The Rise of Class Actions in Data Protection: What Companies Should Expect
Class action lawsuits are on the rise, and laws such as the European Union's (EU) Directive 2020/1828 make it easier for consumers to bring collective action against companies that breach EU privacy and data protection laws.
This article explains what data protection class actions are, the role of Directive 2020/1828, common triggers behind data protection class actions, their legal and financial impact, and how businesses can limit their risk.
On this page
- 1. What Are Data Protection Class Actions?
- 2. Why Are Data Protection Class Actions on the Rise?
- 3. What Is Directive 2020/1828 (RAD) and What Does It Require?
- 3.1. What Is a Qualified Entity?
- 4. What Can Trigger Data Protection Class Actions?
- 5. What Are the Potential Consequences of Data Protection Class Actions?
- 6. How Can Companies Reduce the Risk of Data Protection Class Actions?
- 6.1. Maintain a Privacy Policy
- 6.2. Choose a Lawful Basis for Processing Personal Data
- 6.3. Limit Processing of Personal Data
- 6.4. Ensure Third Parties Protect Personal Data
- 6.5. Keep Personal Data Secure
- 6.6. Conduct Data Protection Impact Assessments (DPIAs)
- 6.7. Appoint a Data Protection Officer (DPO)
- 6.8. Ensure Publicly Available Electronic Communications Services Are Secure
- 6.9. Get Consent
- 7. Summary
What Are Data Protection Class Actions?
A data protection class action is a collective lawsuit that is filed by a group of individuals who believe their privacy or data protection rights have been violated by an organization.
These lawsuits can result from issues such as data breaches, failure to protect personal information, unlawful sharing of personal data, failure to obtain valid consent, or excessive data collection.
Personal information is data that can be used to identify an individual (such as names, addresses, and ID numbers) and is protected by data protection and privacy laws such as the EU's General Data Protection Regulation (GDPR) and the ePrivacy Directive.
These laws require businesses that collect or process (use) personal information to take steps to protect the data, such as ensuring they have a valid legal reason for processing the data, providing notice of their data collection practices, and limiting the collection of data to that which is necessary to fulfill their purposes.
Article 1 of the GDPR states that it contains rules for processing personal data and protects individuals' rights and freedoms, particularly those regarding the protection of their personal data.
The privacy and data protection laws that apply to a company can depend on factors such as the location of the business and affected data subjects (individuals to whom personal data belongs), the type and size of the business, and the types and volume of personal data it processes.
For example, EU organizations that process personal data and companies located outside of the EU that offer goods or services to or track the behavior of individuals in the EU must comply with the GDPR, while the ePrivacy Directive applies to providers of publicly available electronic communications services via public networks (such as internet service providers), as well as website and app operators that use cookies or other tracking technology.
Article 3 of the GDPR explains that it applies to organizations within the EU that process personal data, as well as organizations located outside of the EU that offer goods or services to or monitor the behavior of EU data subjects.
Article 3 of the ePrivacy Directive explains that it applies to personal data that is processed for the purpose of providing publicly available electronic communications services via public networks.
Why Are Data Protection Class Actions on the Rise?
There are several reasons why data protection class actions are increasing, including:
- Globalization and an increase in online services
- Stronger privacy laws
- More public awareness of personal data rights
The National Law Review reported on a 2024 Lex Machina Consumer Protection Litigation Report that found that data protection class actions in the US are on the rise, with 2,040 data breach class actions filed in 2023, nearly triple the number filed in 2022.
Class actions in Europe are continuing to grow as well: the CMS European Class Action Report 2025 found that 97 class action claims were filed in 2024, and that 7% of those claims were data protection claims.
What Is Directive 2020/1828 (RAD) and What Does It Require?
The EU's Directive 2020/1828, also known as the Representative Actions Directive (RAD), makes it easier for consumers to take collective action when their privacy or data protection rights are violated.
The RAD came into force on December 24, 2020, and requires member states to have at least one procedural mechanism in place to enable consumers to seek collective redress if they have been harmed by a breach of certain EU consumer laws, including data protection and privacy laws like the GDPR and the ePrivacy Directive.
Article 1 of the RAD explains that it requires member states to provide a procedural mechanism that allows qualified entities to bring representative actions for both injunctive and redress measures.
Before the RAD, collective actions across member states were inconsistent and often limited. The RAD harmonized collective redress mechanisms, improving access to justice for consumers.
Now, companies that fail to comply with EU data protection and privacy laws can face both fines under existing regulations (such as the GDPR) and collective lawsuits under the RAD.
What Is a Qualified Entity?
A qualified entity is an organization or public body that represents consumers' interests and can file a lawsuit on behalf of a group of individuals, either within an EU country or across several member states.
The RAD requires EU member states to designate at least one qualified entity that can bring collective actions to seek injunctive or redress measures under the RAD framework.
An injunctive measure allows a court to order an organization to stop violating a law, such as processing data without consent.
If it is proven that an organization has harmed consumers, courts can also order redress measures. Article 3 of the RAD defines redress measures to include compensation, refund, repair, replacement, price reduction, or termination of a contract.
What Can Trigger Data Protection Class Actions?
Any time a company violates an EU privacy or data protection law that is within the scope of the RAD, it runs the risk of facing a data protection class action.
Annex I of the RAD lists the laws the framework applies to, including the ePrivacy Directive and the GDPR.
Potential triggers of data protection class actions can include:
- Data breaches. Data breaches can occur when cyberattacks, system vulnerabilities, or human error expose personal data. Data breaches can result in privacy violations, identity theft, and loss of consumer trust.
- Inadequate security measures. If an organization's failure to implement appropriate security measures (such as those required by Article 32 of the GDPR) harms consumers, the organization can face class actions, even if a data breach doesn't occur.
- Unlawful data processing. If an organization processes personal data unlawfully (such as without one of the legal bases required by Article 6 of the GDPR), qualified entities can bring a class action against the organization under the RAD.
- Failure to obtain consent. The GDPR requires organizations that rely on consent to process personal data to ensure that consent is freely given, specific, informed, and unambiguous. Similarly, Article 5(3) of the ePrivacy Directive requires organizations to get consent before storing information on, or accessing information already stored on, a user's device (cookies, local storage, tracking pixels, and similar), unless the storage or access is strictly necessary to provide a service the user has explicitly requested or is done solely to carry out the transmission of a communication. If an organization fails to get valid consent before processing personal data or before storing or accessing non-exempt cookies or tracking pixels, it could face collective litigation under the RAD.
- Unlawful data sharing or transfers. Chapter 5 of the GDPR requires appropriate safeguards for personal data that is transferred outside of the EU. An organization may face class actions under the RAD if its failure to implement appropriate safeguards causes harm to consumers.
- Failure to respond to data subject requests. Chapter 3 of the GDPR provides data subjects certain rights regarding their personal data, including the rights to access, delete, or correct personal data. Failure to respond to data subject requests within the required time frame can potentially result in class actions.
- Excessive data collection. Article 5 of the GDPR requires personal data to be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. Collecting more than that breaches the GDPR's data minimization principle, and qualified entities could bring a collective action against an organization if the violation harmed multiple individuals.
- Failure to notify data subjects of privacy practices. Article 13 of the GDPR (and Article 14, where the data was not obtained from the data subject) requires organizations to provide data subjects with certain information, including the identity and contact details of the data controller (the entity that decides how and why to process personal data) and of the data protection officer (DPO), the purposes of the processing, and its legal basis, among other information. If multiple individuals are affected by a failure to provide this information, an organization could face a collective action.
What Are the Potential Consequences of Data Protection Class Actions?
A class action lawsuit brought against a company can result in legal, financial, and reputational consequences for the business.
Potential consequences of data protection class actions can include:
- Interruptions to business operations. A court or administrative authority can order an organization to stop a noncompliant processing practice (an injunctive measure under the RAD), and a supervisory authority can separately impose a temporary or permanent ban on processing under the GDPR. Either can disrupt day-to-day business operations.
- Reputational damage. When word gets out that an organization has been hit with a class action lawsuit due to its data processing practices, it can harm the organization's reputation and lead to lost business.
- Financial repercussions. Courts can order organizations that have harmed consumers to pay compensation or offer refunds, repairs, or replacements. In addition, organizations may be required to pay regulatory fines for violating the GDPR.
A recent example of how costly data protection class actions can be is the US class action brought against Google and the app developer Flo Health. The class action claimed that the companies violated the privacy of Flo app users by collecting data about users' menstrual health cycles and then using that information for targeted advertising purposes. Google and Flo Health will pay $56 million to settle.
In another case, Community Care Alliance, a nonprofit healthcare provider, agreed to pay a $1.09 million data breach settlement to customers affected by a data leak that exposed sensitive personal information, including Social Security numbers.
How Can Companies Reduce the Risk of Data Protection Class Actions?
Taking steps to comply with the GDPR and the ePrivacy Directive, such as maintaining a Privacy Policy and limiting data processing, can help your company prevent data protection class actions under the RAD.
Maintain a Privacy Policy
A Privacy Policy is a legal document that explains how you handle people's personal data and how they can exercise their privacy rights.
Maintaining a clearly written, regularly updated, and easily accessible Privacy Policy can help you comply with several privacy and data protection laws, including the GDPR.
A GDPR-compliant Privacy Policy should include the following clauses:
- The identity and contact information of your organization, representative, and DPO (if applicable)
- What personal data you collect and process
- Your reasons, legal basis, and legitimate interests (if applicable) for processing personal information
- Third parties you share personal data with
- Whether you transfer personal data to a third country and what safeguards are implemented
- How long you retain personal data
- A list of data subjects' privacy rights, including the right to withdraw consent and file a complaint with a supervisory authority
- Whether the personal data is part of a statutory or contractual requirement and the potential consequences of not providing the data
- Whether your organization relies on automated decision-making (including profiling), how it works, and the potential consequences of the system
The table of contents of Gannett's Privacy Policy includes clauses about its reasons for processing personal information, users' privacy rights, and transferring information internationally, among others.
You can put a link to your Privacy Policy wherever you intend to collect personal data so that users have a chance to read it before their data is processed.
Many companies put a link to their Privacy Policy within their website footer or in a pop-up box that users have to click out of before they can access a website.
USA Today's website footer contains links to its legal agreements, including its Privacy Policy.
Choose a Lawful Basis for Processing Personal Data
To comply with the GDPR, an organization must be able to rely on at least one of the following six legal bases before it processes personal data, and it should identify and document which one applies to each processing activity:
- Consent. An organization must obtain consent that is freely given, specific, informed, and unambiguous before processing data subjects' personal data.
- Contract. The data processing is necessary to fulfill a contract with the data subject.
- Legal obligation. The data processing is necessary to comply with a legal obligation.
- Vital interests. The data processing is necessary to protect the vital interests (such as the life) of the data subject or another person.
- Public task. The data processing is necessary to carry out a task in the public interest or in the exercise of official authority vested in the organization.
- Legitimate interests. The data processing is necessary for an organization's or a third party's legitimate interests.
Article 6 of the GDPR lists the lawful bases for processing data, including consent and legitimate interests.
Keep in mind that if you rely on legitimate interests for processing data, you'll need to perform a balancing test to ensure your legitimate interests aren't overridden by the data subject's fundamental rights and freedoms.
Conducting a legitimate interests assessment (LIA) can help you determine your purpose for processing personal data, whether and to what extent the processing is necessary, and how the processing will impact data subjects' rights and freedoms.
The UK Information Commissioner's Office (ICO) maintains a sample LIA template that includes questions you can ask to determine whether legitimate interest is the right basis to rely on for your data processing activities.
Limit Processing of Personal Data
The GDPR requires applicable organizations to limit data processing to that which is necessary to fulfill their purposes.
Article 5 of the GDPR lists its data processing principles, including data minimization.
Ensure Third Parties Protect Personal Data
If you disclose personal data to third parties or have other entities process personal data on your behalf, you should include data protection clauses within your contracts to ensure third parties comply with privacy law requirements.
Article 28 of the GDPR requires processing carried out by a processor on a controller's behalf to be governed by a binding contract (or other legal act) that sets out the subject matter, duration, nature, and purpose of the processing and obliges the processor to act only on the controller's documented instructions.
Keep Personal Data Secure
Article 32 of the GDPR requires organizations to implement technical and organizational security measures that are appropriate to the risk, taking into account the state of the art and the cost of implementation. The article specifically names pseudonymization and encryption of personal data, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of systems, the ability to restore availability after an incident, and regular testing of the measures' effectiveness.
In practice, security measures can include firewalls, encryption, multi-factor authentication, security guards and cameras, device locks, and alarm systems. It's also a good idea to develop and maintain an incident detection and response team and a plan for responding to data breaches, including notifying the supervisory authority within 72 hours of becoming aware of a breach where Article 33 requires it.
Additionally, if you are transferring personal data internationally, you will need to ensure the data is transferred to a country that the European Commission has found to provide adequate protection (Article 45) or put in place appropriate safeguards (Article 46).
Article 46 of the GDPR lists appropriate safeguards for transferring personal data to third countries, including binding corporate rules and certain standard data protection clauses.
Conduct Data Protection Impact Assessments (DPIAs)
The GDPR requires an organization to conduct a DPIA if its data processing is likely to present a high risk to individuals' rights and freedoms (such as in the case of data processing that uses new technologies, large-scale processing of sensitive data, or large-scale systematic monitoring of publicly accessible areas).
A DPIA should include the following:
- A description of the proposed processing activities and their purposes (including the controller's legitimate interest, if applicable)
- An assessment of the necessity and proportionality of the data processing in relation to the purposes
- An assessment of the risks to data subjects' rights and freedoms
- The steps the organization intends to take to address those risks
Article 35 of the GDPR describes the types of data processing that require a DPIA, including those using new technologies and certain data processing that is based on automated processing (including profiling).
Appoint a Data Protection Officer (DPO)
The GDPR requires organizations to appoint a DPO if any of the following apply:
- The data processing is carried out by a public authority or body (except for courts)
- The controller or processor's core activities require regular, systematic, and large-scale monitoring of data subjects
- The controller or processor's core activities consist of large-scale processing of sensitive data or personal data concerning criminal convictions and offenses
A DPO is responsible for:
- Advising the data controller or processor and staff involved in data processing about how to comply with applicable data protection laws
- Monitoring data protection law compliance
- Training staff
- Advising on DPIAs and monitoring DPIA performance
- Communicating and cooperating with supervisory authorities
Article 37 of the GDPR lists the situations in which an organization must appoint a DPO, including when the core activities of the data controller or processor consist of large-scale, systematic monitoring of data subjects.
Ensure Publicly Available Electronic Communications Services Are Secure
Article 4 of the ePrivacy Directive requires providers of publicly available electronic communications services to ensure their services are secure and inform users of any network security risks.
Get Consent
The ePrivacy Directive requires website and app operators to get consent before storing or accessing certain information on users' devices, and before sending unsolicited direct marketing by email, text message, fax, or automated calling machine.
Article 13 of the ePrivacy Directive requires prior consent from recipients before direct marketing by automated calling machines, fax, or email. The one exception is that a business may email its existing customers about its own similar products or services, provided those customers were given a clear and free way to opt out when their details were collected and in every subsequent message.
In addition, organizations cannot monitor, intercept, or record communications and related traffic data without user consent (unless they have legal authorization to do so).
Article 5 of the ePrivacy Directive requires organizations to protect the confidentiality of communications and obtain user consent before storing or accessing information on users' devices, unless the storage or access is strictly necessary to provide a service requested by the user.
To comply with the ePrivacy Directive's cookie consent requirements, you should:
- Provide information to users about what data each cookie tracks
- Explain why you are using cookies
- Get user consent before using any cookies other than strictly necessary cookies
You should keep a record of the consent you obtain. It's also important to allow users to access your website or app even if they refuse the use of certain cookies, and provide a way for users to withdraw their consent that is as easy as it was for them to give consent initially.
One way to comply with these requirements is to use a cookie consent banner that gives users information about a website's cookies and how they can adjust their cookie preferences.
The London Zoo's cookie consent banner pops up when users visit its site and explains why it processes data. It contains links to its list of partners and Cookie Settings center, and gives users the option to accept all cookies before navigating to the site.
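The consent gate described above, as an added example that is not part of the original article: a small browser-side module that defers non-essential tags until the user has opted in, stores the consent record with a timestamp and policy version so it can be evidenced later, and withdraws consent with a single call. The storage object is injected so the same logic runs against `window.localStorage` in a browser or against an in-memory stand-in (used here). The storage key, the two category names, and the policy version string are assumptions for the example.

```javascript
// Added example, not from the original article or any consent-management product.
// Non-essential categories that are gated behind consent (assumed names).
// Strictly necessary cookies are never routed through this gate.
const CONSENT_KEY = 'cookie_consent_v1'; // assumed storage key
const CATEGORIES = ['analytics', 'marketing'];

class ConsentManager {
  // storage: anything with getItem/setItem/removeItem (Web Storage API shape).
  // now: clock function, injectable so the record's timestamp is testable.
  constructor(storage, now = () => new Date()) {
    this.storage = storage;
    this.now = now;
    this.pendingTags = Object.fromEntries(CATEGORIES.map((c) => [c, []]));
  }

  // Returns the stored consent record, or null if the user has not yet decided.
  getRecord() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  // Consent exists only for an explicit, recorded "true"; absence of a record is "no".
  hasConsent(category) {
    const rec = this.getRecord();
    return !!(rec && rec.choices && rec.choices[category] === true);
  }

  // Record a per-category choice together with when it was made and which
  // policy version the user saw; this is the record you keep as evidence.
  setChoices(choices, policyVersion) {
    const record = {
      policyVersion,
      timestamp: this.now().toISOString(),
      choices: Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true])),
    };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(record));
    // Any tag that was deferred and is now permitted runs at this point.
    for (const c of CATEGORIES) if (record.choices[c]) this.flush(c);
    return record;
  }

  // Withdrawal is one call, no harder than giving consent; every
  // non-essential category is reset to "no" and the record is kept as evidence.
  withdrawAll(policyVersion) {
    return this.setChoices({}, policyVersion);
  }

  // Register a tag loader under a category. It runs immediately if consent
  // already exists and is otherwise queued until the user opts in.
  whenConsented(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.hasConsent(category)) loader();
    else this.pendingTags[category].push(loader);
  }

  flush(category) {
    const queue = this.pendingTags[category];
    this.pendingTags[category] = [];
    queue.forEach((fn) => fn());
  }
}

// In-memory stand-in for window.localStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Worked scenario: an analytics tag must not run before consent, must run
// once consent is given, and must not be considered consented after withdrawal.
function demo() {
  const cm = new ConsentManager(memoryStorage(), () => new Date('2025-01-01T00:00:00Z'));
  const fired = [];
  cm.whenConsented('analytics', () => fired.push('analytics-loaded'));
  const firedBeforeConsent = fired.length;
  const record = cm.setChoices({ analytics: true, marketing: false }, 'privacy-policy-2025-01');
  const firedAfterConsent = fired.length;
  cm.withdrawAll('privacy-policy-2025-01');
  return {
    firedBeforeConsent,
    firedAfterConsent,
    marketingConsented: record.choices.marketing,
    analyticsAfterWithdraw: cm.hasConsent('analytics'),
    record,
  };
}
```

Two caveats worth stating in prose. First, withdrawal only stops further loading; a third-party tag that has already run may have set cookies the page cannot unset, so the site should expire the cookies it set itself and, in most real deployments, reload the page after withdrawal. Second, the stored record evidences the user's choice on this device only; if you also want a server-side audit trail, send the same record (without additional identifiers) to your backend when `setChoices` is called.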
Summary
A data protection class action under the RAD is a collective lawsuit brought by a qualified entity on behalf of a group of individuals whose privacy or data protection rights have been violated by the same company.
Globalization, digitization, and stronger privacy laws have all contributed to a rise in data protection class actions. In addition, laws such as the RAD make it easier for consumers to bring collective lawsuits against organizations that have violated their privacy rights, and may contribute to an increase in data protection class actions.
The RAD requires member states to have a procedural mechanism that enables consumers to seek collective redress if they have been harmed by violations of certain EU consumer laws, including data protection and privacy laws such as the GDPR and the ePrivacy Directive.
Data protection class action triggers can include:
- Data breaches
- Inadequate security measures
- Unlawful data processing
- Failure to obtain consent when required
- Unlawful data sharing or transfers
- Failure to respond to data subject requests
- Excessive data collection
- Failure to notify data subjects of privacy practices
Companies can minimize the risk of RAD data protection class actions by taking steps to comply with the GDPR and the ePrivacy Directive, including:
- Maintaining a Privacy Policy
- Choosing a lawful basis for processing personal data
- Limiting the collection of personal data to what is necessary for the stated purposes
- Ensuring third parties protect personal data
- Keeping personal data secure
- Conducting DPIAs
- Appointing a DPO
- Ensuring publicly available electronic communications services are secure
- Getting consent before sending marketing automated calls, texts, or emails or storing or accessing information (like cookies) on users' devices
- Keeping communications confidential