Oklahoma AG Sues Temu: Unlawful Data Harvesting, Spyware Allegations, and IP Theft in Latest Blow to Chinese E-Commerce Giant

On May 6, 2026, Oklahoma Attorney General Gentner Drummond filed suit in Cleveland County District Court against Temu (operated by PDD Holdings), alleging the platform engaged in deceptive business practices, secretly harvested sensitive user data without consent, and counterfeited iconic Oklahoma brands.

“Temu built its business model on deception, exploiting consumers while undermining American companies and exposing users to serious privacy risks. My office will not stand by while companies illegally profit from Oklahomans’ personal data and deceive consumers.” — Attorney General Gentner Drummond, May 11, 2026

The Lawsuit: Core Allegations

Oklahoma’s complaint, filed under the Oklahoma Consumer Protection Act, accuses Temu of multiple violations:

  • Unlawful data collection: The app allegedly collects precise location, microphone and camera access, activity on other installed apps, and more — without meaningful user knowledge or consent.
  • Spyware-like behavior: Forensic analysis reportedly found the app designed to evade detection by security tools, with “multiple hallmarks of spyware and malware.”
  • Deceptive practices: Bait-and-switch reward programs, misleading marketing, and failure to disclose data practices.
  • Intellectual property theft: Selling counterfeit merchandise featuring Oklahoma brands, including OU, OSU, and OKC Thunder items.
  • National security concerns: Harvested data potentially accessible by entities tied to the Chinese Communist Party (CCP).

The state retained independent forensic experts to reverse-engineer the Temu app, strengthening the technical basis of the claims.

Temu’s Rapid Rise and Pattern of Scrutiny

Launched in 2022, Temu quickly became one of the most-downloaded shopping apps in the U.S., known for ultra-low prices and aggressive gamified shopping. However, its success has been accompanied by repeated privacy and security red flags from regulators.

Multi-State Lawsuit Wave Against Temu (2025–2026)

State    | Date     | Key Allegations
---------|----------|------------------------------------------------------------------
Arizona  | Dec 2025 | Unlawful data collection, counterfeiting, privacy risks to minors
Kentucky | Jul 2025 | Malware-like data harvesting, CCP data access
Texas    | Feb 2026 | Deceptive marketing and illegal data harvesting
Nebraska | Jun 2025 | Secret malware installation, broad phone data siphoning
Oklahoma | May 2026 | Spyware hallmarks, IP theft, deceptive rewards

Technical Concerns: Beyond Standard Tracking

Multiple state investigations allege Temu’s app goes far beyond typical e-commerce data practices. Claims include:

  • Access to device microphone/camera without explicit ongoing consent.
  • Monitoring of activity across other apps.
  • Obfuscated code designed to bypass security scanners.
  • Transmission of data to servers in China, where national intelligence laws could compel disclosure to the CCP.

These allegations align with broader concerns about Chinese-owned apps (TikTok, Shein, etc.) and U.S. data security.

Connection to the National Privacy Enforcement Surge

Oklahoma’s action is the latest chapter in a record year for privacy enforcement. Gartner estimated $3.425 billion in U.S. state privacy fines in 2025 alone — driven by consent failures, improper data sharing, and children’s privacy issues. While many fines targeted U.S. companies, foreign platforms like Temu face additional scrutiny over data sovereignty and national security.

State AGs are using consumer protection statutes creatively where federal privacy law remains patchwork. Oklahoma’s suit adds IP theft and counterfeiting claims, broadening the legal strategy.

Business Model Under Fire

Temu’s ultra-low prices rely on a direct-from-China manufacturer model with minimal intermediaries. Critics argue this enables counterfeiting while the app’s gamification (spin-to-win, group buys, rewards) drives engagement and data collection. The lawsuit claims users become “the product” — their data monetized or shared in ways never clearly disclosed.

Potential Remedies and Impact

Oklahoma seeks:

  • Permanent injunction against the alleged practices.
  • Civil penalties under the Consumer Protection Act.
  • Restitution and disgorgement of profits (unjust enrichment).
  • Possible requirements for app redesign, clearer disclosures, or data deletion.

A win for the state could force Temu to overhaul its U.S. operations, similar to pressures faced by TikTok. Even a loss for the state or a settlement would still raise compliance costs for the company nationwide.

Temu’s Likely Defense

Temu has previously denied similar allegations, claiming compliance with applicable laws and robust privacy protections. The company will likely argue that data practices are standard for personalized shopping, disclosures are adequate, and claims of spyware are exaggerated. It may also challenge jurisdiction or seek removal to federal court.

Broader Implications for Consumers and Regulators

This case highlights several trends:

  1. State AG activism: Attorneys general are filling the federal vacuum on privacy and tech accountability.
  2. Geopolitical data risks: Concerns over foreign apps and CCP access are bipartisan.
  3. App store and platform responsibility: Increased pressure on Apple and Google to vet apps more rigorously.
  4. Consumer awareness: Shoppers chasing bargains may increasingly weigh privacy and security trade-offs.

Recommendations for Users and Businesses

For consumers: Review app permissions regularly, use privacy-focused browsers or VPNs, limit data shared with shopping apps, and consider alternatives with stronger U.S. privacy compliance.

For businesses: Companies partnering with or competing against Temu should monitor developments closely. Brands whose IP is allegedly infringed may consider joining or supporting these actions.

Outlook

Oklahoma’s lawsuit adds significant momentum to the multi-state campaign against Temu. As more AGs pile on and federal lawmakers debate bills like KOSA and broader data security measures, foreign e-commerce platforms operating in the U.S. face a tightening regulatory net.

Whether this becomes a landmark case or part of a string of settlements, one message is clear: in the era of record privacy fines and heightened national security concerns, “cheap and fast” is no longer enough — platforms must also be transparent and trustworthy with user data.
