Global Class Actions

So far, tech businesses have been relatively safe from representative class actions, while they could be targeted in the scope of different types of class actions (consumer, data, and environmental class actions). Out of the nearly 40 class actions that were launched in France, only three were initiated against tech companies: two data class actions against an internet service provider and a social media company, and a consumer class action against an online marketplace. The data class action initiated against the internet service provider was declared inadmissible in late 2024 by the Paris Judicial Court, which held that the association did not represent a class of data subjects in a similar situation. Whether more class actions will be brought against tech companies as a result of the recent transposition of EU Directive 2020/1828 into French law and, hence, the extension of the scope of class actions to many areas of law remains to be seen. Rather than class actions, which are a very long route to compensation, the Plaintiffs' bar is currently targeting tech businesses in the scope of collective actions (i.e., an accumulation of individual claims in the same court proceedings) and one should expect to see more of that type of action than class actions, notably as they represent a more flexible procedural mechanism available whatever the issue at stake.

Because they operate globally, in both a very regulated and harmonized legal environment, tech businesses face a genuine litigation contagion risk. To best prepare, companies should monitor politics, consumer associations, and existing litigation at both domestic and EU levels to identify emerging regulatory challenges and be able, when the time comes, to define a litigation strategy that can be easily declined in various jurisdictions, if not one strategy worldwide. Online minor protection clearly is one of those topics in France. Discussed for several years, it truly exploded in 2025: the French government (as well as many French politicians) has been vocal about it, clearly advocating for stricter regulation; the French Parliament has also taken up on the issue; and some French authorities (judicial and regulators) have been investigating and/or litigating cases touching upon this question. Depending on where current political and parliamentary initiatives land, this might nourish the growing appetite of the Plaintiffs’ Bar for these questions. More generally, with the DSA now in force, content regulation and intermediary liability issues should become increasingly prominent in future litigation.

The most significant development for class actions in Indonesia’s technology sector during 2025 has been the growing awareness of consumer rights in relation to data protection. Unlike finance, automotive, or consumer goods – which have occasionally faced class actions – the technology sector has historically seen very limited activity. Awareness, however, has begun to grow. Following the data breach at the Temporary National Data Center 2 in Surabaya, for example, the National Consumer Protection Agency (Badan Perlindungan Konsumen Nasional) encouraged affected individuals to consider pursuing a class action. While this did not immediately result in large-scale litigation, it reflects a gradual shift in perception: data security incidents are starting to be viewed as a possible basis for collective claims. This suggests that data protection, rather than traditional product or service disputes, may increasingly be seen as a potential driver of class actions in the technology space, though the practice remains at an early stage of development.

The expiry of the sunset period under Law No. 27 of 2022 on Personal Data Protection (“Indonesian PDP Law”) may give rise to new class action lawsuits in the technology sector, particularly in relation to data protection. Although the Indonesian PDP Law does not specifically regulate the procedure for class actions, it clearly sets out the rights and obligations of data controllers, processors, and data subjects, thereby opening the possibility for data subjects to enforce their rights against controllers or processors through class actions in accordance with the procedures under SC Reg 1/2002. This makes a collective claim realistic, although the actual practice is still developing and is still in its infancy. 

Companies, however, would be well advised to prepare. Practical steps include:

1. Strengthening compliance frameworks: ensuring that data governance policies and security practices align with PDP Law requirements.
2. Enhancing incident response: developing clear protocols for detecting, reporting, and mitigating data breaches.
3. Raising organizational awareness: educating management and employees on the potential exposure to class actions and the reputational risks of non-compliance.

By taking these measures, companies can reduce the likelihood of being targeted in early test cases and demonstrate good faith compliance as the regulatory framework matures.

In 2025, Mexico replaced career judicial appointments with judges elected by popular vote, significantly reshaping the structure and functioning of the judicial system. Additionally, Mexico’s class action system faced significant challenges: strict commonality requirements, the opt-in model, and protracted appeals processes often delay justice. For technology companies, this creates prolonged exposure in disputes over data privacy, digital services, and consumer contracts, which can disrupt growth and innovation strategies in key markets.

For the tech sector, Mexico’s shift means greater volatility around the enforcement of consumer protection, AI regulation, and platform liability, where judges may be influenced by societal concerns about digital harms. Companies should anticipate uneven interpretations of regulatory frameworks and invest in adaptive, cross-border compliance planning.

We continue to see an increase in AI-related lawsuits, with several actions challenging the training of AI models on copyrighted content. There are now over 40 lawsuits (the majority of which are putative class actions) alleging violations of copyright law for training and deploying AI models using copyrighted works. Recently, the first AI copyright class action was certified in the Northern District of California, including up to 7 million putative class members. Bartz v. Anthropic PBC, 2025 WL 1993577 (N.D. Cal. July 17, 2025). But before the issue could be considered in what would have been a high-stakes appeal to the Ninth Circuit, the parties announced an agreement in principle on August 26, 2025, the details of which are not yet publicly available. 

