The Non-Financial Ledger

Imagine you walk into a store to buy a computer. You browse the shelves. You pick up a box, read the back, put it down. You look at a gaming setup and think, maybe next paycheck. You eventually buy the one you wanted. You leave. Normal, right?

Now imagine that every single second you were in that store, a network of invisible cameras and microphones was recording not just what you looked at, but exactly how long you looked at it, what it said about your financial situation, what it suggested about your habits, your interests, your location, your identity. And the store, instead of keeping that recording locked in a back room, was sending a copy of it to a foreign government’s intelligence apparatus before you even made it to the parking lot.

That is what Lenovo did. Every time you visited Lenovo.com, the website loaded dozens of tracking scripts the moment your browser connected, before you clicked anything, before you read a word. Those scripts grabbed your IP address, your device identifiers, your advertising IDs, your cookie data, the exact URL of every page you visited, the specific product you looked at, and the full context of your browsing session. They did not ask. There was no pop-up that said “your data will be sent to Beijing.” There was no clear opt-out.

For Spencer Christy, the named plaintiff in this class action, the violation is concrete and specific. He visited Lenovo.com in November and December of 2025. He was shopping for a gaming computer. He searched for a discounted Legion Tower 7i Gen 10. He bought one. And while he was doing all of that, Lenovo’s tracking infrastructure was building a detailed picture of him: what he wanted, what he could afford, what he was willing to pay, where he was located, and what device he was using to browse. That picture was then sent, without his knowledge or consent, to the Lenovo Group in China.

The lawsuit describes what that data can do in the wrong hands with clinical precision, but the human meaning of it is this: a government that the United States has officially classified as an adversary now has a file on you. It knows your browsing habits. It can infer your financial situation. It can identify whether you work in a sensitive role: a journalist, a judge, a soldier, a politician, an activist. And if it wants to use that information to pressure you, coerce you, or embarrass you, it has everything it needs to start.

You did not agree to that. You bought a laptop, or you almost did. You should not have had to think about national security to make that decision.

The people caught in this data sweep are not abstract statistics. They are the 13.35 million U.S.-based devices that visited Lenovo.com in December 2025 alone. They are people who needed a new ThinkPad for work, people who saved up for a gaming rig, people who were just comparing prices. They trusted that browsing a commercial website was a private act. It was not. And Lenovo, which knew this was happening and knew it violated federal law, kept the tracking infrastructure running anyway.

The betrayal at the center of this story is not complicated. Lenovo sells itself as a consumer technology company. It builds its business on the trust of American buyers. Then it takes the data those buyers generate while shopping and hands it to an entity that is legally obligated to cooperate with Chinese government surveillance requests. The law that prohibits this has been in force since April 8, 2025. Lenovo ignored it.

Legal Receipts

These are direct quotes from the court filing and from Lenovo’s own corporate documents. Read what Lenovo admitted and what the lawsuit charges.

“Lenovo knowingly and systematically used communications and associated covered personal identifiers intercepted from American citizens for the purpose of sharing U.S. consumers’ data with covered persons without the safeguards required by U.S. law.” — Christy v. Lenovo (United States) Inc., Class Action Complaint, ¶ 12 (Feb. 5, 2026)

• This charge is not about a technical glitch or a policy oversight. The word “knowingly and systematically” establishes that the lawsuit is pursuing intentional conduct, which matters for punitive damages and for triggering the crime-tort exception that removes Lenovo’s consent defense under federal wiretapping law.
• The phrase “without the safeguards required by U.S. law” points directly at the DOJ’s Bulk Sensitive Data Transfer Rule, which mandates specific cybersecurity controls, data minimization, encryption, and access restrictions. Lenovo’s only stated safeguard was contractual clauses, which the Rule explicitly does not accept as sufficient.

