Corporate Accountability Project · Data Sovereignty & National Security
Class Action · Data Privacy · National Security
Lenovo’s Secret Pipeline: How a Chinese-Controlled Tech Giant Sold Your Browsing Data to Beijing
A 2026 federal class action alleges Lenovo’s U.S. website harvested the behavioral data of millions of Americans and funneled it to its Chinese parent company, violating a landmark DOJ national security rule.
🔴 CRITICAL SEVERITY
TL;DR
Lenovo, whose American subsidiary is ultimately controlled by Chinese state-linked entities, quietly embedded 55-plus tracking technologies into its U.S. website. Those trackers captured Americans’ browsing activity, device identifiers, IP addresses, and purchase behavior, then transmitted that data to Lenovo’s Beijing-headquartered parent company. This happened after April 8, 2025, when a DOJ rule explicitly banned such transfers as a national security threat. An estimated 13.35 million U.S. devices visited lenovo.com in December 2025 alone. The company knew this rule was coming, participated in the rulemaking process, lobbied unsuccessfully for an exemption, and kept doing it anyway.
Your browsing data is not a product sample. Demand that Lenovo stop, and demand that lawmakers close the surveillance loopholes that let this happen.
Key Facts at a Glance
13.35M
U.S. devices visited lenovo.com in December 2025 alone
100K+
U.S. persons’ data required to trigger DOJ “bulk” threshold
55+
Tracking scripts identified on the Lenovo website
Apr 2025
Date DOJ Rule took effect prohibiting these data transfers
8
Separate legal claims filed against Lenovo
$5M+
Minimum amount in controversy under Class Action Fairness Act
⚠️
Core Allegations
Core Allegations
What Lenovo did to millions of Americans · 6 points
| 01 | Lenovo embedded more than 55 third-party tracking technologies into its U.S. website, including tools from TikTok, Facebook, Google, Microsoft, Adobe, and Liveramp, which automatically activated in users’ browsers without their knowledge or consent. | high |
| 02 | These trackers captured full-string URLs (revealing exactly what products users viewed), IP addresses, advertising IDs, cookie data, device metadata, and browsing patterns, then transmitted this data to third-party servers and ultimately to Lenovo’s Chinese parent company, Lenovo Group. | high |
| 03 | Lenovo conducted this data collection and transfer after April 8, 2025, the effective date of the DOJ’s Bulk Sensitive Data Transfer Rule, which explicitly prohibits sending Americans’ behavioral data to Chinese-controlled entities as a national security measure. | high |
| 04 | Lenovo Group, the Chinese parent receiving this data, is subject to China’s National Intelligence Law, Cybersecurity Law, and Data Security Law, all of which require Chinese companies to secretly cooperate with government surveillance and grant authorities unrestricted access to private user data. | high |
| 05 | Plaintiff Spencer Christy visited lenovo.com in November and December 2025, shopping for a gaming computer. Without his knowledge, his browsing activity, device identifiers, and purchase interest were captured, profiled, and transmitted to Lenovo Group in China. | medium |
| 06 | An estimated 13.35 million U.S. devices visited lenovo.com in December 2025 alone, far exceeding the 100,000-person threshold that triggers the DOJ Rule’s definition of “bulk U.S. sensitive personal data.” | high |
Regulatory Failures
How oversight broke down · 5 points
| 01 | Lenovo is a member of the Information Technology Industry Council, which actively participated in the DOJ rulemaking process and lobbied for an exemption that would have allowed Lenovo to continue sharing data with its Chinese parent. The DOJ rejected that exemption request. | high |
| 02 | Despite knowing the DOJ Rule’s requirements, Lenovo’s Privacy Policy only safeguards data transferred to China through “standard contractual clauses,” a protection the DOJ Rule explicitly deems insufficient. The Rule requires active technical controls, data minimization, encryption, and access restrictions. | high |
| 03 | In 2016, the Department of Defense’s Joint Staff warned that Lenovo devices could introduce compromised hardware into defense supply chains. In 2023, members of the House Select Committee on the Chinese Communist Party raised concerns about Lenovo’s ties to state-run cyberespionage campaigns. | high |
| 04 | Lenovo Group’s own annual reports acknowledge the risk of “non-compliant collection, processing, use, retention, sharing, cross-border transfer” of personal data in violation of applicable privacy and security laws, yet the company continued the practices described in this lawsuit. | medium |
| 05 | The DOJ Rule was created because the U.S. government determined, across multiple administrations and all three branches of government, that bulk transfers of Americans’ behavioral data to hostile foreign regimes constitute an “unusual and extraordinary threat” to national security. Lenovo defied this consensus. | high |
National Security Threat
What Beijing can do with this data · 5 points
