US lawyers fire up privacy class action accusing Lenovo of bulk data transfers to China

Lenovo faces lawsuit over Chinese data transfers

The Almeida Law Group filed a lawsuit against Lenovo for allegedly violating Department of Justice regulations regarding the bulk transfer of sensitive data to foreign adversaries. The complaint, filed on behalf of San Francisco resident Spencer Christy, claims the computer manufacturer funnels American consumer information to entities controlled by the Chinese government. This legal action targets Lenovo’s website tracking practices and its relationship with its Beijing-based parent company.

The case centers on the Data Security Program regulations that the Department of Justice (DOJ) implemented last year. These rules aim to prevent adversarial nations from acquiring large quantities of behavioral data that could be used to surveil or exploit American citizens. The lawsuit alleges that Lenovo’s website uses automated tracking systems to bypass these security controls.

The DOJ rule specifically prohibits the transfer of "covered personal identifiers" to certain foreign entities when the data involves 100,000 or more US persons. The Almeida Law Group argues that Lenovo’s data collection easily exceeds this threshold. The firm seeks class-action status for the suit, which could potentially include millions of American Lenovo customers and website visitors.

Trackers expose sensitive behavioral data

Lenovo’s website allegedly loads numerous first-party and third-party tracking scripts the moment a user lands on the homepage. These scripts record detailed user behavior and hardware specifications. The lawsuit names several high-profile tracking implementations that the company uses to gather this information.

These trackers monitor how users interact with the site, what products they view, and their physical location. The complaint lists specific identifiers that Lenovo allegedly collects and potentially shares with foreign entities. These include:

• IMEI, MAC addresses, and SIM numbers from user devices
• Government-issued identification and financial account numbers
• Detailed demographic data and advertising IDs
• Biometric identifiers and precise location tracking
• Personal health information and financial vulnerabilities

The lawsuit claims that Lenovo knowingly permits access to this sensitive data by its foreign parent companies. Because the Lenovo Group operates under Chinese jurisdiction, the suit argues that the Chinese government can legally compel the company to hand over this information. This creates a direct pipeline for American data to reach the Chinese state apparatus.

The risk of weaponized personal dossiers

Lawyers for the plaintiff argue that the collected data allows the Chinese government to build detailed dossiers on American residents. These profiles can identify psychological weaknesses or financial instability. The suit claims this information is particularly dangerous when it concerns individuals in sensitive roles.

The complaint highlights several groups that could be targeted using this bulk data. These include military personnel, journalists, politicians, and dissidents living in the United States. The suit suggests that the Chinese government could use this information for coercive targeting or blackmail.

"Weaponized profiling" is a primary concern cited in the legal filing. By analyzing behavioral patterns across millions of users, foreign intelligence services can identify high-value targets for espionage. The suit alleges that Lenovo’s failure to restrict this data flow creates a significant national security risk.

The named plaintiff, Spencer Christy, visited the Lenovo website multiple times in November and December 2025. During these visits, the suit claims that Lenovo’s trackers violated his reasonable expectation of privacy. This resulted in the unauthorized disclosure of his personal information to a foreign entity without his consent or knowledge.

Lenovo denies all allegations of misconduct

Lenovo responded to the allegations by stating that any suggestion of improper data sharing is false. The company maintains that it complies with all global data protection laws, including the stringent requirements set by the US government. Lenovo executives insist that their data practices are transparent and designed to protect customer privacy.

The company emphasizes its commitment to data security and its history of operating within the US market. Lenovo argues that its tracking practices are standard for the e-commerce industry and do not violate DOJ rules. However, the lawsuit contends that Lenovo’s specific corporate structure makes these standard practices illegal under the new federal regulations.

The legal battle will likely hinge on the interpretation of what constitutes a "transfer" under the DOJ rule. While many companies use trackers from Google, Meta, and Microsoft, the lawsuit argues that Lenovo’s connection to China places it in a different legal category. The court must decide if the mere presence of these trackers on a site owned by a Chinese-controlled entity counts as a prohibited transfer.

Seeking restitution and statutory damages

The Almeida Law Group is asking the court for relief, restitution, and disgorgement of any profits Lenovo made through these alleged data transfers. The suit also seeks statutory damages in amounts that a jury or the court will determine. If the case receives class-action certification, the total financial liability for Lenovo could be substantial.

This case represents one of the first major tests of the DOJ’s new authority to regulate bulk data transfers. It follows years of increasing tension between the US government and Chinese tech firms over data sovereignty. Similar concerns have previously led to restrictions on companies like Huawei and the ongoing legislative battles over TikTok.

The outcome of this suit could force hardware manufacturers to change how they manage their web presence and customer databases. If the court finds Lenovo in violation, other companies with foreign parentage may need to strip trackers from their US-facing websites. For now, the Almeida Law Group continues to seek more plaintiffs who visited Lenovo's site during the 2025 period.

The lawsuit remains silent on whether the use of trackers is inherently illegal for most companies. Instead, it focuses on the specific destination of that data. The legal team argues that while data collection is common, sending it to a foreign adversary is a distinct violation of federal law. Lenovo has not yet filed a formal motion to dismiss the case.