Legal and consumer experts have expressed concerns about a cash giveaway by e-retailer, Temu.
Participants in the promotion – which has gone viral on social media – receive up to £50, but have to agree to permanently hand over considerable amounts of personal data.
Experts say that is potentially “problematic”. The data regulator says it is considering such concerns. But Temu insists what it is doing is standard industry practice.
What is Temu's campaign?
Temu's giveaway gives new users 24 hours to sign up other people using a shareable link in order for them to each receive a cash reward of between £40 and £50 – paid to their PayPal accounts – or in Temu store credit.
Existing Temu account holders can also participate, but appear to have to reach a higher threshold for such rewards.
Thousands of users eager to cash in on the promotion have been seen posting links across social media sites. But it has also been the subject of memes and posts scrutinising the rules.
The section receiving the most scrutiny states that “except to the extent prohibited by applicable law”, participants give the company consent to use and publish their “photo, name, likeness, voice, opinions, statements, biographical information, and/or hometown and state” for advertising or promotional purposes.
It adds this can take place in any media worldwide and “in perpetuity” – meaning with no fixed end date.
One such post on X (formerly Twitter) with screengrabs of the campaign's usage and publicity rules has been viewed more than two million times, according to the platform's metrics. A number of other X users claimed the rules would allow Temu to sell their data or even create deepfake adverts – though those claims have been strenuously denied by the retailer.
“Temu gathers user information solely for the purpose of delivering our service and to enhance customer experience,” the fast growing, Chinese-owned retailer told the BBC in a statement.
A spokesperson for Temu said giveaways were commonplace across many firms and different industries – citing its e-commerce rival Shein as an example of a firm running promotions with “nearly identical terms and conditions”.
“If these standard terms and conditions for run-of-the-mill promotional activities are newsworthy, then we urge you to be fair and report on their use by other companies instead of singling out Temu,” they added.
Sensitive data
Experts though have raised concerns about the terms of the promotion.
“Giving away permission for Temu to use your ‘voice' and ‘biographical information' will understandably concern its customers,” said Lisa Webb, Which? consumer law expert.
“These offers are going viral on social media, including to young people, but consumers should definitely consider whether they are comfortable giving this sensitive data away in return for cash.”
She added that “while Temu isn't the first platform to excessively hoover up data, there are definite question marks over whether requesting permission for personal data to be used ‘worldwide' is proportionate in any circumstances.”
Jonathan Kirsop, data protection partner at law firm Pinsent Mason, told BBC News it was not a wording he had seen used commonly before and the activity implied may be “problematic”. He said it could fall foul of UK data protection rules, which require user consent to be freely given, specific and able to be withdrawn in order for it to be relied upon as a reason for data processing.
“While not always prohibited, making the provision of services conditional on a consent to the use of personal data will often be unlawful on the basis the user may not be considered to have a free choice in delivering that consent, particularly where the data concerned is sensitive, such as biometric data,” he said.
The use of voice data – which is considered biometric data under the UK's General Data Protection Regulation (GDPR) – has a higher threshold for lawful use and consent in the UK because it carries greater risks, he added.
The data regulator, the Information Commissioner's Office, said it was “aware of reports about Temu” and was “considering the concerns raised.”
In a statement it added: “Organisations must be clear and transparent about how and why they collect and use people's personal information, and ensure people can make a fully informed decision as to whether to hand over their data.”
Awais Rashid, professor of cyber security at the University of Bristol, told BBC News that apps collecting a lot of data – often more than they actually need from users – had become commonplace.
He said this, as well as cash incentives or long, sometimes “indecipherable” privacy policies and terms, can make the decision more difficult and imbalanced when deciding whether or not we as individuals should part with our data to use a service.
“Whenever there is such a deal being offered we must always look at: what is the consequence of this, and how much of our data is going to be collected, how it is going to be used, and are we comfortable with that?” he said.