| 01 | Lenovo Group operates under Chinese law obligations that require the company to secretly cooperate with government intelligence agencies, meaning the behavioral data of American consumers could be accessed by the Chinese government without any legal recourse for affected individuals. | high |
| 02 | The lawsuit warns that aggregated browsing and behavioral data can be used to build detailed dossiers on U.S. residents, identify psychological and financial vulnerabilities, and specifically target individuals in sensitive roles, including judges, military personnel, journalists, politicians, and dissidents. | high |
| 03 | This data can be weaponized for coercive targeting and blackmail without users ever knowing their information was transmitted to a foreign-controlled entity, a risk the U.S. government cited as the primary driver for creating the DOJ Rule. | high |
| 04 | Lenovo Group’s largest shareholder is Legend Holdings, a Chinese investment company established by the Chinese Academy of Sciences, which is a state institution of the People’s Republic of China. These structural ties create direct financial and institutional connections between Lenovo and the Chinese state. | high |
| 05 | When a user simply browsed lenovo.com, their IP address, advertising IDs, cookie data, full URLs showing exactly what products they viewed, screen resolution, browser version, operating system, and language settings were all captured and transmitted, producing a detailed behavioral fingerprint linkable to their real-world identity. | medium |
Corporate Accountability Failures
How Lenovo knowingly proceeded · 5 points
| 01 | Lenovo’s website provided no clear or conspicuous notice that user interactions would be surveilled and routed to foreign entities. Users had no meaningful ability to opt out of the tracking technologies before their data was already captured and transmitted. | high |
| 02 | The complaint alleges that Lenovo intentionally concealed the true character of its data practices from users, actively hiding the foreign transmission of their data and making misleading statements about privacy protections that did not meet federal requirements. | high |
| 03 | Lenovo’s Privacy Policy actually admits that it transfers user personal information to the Lenovo Group and to the People’s Republic of China. The company chose to continue this practice after the DOJ Rule made it illegal, relying on contractual safeguards the law explicitly ruled insufficient. | high |
| 04 | Lenovo derived direct commercial value from sharing users’ behavioral data with advertisers and profiling networks while simultaneously avoiding the costs of obtaining proper consent, implementing adequate privacy protections, and complying with security requirements the DOJ Rule mandates. | medium |
| 05 | Plaintiffs who purchased products on lenovo.com allege they would not have made those purchases had they known their data would be covertly captured and transmitted to a Chinese-controlled entity. Lenovo profited from purchases made under false pretenses about privacy. | medium |
This Is the System Working as Intended
The structural reality behind the lawsuit · 4 points
| 01 | The advertising and data-brokerage industrial complex Lenovo exploits is the same infrastructure that enables mass commercial surveillance across the web. Lenovo did not invent this system; it simply routed the output to a foreign adversary, revealing the inherent danger of the system itself. | medium |
| 02 | The DOJ Rule exists because Congress and three successive administrations recognized that allowing foreign adversaries to purchase or access Americans’ behavioral data at scale constitutes a structural national security failure, not just a corporate policy one. | medium |
| 03 | Chinese corporate law makes the distinction between “private company” and “state actor” largely meaningless: any Chinese firm can be compelled to hand over user data to the government at any time, without notice, transparency, or recourse for affected individuals. | high |
| 04 | Lenovo is not an isolated case. It is one node in a broader pattern of Chinese-linked technology companies operating within U.S. markets while remaining subject to PRC data access laws, a conflict of interest that current regulatory frameworks are only beginning to address. | medium |
🕐
Timeline of Events
2016
The Department of Defense’s Joint Staff issues a cybersecurity warning that Lenovo computers and devices could introduce compromised hardware into defense supply chains, flagging cyberespionage risks.
Oct 2023
Members of the U.S. House Select Committee on the Chinese Communist Party write to the Navy Exchange raising concerns about Lenovo’s ties to the Chinese government and documented links to state-run cyberespionage campaigns.
Apr 2024
The Information Technology Industry Council (ITI), of which Lenovo is a member, submits a comment to the DOJ requesting an exemption from the pending bulk data rule for data processed by covered persons for product research and development. The DOJ does not adopt the requested exemption.
Apr 8, 2025
The DOJ’s Bulk Sensitive Data Transfer Rule takes effect, codified at 28 C.F.R. Part 202. The rule prohibits U.S. persons from transferring bulk sensitive personal data to entities tied to countries of concern, including China, without specific technical security controls.
