What happened
A proposed class action lawsuit filed by Almeida Law Group in the U.S. District Court for the Northern District of California alleges that Lenovo United States Inc. enabled bulk transfers of Americans’ sensitive data to entities tied to China through its website tracking and advertising infrastructure. The complaint claims Lenovo embedded tracking technologies such as pixels, scripts, cookies, and real-time bidding components on Lenovo.com that collected persistent identifiers including IP addresses, advertising IDs, and browsing activity. The lawsuit alleges this data, affecting more than 100,000 U.S. users, was transmitted or made accessible to Lenovo Group entities linked to China, potentially violating the U.S. Justice Department’s Data Security Program rules and federal and California privacy laws. The allegations remain unproven and will be contested in court.
Who is affected
U.S. users who interacted with Lenovo’s website on or after April 8, 2025, are affected, as their browsing data, identifiers, and electronic communications were allegedly collected and transferred as part of advertising and tracking operations.
Why CISOs should care
The lawsuit highlights regulatory and legal risks associated with cross-border data transfers involving website tracking and advertising technologies, particularly when sensitive user identifiers and behavioral data are involved.
3 practical actions
- Review cross-border data transfer practices. Ensure compliance with applicable regulations governing sensitive data transfers.
- Audit website tracking and analytics tools. Identify third-party tracking components that collect and transmit user identifiers.
- Assess compliance with privacy regulations. Verify that tracking, consent, and data handling mechanisms meet regulatory requirements.