temu parent company PDD Holdings Inc. Pinduoduo has been described as malware by security experts and was banned from Google’s app store over privacy issues. Many of the engineers who developed its code were transferred to work on Temu, the state claims.

Chinese law requires businesses to hand over data and cooperate with national intelligence agencies if requested, and provides the government “broad authority” to investigate and access private networks and communication systems. The companies have a portion of their operations in China, amplifying the consequences of Temu’s alleged privacy violations, Kentucky asserts. Temu also deceptively represents the quality of its products and engages in other business practices that violate Kentucky’s consumer protection law.

Consumers have allegedly reported receiving products that are low quality and don’t resemble images on the app, and being charged for and sent items they didn’t order. Temu also has a “convoluted and ineffective IP protection policy,” allowing unlicensed products to be sold on the app, the state alleges.

Kentucky asserts various violations of the state’s consumer protection law, and an unjust enrichment claim. The state is seeking injunctive relief, up to $2,000 per violation of its law, and disgorgement of all ill-gotten gains.

The case is Kentucky v. PDD Holdings Inc., Ky. Cir. Ct., No. 25-CI-00232, complaint filed 7/17/25.

To contact the reporter on this story: Mallory Culhane in Washington at mculhane@bloombergindustry.com

To contact the editor responsible for this story: Andrew Harris at aharris@bloomberglaw.com