Nov-Dec 2025
Plaintiff Spencer Christy visits lenovo.com on multiple occasions, browsing and purchasing a Legion Tower 7i gaming computer. His browsing data, device identifiers, and behavioral activity are captured by tracking technologies and transmitted to Lenovo Group in China without his knowledge or consent.
Dec 2025
Publicly available web traffic data shows 13.35 million U.S.-based devices visited lenovo.com during this single month, far exceeding the DOJ Rule’s 100,000-person bulk data threshold.
Feb 5, 2026
Almeida Law Group files the class action complaint in the U.S. District Court for the Northern District of California, San Francisco Division, on behalf of plaintiff Spencer Christy and all similarly situated U.S. consumers.
💬
Direct Quotes from the Legal Record
QUOTE 1
The government’s own classification of the threat
National Security
“The export of Americans’ behavioral data to hostile foreign regimes or entities under their jurisdiction constitutes an ‘unusual and extraordinary threat . . . to the national security and foreign policy of the United States that has been repeatedly recognized across political parties and by all three branches of government.'”
💡 This is the U.S. government’s official characterization of the precise conduct Lenovo is alleged to have continued after the rule was enacted.
QUOTE 2
Chinese law mandating secret government cooperation
Core Allegations
“These laws require Chinese companies and individuals to secretly cooperate with government surveillance efforts and to grant authorities unrestricted access to private user data.”
💡 This means any data Lenovo transfers to Lenovo Group is, by legal obligation, accessible to the Chinese government upon demand, making the transfer a potential national security breach regardless of Lenovo’s stated intent.
QUOTE 3
How data can be weaponized against Americans
National Security
“A company like the Lenovo Group, operating under Chinese jurisdiction, can use this data to build detailed dossiers on U.S. residents, identify psychological or financial vulnerabilities, and target individuals in sensitive roles—such as jurists, military personnel, journalists, politicians, or dissidents.”
💡 This is not hypothetical. Behavioral profiling for coercive purposes is a documented Chinese intelligence practice, and the DOJ Rule was created specifically to prevent this pipeline from existing.
QUOTE 4
Lenovo’s own admission in its Privacy Policy
Corporate Accountability
“Lenovo admits in its Website’s Privacy Policy that it transfers users’ personal information to the Lenovo Group and the People’s Republic of China.”
💡 Lenovo disclosed the data transfer to China in its own privacy documentation, meaning the company knew this was happening, told users about it in fine print, and continued after it became federally prohibited.
QUOTE 5
Lenovo Group’s own risk acknowledgment
Regulatory Failures
“The risk that there are instances of non-compliant collection, processing, use, retention, sharing, cross-border transfer, and protection of proprietary, confidential, and personal (customer, supplier, employee), user or device-identifiable data, leading to violations of applicable privacy, security, and data protection laws and regulations.”
💡 This is Lenovo Group’s own language from its annual reports, acknowledging the exact legal risk the company then proceeded to incur. The company was aware; it proceeded anyway.
QUOTE 6
What users unknowingly triggered by opening the site
Core Allegations
“Most people would be shocked to learn that simply opening the Website could trigger data harvesting and the silent creation of a detailed behavioral profile tied to their identity.”
💡 No purchase was required. No account login. No form submission. Simply loading the Lenovo website was enough to trigger automated data capture and transmission to Chinese-controlled servers.
QUOTE 7
The scale of the data collection apparatus
Core Allegations
“Lenovo intentionally programmed and deployed on the Website such tracking technologies, provided by TikTok, Facebook, Microsoft, Google, Adobe, Index Exchange, Inc., Wunderkind, Snap, Inc., and Liveramp, among numerous others.”
💡 The scope of the tracking infrastructure deployed by Lenovo was not incidental. It was a deliberate, multi-vendor surveillance network embedded into a consumer-facing website.
QUOTE 8
The intentional nature of the alleged conduct
Corporate Accountability
“Lenovo’s conduct is not accidental, peripheral, or the result of isolated technical missteps. Rather, Lenovo knowingly facilitated the export of Americans’ behavioral data to a foreign adversary.”
💡 The lawsuit makes a deliberate argument that this is not a compliance oversight. It is alleged to be a knowing, systematic business practice that continued after the conduct was federally prohibited.
💬
Commentary
❓
Is This Lawsuit Legitimate, or Just Litigation Fishing?
▾
This lawsuit is grounded in a real, enforceable federal regulation that took effect in April 2025 with full bipartisan support. The DOJ Rule is not ambiguous about its requirements: companies cannot transfer bulk behavioral data to entities tied to China without specific technical safeguards. Lenovo’s own Privacy Policy admits the data transfers to China. The company participated in the rulemaking, lobbied for an exemption, failed to get one, and continued the transfers anyway. Whether or not the class ultimately prevails, the underlying factual allegations are backed by Lenovo’s own disclosures and documented data flows. This is not a speculative lawsuit; it targets a specific, named federal regulation that Lenovo is alleged to have knowingly violated.
