What does the Temu case study reveal about the gap between claimed and actual data protection practices?
Temu claims to anonymize user data, but collects an extraordinary amount of device and behavioral information automatically, and true anonymization may be impossible given the data's richness.
Background: Temu, an online marketplace, became the most downloaded free app on both iOS and Google app stores. Its privacy policy reveals extensive automatic data collection.
What Temu collects without explicit consent:
- Operating system type and version.
- Device manufacturer and model.
- Browser type.
- Screen resolution.
- RAM and storage size.
- CPU usage.
- Device type.
- IP address.
- Unique identifiers, including advertising IDs.
- General location information.
The anonymization problem: Temu claims it can use personal data for research and development, "including analysis and improvement of services and business." It also claims to anonymize data. But studies have shown that location and purchase data alone are often enough to re-identify individuals.
Expert assessment: According to Calli Schroeder, a data protection attorney at EPIC (Electronic Privacy Information Center), de-identified data often still contains multiple personal data elements that can be linked to a person through a number instead of a name.
Key lesson: Claimed anonymization often provides insufficient protection against re-identification. When a company collects this many data points, true anonymization becomes nearly impossible. Always read privacy policies critically and understand what "anonymized" actually means in context.