Nigeria’s data protection watchdog has thrown down the gauntlet at one of the world’s fastest-growing e-commerce platforms. On Monday, February 16, the Nigeria Data Protection Commission (NDPC) ordered an immediate investigation into Temu, the Chinese-founded shopping app that has become ubiquitous across smartphones on the continent. The probe, signed off by NDPC National Commissioner and CEO Dr. Vincent Olatunji, could represent a watershed moment for digital regulation in Africa — and yet another bruising chapter in Temu’s increasingly fraught global regulatory story.
What Triggered the Investigation?
The NDPC’s action wasn’t sparked by a single incident. According to a statement from Babatunde Bamigboye, the Commission’s Head of Legal, Enforcement and Regulations, the investigation was triggered by a cluster of concerns that together paint a picture of a platform that may have scaled aggressively in Nigeria without adequately scaling its compliance infrastructure alongside it.
Specifically, the Commission is scrutinising Temu over six key areas: online surveillance through personal data processing, accountability, data minimisation, transparency, duty of care, and cross-border data transfers. That last item is arguably the most consequential. When a Nigerian consumer’s shopping habits, device identifiers, payment metadata, and location history flow to servers outside Nigeria — potentially to China, where Temu’s parent company PDD Holdings is headquartered — the legal and geopolitical implications become significantly more complex.
Preliminary findings from the NDPC indicate that Temu currently processes the personal data of approximately 12.7 million Nigerians. Globally, the platform boasts around 70 million daily active users, underscoring just how much data is churning through its systems at any given moment.
Why This Matters for Nigeria
Nigeria is no regulatory backwater. With the Nigeria Data Protection Act (NDP Act) enacted in 2023, the country built one of the continent’s most comprehensive data privacy frameworks — and the NDPC has been increasingly willing to use it with force.
The Commission fined Fidelity Bank ₦555.8 million in 2024 for data breaches, and followed that up with a landmark ₦766.24 million penalty against MultiChoice Nigeria in 2025 after finding the pay-TV giant engaged in intrusive data processing of both subscribers and non-subscribers. The NDPC also ordered a compliance audit of all MultiChoice data collection channels in Nigeria following that ruling.
Under the NDP Act, companies found guilty of serious violations face fines of up to 2% of their Annual Gross Revenue or ₦10 million, whichever is higher. For a company of Temu’s scale, that figure could be substantial. More critically, persistent non-compliance could ultimately result in a ban from operating in Nigeria altogether — a market the platform has clearly bet big on.
Temu only entered the Nigerian market in late 2024, arriving with an intense marketing blitz across social media and mobile app stores. Its rapid user acquisition — going from zero to 12.7 million data subjects in a matter of months — is precisely what has drawn regulatory eyes.
The NDPC also issued a notable warning to third parties: processors who handle data on behalf of platforms like Temu, without first verifying that those platforms comply with the NDP Act, may themselves be held liable. That’s a direct shot across the bow at local logistics companies, payment processors, and other Nigerian businesses plugged into Temu’s supply chain.
Temu’s Growing Global Regulatory Nightmare
What’s happening in Nigeria is not happening in isolation. Temu has found itself at the center of a widening global regulatory storm that raises fundamental questions about how the platform collects, stores, and monetises user data.
In the United States, Arkansas became the first state to sue Temu in June 2024, with Attorney General Tim Griffin alleging the app functions effectively as “dangerous malware,” accessing sensitive device data without proper user consent. Multiple other states have since followed — Nebraska and Kentucky among them — with lawsuits alleging violations of consumer protection and data privacy laws, and raising concerns about Temu’s ties to China’s PDD Holdings and the possibility that data could be shared with Chinese government agencies.
In Europe, the story is equally turbulent. The EU designated Temu a Very Large Online Platform (VLOP) under its Digital Services Act in May 2024, triggering the most stringent compliance obligations in the bloc. The European Commission opened formal proceedings against Temu in October 2024 and preliminarily found the platform in breach of the DSA in mid-2025, citing a “high risk” that consumers would encounter illegal products on the marketplace. The Commission called Temu’s October 2024 risk assessment “inaccurate,” noting it relied on generic industry information rather than platform-specific data. DSA violations can carry fines of up to 6% of global annual revenue.
South Africa has also joined the growing chorus of concern. In late 2025, the country’s National Consumer Commission launched a formal investigation into both Temu and Shein, examining their compliance with the Consumer Protection Act and their use of algorithms and data-mining techniques to drive consumer engagement.
The pattern is clear: regulators across three continents have independently arrived at similar concerns about the same platform.
The Data Question That Underlies Everything
At the core of every investigation into Temu is an uncomfortable question that regulators and analysts keep asking: what is the real business model here?
Temu’s pricing often defies economic logic for a conventional retailer. The platform is widely understood to subsidise shipping heavily, sometimes selling products below cost. Some analysts have suggested that the platform’s true long-term asset isn’t its inventory — it’s the granular, behavioural data it accumulates from hundreds of millions of users. Identity information, browsing history, purchase patterns, device fingerprints, IP addresses, payment metadata — for a platform handling 12.7 million Nigerian users’ data alone, that is an extraordinarily valuable dataset.
The Center for Strategic and International Studies (CSIS) raised red flags in 2024 about the potential for PDD Holdings — Temu’s parent — to share user data with Chinese government agencies under Chinese law, adding a geopolitical dimension to what might otherwise be treated as a straightforward consumer data dispute.
Temu has consistently denied wrongdoing. Following a 2024 claim by a hacker alleging the theft of 87 million user records, Temu conducted an internal investigation and stated it found no match between the sample data published and its own user records. The company has not, as of publication, issued a response to the NDPC’s probe.
Africa’s Regulatory Moment
The NDPC’s investigation into Temu arrives at an inflection point for digital regulation across the African continent. Nigeria, as the continent’s largest internet market, is increasingly asserting what commentators are calling digital sovereignty — the right to set the terms on which foreign technology companies may access and process the data of its citizens.
The commission has made clear that scale will not be treated as a shield. If anything, the 12.7 million Nigerians whose data Temu processes represent a magnitude of exposure that demands proportionately rigorous scrutiny, not less.
No timeline has been announced for the conclusion of the investigation. What is certain is that the outcome will reverberate well beyond Temu. Every e-commerce platform, fintech, and digital services company operating or eyeing expansion in Nigeria is now watching this case carefully. A decisive enforcement action would send an unambiguous signal: Africa’s largest economy has both the legal architecture and the regulatory appetite to hold global tech giants accountable.
The era of growing first and complying later may be coming to an abrupt end in Nigeria.