“Lenovo admits in its Website’s Privacy Policy that it transfers users’ personal information to the Lenovo Group and the People’s Republic of China… The Website’s Privacy Policy purports to safeguard personal information transferred to China only by maintaining agreements and standard contractual clauses that govern the transfer, processing and protection of personal information.” — Christy v. Lenovo (United States) Inc., Class Action Complaint, ¶¶ 78–79 (Feb. 5, 2026)

• This is Lenovo’s own privacy policy being used as evidence against it. Lenovo published a statement admitting data flows to China. That admission is now a central exhibit in a federal class action.
• Standard contractual clauses are a mechanism accepted in European privacy law. The DOJ Rule operates on a different legal standard and requires affirmative technical controls, not paper agreements. A contract cannot stop Chinese law from compelling disclosure to the state.

[Risk disclosure from Lenovo Group Annual Report, cited in ¶ 87 of the complaint]: “The risk that there are instances of non-compliant collection, processing, use, retention, sharing, cross-border transfer, and protection of proprietary, confidential, and personal (customer, supplier, employee), user or device-identifiable data, leading to violations of applicable privacy, security, and data protection laws and regulations.” — Lenovo Group 2023 Annual Report, cited in Christy v. Lenovo, ¶ 87

• Lenovo Group disclosed this risk to its investors in a public annual report. It knew that its cross-border data operations might be violating data protection laws. It disclosed that risk to shareholders and then continued the operations anyway.
• This disclosure makes it nearly impossible for Lenovo to argue it was unaware of its legal exposure. In litigation, admissions of known legal risk made in regulatory filings are powerful evidence of the “knowing” element required by most of the statutes named in this lawsuit.

“Lenovo [Group] collects and manages personally identifiable information (PII) and other sensitive data across its global operations. The Group is subject to a range of data privacy laws and security regulations that govern the collection, use, cross-border transfer, and retention of such information.” — Lenovo Group 2025 Annual Report, cited in Christy v. Lenovo, ¶ 88

• As recently as the 2025 annual report, Lenovo Group was acknowledging that its global data operations are subject to cross-border transfer regulations. The DOJ Rule had been in force since April 2025. The failure to comply is therefore not a legacy issue: it was ongoing through the period covered by the 2025 report.
• The combination of the 2023 and 2025 disclosures creates a two-year paper trail of Lenovo Group acknowledging these risks and, according to the lawsuit, doing nothing adequate to address them.

“The impetus for the DOJ Rule was that the U.S. government determined that the export of Americans’ behavioral data to hostile foreign regimes or entities under their jurisdiction constitutes an ‘unusual and extraordinary threat… to the national security and foreign policy of the United States that has been repeatedly recognized across political parties and by all three branches of government.'” — Christy v. Lenovo, ¶ 3, quoting U.S. DOJ press release, Apr. 11, 2025

• The “unusual and extraordinary threat” language is the same language used to invoke emergency national security powers. Its inclusion in the DOJ’s own press release establishes the seriousness of the regulatory context Lenovo chose to ignore.
• The phrase “repeatedly recognized across political parties and by all three branches of government” is significant because it forecloses any argument that this is a partisan or contested regulatory environment. Lenovo had no plausible cover of regulatory ambiguity.

“These laws require Chinese companies and individuals to secretly cooperate with government surveillance efforts and to grant authorities unrestricted access to private user data.” — Christy v. Lenovo, ¶ 29, describing China’s National Intelligence Law, Cybersecurity Law, and Data Security Law

• The Lenovo Group is headquartered in Beijing and is subject to these three Chinese laws. The word “secretly” in this description is legally significant: Chinese law prohibits Chinese entities from disclosing to foreign parties that they have received government data demands. American users of Lenovo.com would have no way of knowing if their data was being accessed by Chinese authorities.
• This creates a structural impossibility for meaningful consent or transparency. Even if Lenovo wanted to tell users their data was being accessed by the Chinese government, Chinese law would forbid it from doing so.

How the Surveillance Pipeline Actually Works

The technical mechanics of this data transfer are designed to be invisible. Here is what actually happens the moment you open Lenovo.com.

