Class-Action Plaintiffs Say AdTech Company Sent Data to Chinese-Owned Entity
Advertising technology company Index Exchange intercepted and then transmitted users’ online communications and sensitive data to Chinese-owned e-commerce platform Temu, violating federal privacy and national security laws, a plaintiff alleged in an amended class-action complaint Friday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The first amended complaint in case 1:25-cv-10517 details a “dangerous and unlawful data-sharing arrangement between an advertising platform … and a foreign adversary” of the U.S., contravening the Data Security Program, also called the Bulk Sensitive Data Rule, which DOJ established in April. It prohibits the transfer “in bulk [of] the sensitive personal data of Americans to persons or entities tied to 'countries of concern,'" the complaint said (see 2503100057).
Despite this, “Index Exchange, through its automated advertising infrastructure, transmits U.S. user data to Temu” which “receives this data in real time as part of its participation in Index Exchange’s ad delivery system,” the lawsuit adds.
“Temu has come under increasing scrutiny from regulators and members of Congress over concerns that its data practices may facilitate surveillance by the Chinese government,” it added.
In Friday's class action, plaintiff John Baker said that when he accessed the website BibleGateway.com, Canada-based Index Exchange “observed and tracked” his communications and activity, which “directly expose[d] the specific passages and topics" he was seeking "for study and reflection.”
These “searches for spiritual guidance on deeply personal subjects” constitute “information that a reasonable person would not wish to be disclosed,” the complaint said. Baker said he didn't give consent.
Filed at the U.S. District Court for Northern Illinois, the case includes a claim of violating the Electronic Communications Privacy Act. Index Exchange had asked to dismiss the original complaint for lack of jurisdiction (see 2511030043).
Nebraska (see 2506120027) and Kentucky (see 2507170044) have sued Temu, though it has maintained its innocence (see 2507210015). Oklahoma has also probed the company for privacy concerns (see 2509180011). Outside the U.S., the Austrian privacy advocacy group Noyb included Temu as part of a larger lawsuit over unlawful data transfers at the start of the year (see 2501160010).