Lenovo faces US privacy lawsuit over alleged data transfers to China

A US law firm has filed a class action lawsuit against Lenovo, accusing the PC manufacturer of violating federal data security regulations by transferring bulk behavioral data of American consumers to Chinese entities through its website tracking systems.

DOJ Data Security Program at center of case

The lawsuit, filed by Almeida Law Group on behalf of San Francisco resident Spencer Christy, centers on Data Security Program regulations implemented by the Department of Justice last year. These rules were designed to prevent adversarial countries from acquiring large quantities of behavioral data that could be used to surveil, analyze, or exploit American citizens' behavior.

The complaint alleges that Lenovo's website uses numerous first and third-party tracking implementations that measure and record user data, including trackers from TikTok, Facebook, Microsoft, and Google. According to the suit, this allows Lenovo to collect bulk personal data and knowingly permit access to or transfer of such data to entities that qualify as covered persons under the DOJ Rule.

What constitutes a violation?

The lawsuit cites the DOJ rule's threshold for "covered personal identifiers" as 100,000 US persons or more. The complaint lists various potential identifiers that could trigger this threshold, including government and financial account numbers, IMEIs, MAC and SIM numbers, demographic data, and advertising IDs.

Almeida Law Group argues that Lenovo's data practices violate American consumers' reasonable expectation of privacy by exposing behavioral data to foreign adversaries. The suit claims that Lenovo Group, operating under Chinese jurisdiction, could use this data to build detailed dossiers on US residents, identify psychological or financial vulnerabilities, and target individuals in sensitive roles such as jurists, military personnel, journalists, politicians, or dissidents.

Potential consequences outlined

The lawsuit suggests that the collected data could be "weaponized for profiling, coercive targeting, or even blackmail." The named plaintiff visited Lenovo's website multiple times in November and December 2025, triggering trackers that the suit claims resulted in the unauthorized disclosure of personal information to a foreign entity.

Lenovo's response

Lenovo has denied the allegations, stating that "any suggestion that Lenovo improperly shares customer data is false." The company emphasized that it takes data privacy and security seriously and complies with all applicable data protection laws and regulations globally, including stringent US requirements. Lenovo maintains that its data practices are transparent, lawful, and designed to protect customers.

Legal implications and next steps

The case seeks class action status and requests relief, restitution, and disgorgement, as well as statutory damages to be determined by the court and/or jury. The lawsuit raises important questions about the intersection of international data transfers, privacy regulations, and the responsibilities of multinational technology companies operating in the US market.

While the suit remains silent on whether the use of trackers themselves is permissible, it focuses on the alleged transfer of collected data to Chinese entities. This distinction could prove significant as the case progresses through the legal system.

The outcome of this case could have broader implications for how technology companies handle user data, particularly when operating across jurisdictions with different privacy and security requirements. As data privacy regulations continue to evolve globally, companies like Lenovo may face increasing scrutiny over their data collection and transfer practices.

The case highlights the growing tension between the business models of many technology companies that rely on data collection and targeted advertising, and increasing regulatory efforts to protect consumer privacy and prevent potential misuse of personal information by foreign entities.