• When your browser loads Lenovo.com, the page executes scripts from at least 55 third-party companies, identified through an independent audit of the site using The Markup’s Blacklight tool. These include tracking infrastructure from Index Exchange, Smaato, Criteo, FreeWheel, Tapad, PubMatic, The Trade Desk, Magnite, LiveRamp, Neustar, and dozens more, in addition to the widely known names like Facebook, Google, TikTok, and Adobe.
• These scripts function as web beacons, pixels, software development kits, APIs, real-time bidding systems, and cookies. Each one is a small piece of code that runs automatically during your browser’s page-load process, before you have read a word or clicked anything.
• Each script captures specific data points: your IP address, which reveals your approximate location; your advertising ID, which is a persistent identifier tied to your device used across apps and websites; your cookie data, which links your current session to your past sessions; and the full URL of every page you visit, which reveals exactly what product you viewed, what discount you were looking for, and what your browsing path looked like.
• These identifiers are then transmitted in combination, which is the legal trigger for classification as “covered personal identifiers” under the DOJ Rule. A single IP address might be ambiguous. An IP address combined with a cookie ID, an advertising ID, a device fingerprint, and a full URL showing the exact product a specific person searched for is a precise, linkable profile tied to a real individual.
• Lenovo then transmits or grants access to these combined profiles to the Lenovo Group in China. Its own privacy policy confirms this. The stated safeguard, standard contractual clauses, does not meet the DOJ Rule’s requirements for restricted data transactions with covered persons, which mandate specific cybersecurity controls, data segmentation, encryption, access restrictions, and audit trails.
• The resulting profiles can be cross-referenced against other data sets to reveal details far beyond what any user would expect from a shopping session: behavioral patterns, psychological tendencies, financial situation indicators, location history, and potentially the ability to identify individuals in sensitive professional roles.

Societal Impact Mapping

Public Health and Personal Safety

The behavioral data collected by Lenovo’s tracking infrastructure creates risks that extend beyond financial harm into physical safety and psychological coercion.

• The lawsuit specifically identifies journalists, judges, military personnel, politicians, and political dissidents as individuals at elevated risk from this data exposure. These are people whose work or identity already places them in adversarial situations, and detailed behavioral profiles make it significantly easier to identify, surveil, or target them.
• Behavioral profiles built from browsing data can reveal financial vulnerabilities, psychological tendencies, and personal interests that can be used as leverage for coercion or blackmail. The complaint uses the word “blackmail” explicitly, and this is the language the DOJ used when justifying the Rule in the first place.
• The invisible and persistent nature of the tracking means affected individuals have no way to assess their own exposure, cannot take steps to mitigate harm they are unaware of, and cannot meaningfully consent to or refuse surveillance they do not know is happening.
• China’s National Intelligence Law legally prohibits Chinese entities from disclosing to foreign nationals that they have received government data demands. This means that if the Chinese government accessed any of this data, the people whose data was taken would have no legal pathway to learn that it happened.
• The aggregation of data across millions of users creates a population-level surveillance capability. At that scale, the data is useful for mapping social networks, identifying relationships between individuals, and building behavioral prediction models, uses that go far beyond any commercial purpose.

Economic Inequality

The commercial harms from this data collection fall disproportionately on ordinary consumers while the financial benefits flow upward to Lenovo and the broader Lenovo Group ecosystem.

• Lenovo avoided the significant costs of building a compliant, consent-based data infrastructure by simply not building one. The lawsuit frames this as “cost avoidance” in the unjust enrichment count: Lenovo gained a competitive advantage by cheating, while companies that invested in lawful data practices bore those costs honestly.
• The data captured from users has commercial value that users were never compensated for. The complaint describes personal data as having “exceptional value due to its predictive power and marketing utility,” and that value was extracted from users without their consent and without any payment in return.
• The California Purchaser Subclass, which covers people who actually bought products on Lenovo.com, faces a specific economic argument: they would not have made those purchases if they had known their privacy would be violated. Their money went to a company that was simultaneously exploiting their data.
• The class action covers people across the entire economic spectrum who bought or browsed Lenovo products, which range from budget laptops to enterprise servers. There is no income threshold that makes a person’s browsing data less valuable to a surveillance operation.
• The lawsuit seeks disgorgement of profits, meaning Lenovo would potentially have to return the financial benefit it received from the unauthorized data collection to the people it took that data from. This is a direct redistribution mechanism, but only if the lawsuit succeeds.

