Global Class Actions

So far, tech businesses have been relatively safe from representative class actions, while they could be targeted in the scope of different types of class actions (consumer, data, and environmental class actions). Out of the thirty-five class actions that were launched in France, only three were initiated against tech companies: two data class actions against an internet service provider and a social media, and a consumer class action against an online marketplace. The data class action initiated against the internet service provider was declared inadmissible in late 2024 by the Paris Judicial Court, which held that the association did not represent a class of data subjects in a similar situation. Whether more class actions will be brought against tech companies as a result of the transposition of EU Directive 2020/1828 into French law — currently being discussed in Parliament — and hence the extension of the scope of class actions to many areas of law remains to be seen. Rather than class actions, which are a very long route to compensation, the Plaintiffs' bar is currently targeting tech businesses in the scope of collective actions (i.e., an accumulation of individual claims in the same court proceedings) and one should expect to see more of that type of action than class actions, notably as they represent a more flexible procedural mechanism available whatever the issue at stake.

Because they operate globally, in both a very regulated and harmonized legal environment, tech businesses face a genuine litigation contagion risk. To best prepare, companies should monitor consumer associations and existing litigation at both domestic and EU levels to be able, when the time comes, to define a litigation strategy that can be easily declined in various jurisdictions, if not one strategy worldwide.

In 2024, there was an increase in AI-related lawsuits, with several actions challenging the training of AI models on copyrighted content. There are now close to 40 lawsuits (the majority of which are putative class actions) alleging violations of copyright law for training and deploying AI models using copyrighted works. 

Website operators also continued to face a wave of litigation based on the use of alleged web “tracking” technologies, including pixels, beacons, cookies, and software development kits (SDKs). Notably, even more suits have been filed alleging that these technologies violate the decades-old pen register and trap and trace device provisions of the California Invasion of Privacy Act (CIPA) (CIPA § 638.51) by capturing incoming electronic information, such as website users’ IP addresses and other basic device information that identifies the originating source of that information or outgoing information. Courts are grappling with how to interpret these statutory provisions, as plaintiffs seek to repurpose old laws in a novel and new context. We are also beginning to see other website technology suits — particularly asserting claims under the wiretapping provision of CIPA (CIPA § 631) and/or the Video Privacy Protection Act (VPPA) (18 U.S.C. § 2710)—reach the class certification and summary judgment stages, which will be key to monitor as companies assess risk. See, e.g., Griffith v. TikTok, Inc., 2024 WL 5279224 (C.D. Cal. Dec. 24, 2024) (dismissing CIPA wiretapping and other claims at summary judgment); Frasco v. Flo Health, Inc., 2024 WL 4280933 (N.D. Cal. Sept. 23, 2024) (denying defendant’s summary judgment motion on CIPA wiretapping claim); Martinez v. D2C, LLC, 2024 WL 4367406 (S.D. Fla. Oct. 1, 2024) (denying certification of VPPA class); Torres v. Prudential Fin., Inc.,  2024 WL 4894289 (N.D. Cal. Nov. 26, 2024) (certifying CIPA wiretapping claim class).  

Another 2024 trend was counsel leveraging arbitration provisions in consumer-facing online terms to bring mass arbitration demands instead of class action lawsuits. In response, some companies targeted by mass arbitration demands worked to revise their terms and sought judicial intervention, while arbitration providers are revising their rules and fee structures to reduce filing costs. 

Looking ahead, we expect more clarity on the application of copyright law and the fair use doctrine to AI training. Some district courts have rejected the fair use defense, but decisions from district courts in California and New York addressing generative AI model training are expected in 2025. Companies developing models should closely monitor these developments as they refine compliance measures and consider whether to obtain licenses for training data to decrease potential exposure. 

We also expect the wave of privacy litigation against website operators to continue. As plaintiffs continue to test an array of statutory claims and seek to certify various nationwide and statewide classes, companies should consider (i) which technologies are necessary for their business operations, (ii) what information the technologies are configured to collect—in particular, any personally identifying information or potentially sensitive browsing information (e.g., regarding medical data), and (iii) whether to implement mitigation measures, including disclosures and consent mechanisms to address risk. 

The mass arbitration trend does not seem poised to slow down either. We expect that high arbitration fees will continue to be leveraged in attempts to pressure companies into early settlements. Companies can consider changes to their arbitration agreements designed to address mass arbitration scenarios specifically, while monitoring case law developments as these response mechanisms are tested in courts. 

Finally, we are starting to see more frequent class actions targeting IT outages. For example, following an IT outage in July 2024, CrowdStrike and its customers faced multiple class-action lawsuits. Similarly, in January 2025, Capital One experienced IT outages that led to a class action litigation. As this becomes a more common focus of litigation, companies seeking to mitigate risk can consider implementing IT outage plans focused on prevention, mitigation, and response management.