TEMU and the Arkansas AG

In this edition of the Privacy Huddle, Alysa Hutnik and Jonathan Joseph ask whether the Arkansas Attorney General is too harsh in calling TEMU a "data-theft business."

Summary

The Arkansas Attorney General filed suit against TEMU, characterizing it not as an e-commerce platform but as a “data theft business.” The complaint alleges that after installation, the app reconstitutes itself and accesses contacts, photos, and other device data unrelated to shopping, while also overriding user privacy settings. TEMU had already been removed from Apple’s App Store for failing to meet its privacy attestation requirements. The app remains accessible via web and other platforms, and its advertising model — which requires large-scale behavioral data collection — is the engine the Arkansas AG argues is being fueled by unlawful means.

What makes the case notable procedurally is the AG’s decision to file a public lawsuit directly, bypassing the typical nonpublic investigation process that usually precedes enforcement. That process normally involves letters, subpoenas, and document production, often resolving quietly with a settlement or closing. A straight-to-court filing suggests either that prior negotiation broke down, or that the conduct was considered too harmful to permit the delay.

The substantive legal theory tracks the “flashlight app” precedent from an earlier FTC case — the principle that data collection must bear a reasonable nexus to the app’s stated purpose. Consumers downloading a shopping app have no basis to expect the app will access their contacts or override OS-level privacy controls. That mismatch between stated purpose and actual data behavior is the core of the claim.

The episode draws an important line: data monetization through advertising is not inherently unlawful. The issue is whether consumers receive notice about what is collected, how it is used, and with whom it is shared — and whether they have meaningful control. On the allegations as pled, TEMU provided none of that.

The more aggravating factor is that the app allegedly did not merely collect data without adequate disclosure — it circumvented privacy choices that users had already made at the device level. That distinction matters: ignoring consent mechanisms that were never presented is different from actively overriding ones the consumer explicitly set.

Transcript

**Jonathan:** Hey. So it’s not an ecommerce platform. It’s a data theft application. Sorry about that. Pretty scary language. I posted about it. It’s a good headline.

**Alysa:** Arkansas attorney general filed a lawsuit against TEMU. And if you’re a parent of, let’s just say, a tween or maybe older, maybe younger, you’ve heard of TEMU. It’s think of it as like a marketing platform where you can buy lots of things that maybe younger people like, maybe older people like. It’s just my context. For real, for like four dollars, just really, really inexpensive. There’s a lot of marketing around TEMU, and what Arkansas alleges is this app is spyware. And when you download it onto your phone, it reconstitutes itself and accesses your contacts, photos, and overrides your privacy settings. So there’s a whole lot going on with that. But essentially, they’re saying you are acting unlawfully, and also we think you’re essentially from China trying to access Americans’ data.

**Jonathan:** I have so many questions. And they’re selling it. Right? Are they selling it as an advertising model on the data, or are they —

**Alysa:** It’s data monetization. Right? They’ve got eyeballs. They wanna be able to advertise. There’s nothing wrong with that. It’s the how do you get there. That’s what’s regulated in the US.

**Jonathan:** Oh, so it’s so fascinating. I saw your post on it this morning. So first of all, how are they doing it? I mean, is it even a thing that you could on an Apple device?

**Alysa:** Well, they got kicked off. They got kicked off of Apple’s app platform. Right? There’s pretty strict privacy obligations and attestations that you have to do as an app, so they got bounced. You can also get to TEMU on web, and you can download it on certainly other platforms.

**Jonathan:** And is it unusual that the Arkansas AG went straight to suing them?

**Alysa:** Well, my experience with this — right. Usually, with legitimate companies, there’s a nonpublic investigation. It starts with a letter, maybe a phone call, maybe a subpoena, and there’s a lengthy process of providing information, providing documents. Usually, you either make your case that you have not violated the law and the investigation informally, quietly closes, or they say give you a draft complaint and you end up with a settlement. And once the settlement is finalized, that is what becomes publicly available and announced. And, you know, it has the complaint, what they alleged, and then the settlement with what you’re gonna do to make it better. Here, it’s just a lawsuit. So that could have meant two things. Could have meant they tried the nonpublic investigation and the parties could not resolve it, or the AG thought it was such a harm happening that they had to go right to court to essentially stop it right away. And hard to know. I think it’s the latter.

**Jonathan:** Oh, yeah. I mean, so egregious. And these are just allegations, so we don’t know what this version of the story is. But the allegations — it’ll look great. Yeah. Yeah. Yeah. Gotcha. Alright. So what’s the next step? What are we looking for? What happens in the case? Right? Is this gonna be a lengthy litigated case?

**Alysa:** Let’s see how TEMU responds. Do they have an answer? Do they have a motion to dismiss? I think this is really gonna rest on the facts, so it’s probably not gonna be resolved at that early stage, call a motion to dismiss. So we shall see. But it’s interesting. And when we were going through the California regulations, there were a lot of examples about what’s secondary purposes of data that a consumer does not reasonably expect, that are not proportionate, certainly not data minimization. And the flashlight example is one of the examples. It was an earlier FTC case where if you download a flashlight app, you’re not expecting that that flashlight app is going to access all of these other aspects in your phone, including your contacts. Right? There’s not a nexus there. And California mentioned that — this is what I put in my post — this is like a flashlight app on steroids because it’s accessing all sorts of things on your device, but then also reconstituting itself so that it could override your privacy settings, which arguably — I mean, that’s a material factor.

**Jonathan:** Yeah. I mean, I have to ask, what about just every free Internet product that gathers data to sell it for advertising? Like, where’s consumer reasonable expectations on that? Are we just used to it?

**Alysa:** Well, we’re not banning monetization of data. I mean, that — and that is the other terminology we talk about — when you’re an advertiser, you’re advertising on a platform, you’re the publisher, and being able to make money off of having advertisers advertise on your platform — there is nothing illegal about that. What I think this lawsuit is saying is consumers need to have notice about what data is being collected, how it’s being used, with whom it’s being shared, and have an ability to control that. None of those factors were currently happening in TEMU based on the allegations.

**Jonathan:** Gotcha. And what was different here is — you actually made a privacy choice somewhere in Apple, and these guys not only didn’t respect it — allegedly went around it.