Website operators also continue to face a wave of litigation based on the use of alleged web “tracking” technologies, including pixels, beacons, cookies, and software development kits (SDKs). Notably, even more suits have been filed alleging that these technologies violate the decades-old laws, such as the pen register and trap and trace device provisions of the California Invasion of Privacy Act (“CIPA”) (CIPA § 638.51) by capturing incoming electronic information, such as website users’ IP addresses and other basic device information. Increasingly, courts are skeptical that the collection of such basic information constitutes a concrete privacy injury to establish Article III standing. See, e.g., Kishnani v. Royal Caribbean Cruises Ltd., 2025 WL 1745726, at *4 (N.D. Cal. June 24, 2025) (finding “no legally protected privacy interest” in IP addresses or other basic device information); Mitchener v. CuriosityStream Inc., 2025 WL 2272413, at *4-5 (N.D. Cal. Aug. 6, 2025) (similar). 

Additionally, we are beginning to see other website technology suits – particularly asserting claims under the wiretapping provision of CIPA (CIPA § 631) and/or the Video Privacy Protection Act (VPPA) (18 U.S.C. § 2710) – reach class certification, summary judgment, and even trial, which will be key to monitor as companies assess risk. See, e.g., Griffith v. TikTok, Inc., 2024 WL 5279224 (C.D. Cal. Dec. 24, 2024) (dismissing CIPA wiretapping and other claims at summary judgment); Frasco v. Flo Health, Inc., 2024 WL 4280933 (N.D. Cal. Sept. 23, 2024) (denying defendant’s summary judgment motion on CIPA wiretapping claim); Martinez v. D2C, LLC, 2024 WL 4367406 (S.D. Fla. Oct. 1, 2024) (denying certification of VPPA class) Torres v. Prudential Fin., Inc.,  2024 WL 4894289 (N.D. Cal. Nov. 26, 2024) (certifying CIPA wiretapping claim class). For instance, a California federal jury recently found a company liable for CIPA § 632 violations based on the use of web tracking technologies that allegedly collected sensitive health information from users of a popular health tracking app. See Frasco v. Flo Health, Inc., No. 1:25-cv-00757 (N.D. Cal., Aug. 1, 2025). 

Another continuing trend in 2025 was plaintiffs’ firms leveraging arbitration provisions in consumer-facing online terms to bring mass arbitration demands instead of class action lawsuits. In response, some companies targeted by mass arbitration demands worked to revise their terms and sought judicial intervention, while arbitration providers are revising their rules and fee structures to reduce filing costs.

Looking ahead, we expect more clarity on the application of copyright law and the fair use doctrine to AI training. Some district courts have rejected the fair use defense, but others have acknowledged that the use of copyrighted works to train generative AI models may constitute fair use. See Bartz v. Anthropic PBC, 2025 WL 1741691, at *7-19 (N.D. Cal. June 23, 2025) (partially granting motion for summary judgment; finding use of copyrighted books to train LLM model was fair use). More decisions from district courts in California and New York addressing generative AI model training are expected in 2026. Companies developing models should closely monitor these developments as they refine compliance measures and consider whether to obtain licenses for training data to decrease potential exposure. 

We expect to continue to see key questions concerning privacy claims premised on website tracking technologies percolating up to the appellate level. See, e.g., Pileggi v. Washington Examiner, 2025 WL 2319550 (D.C. Cir. Aug. 12, 2025) (affirming district court’s dismissal of VPPA claims against the Washington Examiner, concluding that “consumer” under the VPPA does not include anyone who purchases non-video “goods or services”). For example, in August alone, two of the first published appellate decisions addressing web tracking-based wiretapping claims were decided. In Cook v. GameStop, 2025 WL 2250261 (3d Cir. Aug. 7, 2025), the Third Circuit affirmed the dismissal of a wiretapping claim brought under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (“WESCA”) premised on the use of Session Reply technology on the GameStop website, concluding that the alleged interception of user's non-sensitive browsing activities did not implicate a concrete privacy injury sufficient to establish Article III standing. The Ninth Circuit followed suit in Popa v. Microsoft Corp., 2025 WL 2448824, *5 (9th Cir. Aug. 26, 2025), similarly concluding that the plaintiff’s WESCA wiretapping claim failed to implicate any “embarrassing, invasive, or otherwise private information” sufficient to establish a concrete privacy injury to establish Article III standing. 

As the wave of privacy litigation against website operators continues, states may begin to look for legislative solutions. For instance, in California, the legislature sought to pass a bill, SB 690, that would amend CIPA to include a “commercial purpose” exception. On June 3, 2025, the California Senate unanimously passed SB 690, but the bill stalled before the Assembly’s Privacy and Consumer Protection Committee. The bill is likely to be reconsidered in 2026. Until legislatures step in to provide guidance on the scope of these privacy statutes, companies should consider (i) which technologies are necessary for their business operations, (ii) what information the technologies are configured to collect – in particular, any personally identifying information or potentially sensitive browsing information (e.g., regarding medical data), and (iii) whether to implement mitigation measures, including disclosures and consent mechanisms to address risk. 

The mass arbitration trend does not seem poised to slow down either. We expect that high arbitration fees will continue to be leveraged in attempts to pressure companies into early settlements. Companies can consider changes to their arbitration agreements designed to address mass arbitration scenarios specifically, while monitoring case law developments as these response mechanisms are tested in courts.