What You Were Told vs. What Was Actually Happening

The Cost of a Life Metric

What Now?

The lawsuit names Lenovo (United States) Inc. and reaches back to the Lenovo Group’s entire corporate structure. Here is who holds accountability and what you can do.

Corporate Leadership (Roles on Record in Filing)

• Lenovo (United States) Inc., principal place of business: 1009 Think Place, Morrisville, North Carolina 27560. This is the U.S. subsidiary named as defendant.
• Lenovo Group Limited: Parent company, incorporated in Hong Kong, principal corporate operations in Beijing, China. Subject to Chinese National Intelligence Law, Cybersecurity Law, and Data Security Law.
• Legend Holdings Corporation: Largest shareholder of Lenovo Group. Beijing-based. Founded by the Chinese Academy of Sciences, a state institution of the People’s Republic of China.
• Chinese Academy of Sciences Holdings Co., Ltd.: Retains ownership, governance rights, and strategic influence over Legend Holdings. State-controlled entity of the PRC.

Regulatory Watchlist

• U.S. Department of Justice, National Security Division: The DOJ is the agency responsible for enforcing the Bulk Sensitive Data Transfer Rule (28 C.F.R. Part 202). It can pursue civil and criminal enforcement action against U.S. companies that violate the Rule. Contact the DOJ at www.justice.gov/nsd.
• Cybersecurity and Infrastructure Security Agency (CISA): CISA wrote the technical security requirements that companies must follow when engaging in restricted data transactions. It has authority to investigate noncompliance. Contact CISA at www.cisa.gov.
• Federal Trade Commission (FTC): The FTC has jurisdiction over deceptive and unfair business practices, including privacy policy misrepresentations. Lenovo’s privacy policy claimed compliance while admitting conduct the DOJ Rule prohibits. File complaints at www.ftc.gov/complaint.
• California Attorney General: California’s Unfair Competition Law (Bus. & Prof. Code § 17200) and the California Invasion of Privacy Act are state enforcement mechanisms. The California AG can bring independent enforcement actions. Contact at oag.ca.gov.
• U.S. House Select Committee on the Chinese Communist Party: This committee has already written to institutions about Lenovo’s CCP ties in 2023. Constituent pressure can prompt additional oversight hearings and investigations. Contact your representative at www.house.gov/representatives/find-your-representative.

What You Can Do

• If you visited Lenovo.com on or after April 8, 2025, you may be a member of the Nationwide Class. Contact Almeida Law Group LLC at david@almeidalawgroup.com or victor@almeidalawgroup.com, or search classaction.org for the case Christy v. Lenovo (United States) Inc. to monitor its progress.
• Use a privacy-focused browser extension such as uBlock Origin or Privacy Badger to block tracking scripts on corporate retail sites. These tools can interrupt the exact type of real-time bidding and pixel tracking described in this complaint.
• Demand that your local library, school, community organization, or employer conduct an audit of what devices and software they use from companies with disclosed data transfer relationships with countries of concern. Lenovo equipment is widely used in educational and public sector settings.
• Support organizations working on digital rights and privacy enforcement: the Electronic Frontier Foundation (eff.org), the Electronic Privacy Information Center (epic.org), and the Center for Democracy and Technology (cdt.org) all work on the legal and policy issues this case raises.
• File a complaint with the FTC if you made a purchase on Lenovo.com after April 8, 2025. You can document the date of purchase, the product, and your location. That paper trail matters in regulatory proceedings.
• Talk to your neighbors, coworkers, and community members about this case. The class covers potentially millions of people who have no idea their data was sent to China. Awareness is the first step toward accountability.