Why Does It Matter That Data Goes to China Specifically?
▾
China’s National Intelligence Law, enacted in 2017, compels all Chinese organizations and citizens to support, assist, and cooperate with national intelligence work. This is not a theoretical risk. It means any Chinese company, including Lenovo Group, can be legally required to hand over data to the Chinese government without telling the people whose data it is. In the hands of a foreign intelligence service, behavioral data from millions of American consumers becomes a tool for identifying military personnel, mapping social networks, building blackmail files, and targeting dissidents living in the U.S. The U.S. government did not create the DOJ Rule because of paranoia. It created it because this pipeline represents a documented national security threat.
Did I Consent to This When I Visited Lenovo’s Website?
▾
The lawsuit argues no. Lenovo did not provide clear or conspicuous notice that browsing its website would route communications to foreign entities. The tracking technologies activated automatically during page load, before any user interaction or opportunity to consent. Even Lenovo’s Privacy Policy, which does mention data transfers to China, describes protections that the DOJ Rule explicitly deems inadequate. The lawsuit contends that no valid consent was obtained under applicable law, including the federal Wiretap Act and California’s Invasion of Privacy Act. Simply having a privacy policy does not constitute consent, particularly when the policy describes practices that fall short of what federal law now requires.
Who Is at Greatest Risk from This Kind of Data Exposure?
▾
Everyone is affected, but some people face acute danger. The complaint specifically names judges, military personnel, journalists, politicians, and dissidents as high-value targets. A behavioral profile compiled from browsing activity, purchase history, device identifiers, and location data can reveal financial stress, political affiliation, personal relationships, and psychological vulnerabilities. For someone in a sensitive government or military role, that profile is a roadmap for coercion. For a journalist covering China or a dissident with family in China, it is potentially a life-threatening exposure. This is why the DOJ Rule was created and why the government described the underlying threat as “unusual and extraordinary.”
What Can I Do to Protect Myself Right Now?
▾
Use a privacy-respecting browser (Firefox with uBlock Origin is free and highly effective) to block third-party tracking scripts. Avoid visiting the websites of companies with known data-transfer arrangements with Chinese entities when browsing casually. Use a VPN from a reputable, non-Chinese provider to mask your IP address. Opt out of advertising ID tracking on your phone (both iOS and Android have settings for this). Contact your congressional representatives and demand stronger enforcement of the DOJ Rule, increased penalties for violations, and mandatory transparency disclosures when companies transfer data to countries of concern. You can also sign onto the class action or monitor its progress at ClassAction.org if you visited lenovo.com after April 8, 2025.
Why Did Lenovo Continue After the Rule Took Effect?
▾
The lawsuit argues it was a deliberate business decision, not an oversight. Lenovo participated in the rulemaking process. Its industry group lobbied for exemptions that were rejected. Its own annual reports acknowledged the legal risk of cross-border data transfers. The cost of compliance, including implementing data minimization, encryption, access controls, and documentation requirements, is substantial. Continuing the transfers avoids those costs and preserves the commercial value of the data pipeline to Lenovo Group. The alleged decision to prioritize profit over legal compliance and consumer privacy, after being warned by federal regulators for nearly a decade, is the core of the case against the company.
Is Lenovo the Only Company Doing This?
▾
No. Lenovo is one of the most prominent examples because of its Chinese state-linked ownership structure, but the broader problem extends to any company with corporate operations subject to Chinese jurisdiction that also operates consumer-facing platforms in the United States. The DOJ Rule targets an entire category of data flow, not just one company. The difference with Lenovo is the directness of its state ties: its parent company’s largest shareholder traces back to an institution established by the Chinese Academy of Sciences, a state body. This is not a distant or theoretical relationship with the Chinese government. It is a documented, structural one.
💡 Explore Corporate Misconduct by Category
Corporations harm people every day — from wage theft to pollution. Learn more by exploring key areas of injustice.
- 💀 Product Safety Violations — When companies risk lives for profit.
- 🌿 Environmental Violations — Pollution, ecological collapse, and unchecked greed.
- 💼 Labor Exploitation — Wage theft, worker abuse, and unsafe conditions.
- 🛡️ Data Breaches & Privacy Abuses — Misuse and mishandling of personal information.
- 💵 Financial Fraud & Corruption — Lies, scams, and executive impunity.
