Nigeria’s Data Regulator Opens Privacy Probe Into Temu’s Operations

Nigeria’s Data Protection Commission (NDPC) has opened a formal investigation into Temu’s data practices amid allegations that the fast-growing eCommerce platform may be violating the Nigeria Data Protection Act (NDP Act) 2023.

The inquiry, ordered by the National Commissioner and CEO, Dr. Vincent Olatunji, focuses on how Temu collects, processes, and transfers personal data belonging to Nigerian users. It follows rising concern over the platform’s handling of personal information in Africa’s largest internet market.

According to a February 16, 2025 press release, the NDPC is examining several aspects of Temu’s operations. Areas of scrutiny include:

• Allegations of online surveillance of users
• Possible lack of transparency in data processing
• Compliance with data minimisation principles
• The platform’s overall accountability and duty of care
• Protocols for cross-border transfers of Nigerian users’ data

Preliminary NDPC findings suggest that Temu processes the personal data of roughly 12.7 million individuals in Nigeria. Globally, the platform is estimated to have about 70 million daily active users, underscoring the scale of its data operations and the potential impact of any regulatory action.

The Commission has framed the Temu probe as part of a broader effort to ensure that digital platforms treating Nigeria as a growth market also treat Nigerian data with what it calls appropriate safeguards under the NDP Act.

The Temu investigation is the latest in a series of assertive moves by Nigeria to enforce privacy and competition rules on global tech companies.

Under the current legal framework, the NDPC has reminded third-party processors—companies that handle data on behalf of others—that they must independently verify compliance with the NDP Act. Processors that participate in non-compliant activities risk being held directly liable under Nigerian law.

The Commission has become increasingly active since its establishment. In March 2025, it ordered investigations into TikTok and Truecaller over their data practices. By July 2025, it had imposed a ₦766.24 million fine on MultiChoice Nigeria after a year-long probe into intrusive data processing and illegal cross-border data transfers affecting both subscribers and non-subscribers.

Other regulators have also moved against major tech firms. In April 2025, Nigeria’s Competition and Consumer Protection Tribunal upheld a $220 million fine against Meta, parent company of WhatsApp and Facebook, for discriminatory and exploitative conduct. A separate NDPC fine of $32.8 million against Meta over behavioural advertising was later resolved via a consent judgment in October 2025, with Meta agreeing to specific corrective privacy measures for Nigerian users.

The NDPC frames these actions as part of a decisive shift away from what it sees as unchecked data harvesting. The Commission’s position is that growth strategies built on aggressive data exploitation are no longer acceptable in Nigeria’s digital economy.

Temu is also under pressure beyond Nigeria. In late 2025, South Africa’s National Consumer Commission (NCC) opened a formal investigation into Temu and Shein, focusing on compliance with the country’s Consumer Protection Act and raising concerns about the companies’ reliance on algorithms and data-mining to drive consumer engagement.

For global platforms, regulators’ actions in Nigeria and South Africa point to a tougher operating environment across key African markets, where authorities are more willing to challenge the data and algorithmic practices that underpin high-growth eCommerce and social platforms.

As the Temu case proceeds, its outcome is expected to signal how far Nigeria is prepared to go in enforcing “localised data ethics” and whether platforms that fall short will face steep fines or even effective exclusion from the market.