TL;DR: On February 5, 2026, a California man filed a class action lawsuit against Lenovo, alleging the company's U.S. website funnels consumer data (IP addresses, device IDs, browsing behavior) to its Chinese parent company through third-party tracking tools. The lawsuit invokes a DOJ rule that took effect in April 2025, which bans bulk transfers of sensitive American data to China, Russia, and four other adversary nations. Lenovo is the third company sued under this rule. Microsoft subsidiary Xandr and ad-tech firm Index Exchange were hit with similar suits for allegedly sending data to Temu. Civil penalties run up to $368,136 per violation. Criminal penalties: up to $1 million and 20 years in prison.

The Lawsuit

Spencer Christy filed the complaint in the U.S. District Court for the Northern District of California. The allegation is straightforward: when you visit Lenovo's website, tracking tools embedded in the page collect your IP address, advertising IDs, device IDs, and cookie data. That information then flows through automated advertising systems to Lenovo Group, the Chinese parent company headquartered in Beijing [1].

That data pipeline, the suit argues, violates both the DOJ's Bulk Data Transfer Rule and the Electronic Communications Privacy Act. The tracking tools intercept your browsing activity and route it to an entity in a "country of concern" without your knowledge or consent [2].

Lenovo responded that it "takes data privacy and security seriously and complies with all applicable data protection laws and regulations globally, including stringent U.S. requirements" [1]. That's a standard denial. The court will decide if it holds up.

The Rule That Changed the Game

The DOJ's Bulk Data Transfer Rule (28 C.F.R. Part 202) went into effect on April 8, 2025. It implements Executive Order 14117, signed by Biden in February 2024, which restricts the transfer of Americans' sensitive personal data to six designated "countries of concern": China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela [3].

The rule covers several categories of data:

  • Geolocation data on 1,000+ U.S. devices
  • Biometric identifiers on 1,000+ U.S. persons
  • Personal health data on 10,000+ U.S. persons
  • Personal financial data on 10,000+ U.S. persons
  • Genomic data on 100+ U.S. persons
  • Certain covered personal identifiers on 100,000+ U.S. persons

Some transfers are outright prohibited. Others are "restricted," allowed only with specific security measures. The penalties aren't trivial: civil fines up to $368,136 per violation, or twice the transaction amount. Willful violations can bring criminal charges: up to $1 million in fines and 20 years in prison [3].

The rule was designed to stop foreign intelligence services from vacuuming up American data through commercial channels. But the lawsuits now being filed show it has a second life: as a consumer class action weapon.

Lenovo Isn't the First

Lenovo is the third company to face a class action under this rule. The first two were filed on the same day, September 2, 2025 [2]:

  • Porcuna v. Xandr, Inc. (Northern District of California): Xandr is a Microsoft subsidiary that runs a digital advertising platform. The suit alleges Xandr's tracking technology sent American consumer data to Temu, the Chinese e-commerce app owned by PDD Holdings.
  • Baker v. Index Exchange, Inc. (Northern District of Illinois): Index Exchange is a supply-side advertising platform. Same allegation: tracking tools funneling data to Temu.

The pattern across all three cases is identical: a company embeds tracking pixels, SDKs, or tag managers on its website. Those tools collect user data: IP addresses, device fingerprints, browsing behavior. The data flows through ad-tech intermediaries and ends up accessible to entities in China [2].
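For a site operator who wants to see this pattern on their own pages, the following added example (not from the complaints or any company named here) inventories third-party destinations in a browser HAR export and notes which identifiers each one receives. The parameter-name list, the two-label domain shortcut, and every host in the sample are assumptions or constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed query-parameter names that often carry identifiers (illustrative, not exhaustive).
ID_PARAMS = {"uid", "user_id", "device_id", "idfa", "gaid", "cid"}

def site_of(host):
    """Naive registrable domain: last two labels. Use a Public Suffix List in practice."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def third_party_flows(har, first_party):
    """Map each third-party site to the kinds of identifiers sent to it."""
    flows = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        site = site_of(parts.hostname or "")
        if not site or site == site_of(first_party):
            continue  # skip first-party and malformed URLs
        kinds = flows.setdefault(site, set())
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in ID_PARAMS:
                kinds.add("param:" + name.lower())
        headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
        if headers.get("cookie"):
            kinds.add("cookie")
        if urlsplit(headers.get("referer", "")).path not in ("", "/"):
            kinds.add("referer-path")  # the page URL reveals browsing behavior
    return flows

def report(har, first_party):
    """Sorted, printable view of third_party_flows()."""
    flows = third_party_flows(har, first_party)
    return {site: sorted(kinds) for site, kinds in sorted(flows.items())}

# Constructed sample HAR; all hosts and values are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.shop.example/laptops", "headers": []}},
    {"request": {"url": "https://px.adtech-one.example/p.gif?uid=abc123&ev=view",
                 "headers": [{"name": "Cookie", "value": "tid=9f"},
                             {"name": "Referer", "value": "https://www.shop.example/laptops"}]}},
    {"request": {"url": "https://tags.tagmgr.example/t.js?id=TM-1", "headers": []}},
    {"request": {"url": "https://sync.adtech-two.example/match?device_id=d-77",
                 "headers": [{"name": "Referer", "value": "https://www.shop.example/"}]}},
]}}

if __name__ == "__main__":
    for site, kinds in report(SAMPLE_HAR, "www.shop.example").items():
        print(site, kinds or ["(no identifiers seen)"])
```

Every host in the output also sees the visitor's IP address simply by receiving the request, so a destination with no flagged identifiers is still a data recipient. A HAR shows only the browser's first hop, not any server-side forwarding that happens afterward.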

These are, by all indications, the first private lawsuits to use the Bulk Data Transfer Rule as a basis for class action claims. That makes them test cases for whether a national security rule can double as a consumer privacy tool.

Why This Matters for You

Here's the problem nobody talks about: ad-tech tracking doesn't stay where you think it stays.

When you visit a website (any website) the tracking tools embedded in the page collect data about you and fire it into a real-time bidding system. That system broadcasts your information to hundreds of potential ad buyers in milliseconds. Some of those buyers, or the platforms they operate on, are based in or connected to countries the U.S. government considers adversaries [2].

You didn't agree to send your IP address to Beijing. But the ad-tech pipeline doesn't ask. A pixel fires, your data enters the stream, and the DOJ says that stream now runs into restricted territory.

Lenovo is a massive company. It sells more PCs than any other manufacturer on the planet. If its website tracking tools are routing data to China through ad-tech systems, the same is almost certainly true for hundreds of other companies with Chinese parent companies, subsidiaries, or advertising partners.

Lenovo's Track Record

This isn't Lenovo's first privacy problem. In 2015, the FTC and 32 state attorneys general took action against Lenovo for preinstalling Superfish adware on consumer laptops. Superfish injected ads into browser sessions and used a self-signed root certificate that broke HTTPS encryption, effectively creating a man-in-the-middle vulnerability on every affected machine [4].

Lenovo settled with the FTC in 2017, agreeing to a 20-year program requiring the company to get user consent before preinstalling adware and to submit to third-party security audits. The settlement also prohibited Lenovo from misrepresenting the security features of its software [4].

The new lawsuit doesn't reference Superfish directly, but the complaint notes Lenovo's membership in the Information Technology Industry Council, suggesting the company should have been well aware of data-transfer obligations [1].

The Bigger Picture: Ad-Tech as a National Security Threat

The intelligence community has been warning about this for years. In 2024, the NSA and ODNI published guidance noting that commercially available data, the kind collected by ad-tech tracking, can reveal "sensitive and intimate details about individuals" and "poses significant risks to privacy and civil liberties" [3].

Senator Ron Wyden has repeatedly flagged the ad-tech pipeline as a surveillance backdoor. Real-time bidding data has been purchased by data brokers and resold to government agencies, foreign intelligence services, and anyone willing to pay. The DOJ's rule was supposed to shut one end of that pipeline: the end that leads to adversary nations.

These lawsuits are testing whether "supposed to" becomes "actually does."

What You Can Do

Block Third-Party Trackers

Use uBlock Origin or a similar content blocker to prevent tracking pixels from firing. Firefox with Enhanced Tracking Protection blocks most of these by default.

Use a Privacy-Focused Browser

Brave, Firefox, and Tor Browser block or limit ad-tech tracking. Chrome does not. Google's business model depends on it.

Check Your Devices

If you own a Lenovo laptop or PC, review what software came preinstalled. Check for analytics tools or "customer experience" programs that phone home. Disable what you don't need.

Use a VPN

A VPN masks your IP address from tracking tools. It won't stop all data collection, but it removes one of the identifiers these lawsuits specifically cite.

What Comes Next

The Lenovo case is still in its early stages. Class certification hasn't been decided. But the legal theory is now established: if a company's website tracking sends American data to an entity in a country of concern, that's a potential violation of federal law, one that can be enforced by private plaintiffs, not just the DOJ.

That opens the door to lawsuits against any company with Chinese-connected ad-tech. TikTok, Shein, AliExpress, and every app or website that uses Chinese-linked advertising infrastructure could face the same claims. The Xandr and Index Exchange suits show that even American companies can be targeted if their ad-tech pipeline touches China through intermediaries like Temu.

The DOJ built the rule to protect national security. Plaintiffs' lawyers are turning it into a class action engine. Whether that's the right tool for the job, the courts will decide. But for the first time, there's a federal rule that says sending your data to China isn't just shady, it's potentially illegal. And regular people can sue over it.

Sources

  1. Bloomberg Law: Lenovo Hit With Suit for Breaking US Bulk Data Transfer Rule (February 5, 2026)
  2. Hunton Andrews Kurth: Plaintiffs Allege Violation of Bulk Data Transfer Rule in Class Actions (February 2026)
  3. Jackson Lewis: The DOJ Bulk Data Transfer Rule: Are You Subject to It and What Does It Require?
  4. FTC: In the Matter of Lenovo, Inc. (2017)