Arizona Attorney General Sues Temu for Alleged Data Theft: What Business Owners Need to Know
By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering
Disclaimer: This article is for educational purposes only and does not constitute legal advice.
Arizona Attorney General Kris Mayes has filed a major lawsuit against Temu and its parent company, PDD Holdings Inc. The complaint alleges widespread, deceptive, and highly intrusive data-collection practices that pose both consumer-privacy and national-security risks. The case also raises significant compliance questions for businesses that rely on mobile apps, third-party software, or international vendors.
This article outlines the core allegations, the regulatory risks, and the steps business owners should consider as enforcement actions intensify across the country.
Summary of the Allegations
According to the filings, as reported by the Associated Press, the Arizona Attorney General argues that the Temu app collects a “shocking amount” of user data without informed consent. The complaint highlights the following practices:
1. Excessive and undisclosed data collection
The app allegedly gathers granular GPS location data, a list of all apps installed on a device, and device metadata unrelated to e-commerce operations. The Attorney General argues that the app’s functionality is disproportionate to its advertised purpose.
2. Code designed to evade scrutiny
The lawsuit claims the app uses code patterns associated with spyware or malware. These patterns are said to make it difficult for users, mobile-platform security tools, or forensic teams to detect hidden data-collection behaviors.
3. Exposure to foreign-government access
Because Temu is owned by a China-based parent company, user data may be subject to compulsory disclosure under Chinese law. The Attorney General warns that this creates a potential national-security vulnerability for U.S. citizens and businesses.
4. Deceptive trade practices affecting Arizona consumers
Arizona alleges that Temu violates the Arizona Consumer Fraud Act by presenting itself as a low-cost marketplace while relying on invasive data harvesting. The complaint also includes accusations of intellectual property misuse and the sale of counterfeit or unlicensed goods.
The Attorney General has advised Arizona residents to delete the Temu app and run malware scans on their devices.
Why This Matters to Business Owners
Although this lawsuit targets Temu, the underlying issues reflect broader privacy and cybersecurity risks that apply to businesses in every industry. The case demonstrates several important lessons for business owners who manage customer data, rely on third-party software, or operate apps of their own.
1. Data collection must match legitimate business purposes
Collecting data that is unrelated to the core function of your app or service can expose your business to regulatory scrutiny, civil liability, and reputational harm. Regulators increasingly examine whether data practices align with necessity, transparency, and consent principles.
2. Hidden tracking or device-level access will trigger investigations
If an app uses code that behaves like spyware, modifies system permissions, or attempts to bypass platform controls, regulators will classify it as a security threat. Businesses must ensure that any mobile app, SDK, or plug-in is subject to strict internal review.
3. Cross-border data flows now carry elevated risk
If your business relies on foreign cloud hosting, offshore development teams, or third-party tools headquartered abroad, you may face increased exposure, particularly when the foreign country has laws that enable compelled access to user data.
4. Consumer-protection statutes are expanding into the cybersecurity domain
State attorneys general are now framing data-privacy incidents as deceptive trade practices that violate consumer-protection laws. This significantly increases the penalties and legal exposure businesses may face.
5. Enforcement activity is accelerating
Arizona is not the first state to challenge Temu’s practices. Similar lawsuits have been filed in Nebraska and Arkansas. At the federal level, the U.S. Department of Justice has already imposed civil penalties on Temu’s U.S. subsidiary for other violations. Businesses should expect more multi-state investigations and follow-on litigation.
Practical Steps for Business Owners
The Temu lawsuit highlights risks that all businesses should actively manage. Key steps include:
1. Conducting a third-party risk review
Evaluate all third-party platforms that interact with customer data. Verify whether vendors collect more data than necessary or rely on overseas infrastructure that may introduce additional exposure.
2. Reviewing your privacy disclosures and permissions
Ensure that your privacy policy accurately reflects what your technology collects and why. Double-check that your mobile app or website does not request device-level access beyond what is required.
3. Implementing data-minimization and retention controls
Limit data collection to what is needed for business operations. Reduce long-term storage of unnecessary data, which lowers both legal and security risks.
4. Updating incident-response and forensic-readiness plans
If regulators allege undisclosed data collection or technical misuse, your business must demonstrate that it has processes in place for detection, investigation, and corrective action.
5. Strengthening cross-border data governance
Businesses with international vendors, offshore developers, or global cloud providers should document transfer mechanisms, security controls, and government-access risk evaluations.
What Happens Next
The Temu case may become a national test for how aggressively states can pursue foreign-owned tech platforms for data-collection practices. Several outcomes are possible:
- Court-ordered changes to Temu’s data-collection practices
- Mandatory security audits
- Civil penalties for consumer-protection violations
- Additional lawsuits from other state attorneys general
- Federal intervention if national-security concerns escalate
For U.S. businesses, the message is clear. Regulatory expectations around data privacy and app security are rising. Companies that handle consumer data, operate mobile applications, or rely on global technology partners will face increased scrutiny.