Organizations that collect, use, and disclose data are paying closer attention to the growing risk of privacy class actions. With cross-border data transfers now becoming a routine part of day-to-day operations, proactive privacy compliance is now essential to mitigate litigation risk. This article explores emerging privacy class action trends across Canada, the US, the UK, and Europe, and highlights key developments organizations should monitor in 2025.
Canada
Shift from breach-based claims to consent and data governance class actions
Canadian privacy class actions are increasingly focused on whether organizations obtained valid consent to collect, use and disclosure of personal information. Plaintiffs are targeting improper personal data collection and the sharing of personal data with third parties for marketing or analytics purposes. This shift has highlighted several key risk areas, including broad terms and conditions that grant third parties rights to use customer data, inadequate consent mechanisms and third-party disclosures such as sharing data for targeted advertising or analytics.
De-identification as a live issue in privacy litigation
Recent privacy class actions have raised questions about whether information shared with third parties has been properly de-identified. In Hvitved v. Home Depot of Canada Inc., 2025 BCSC 18, the court certified a claim under the British Columbia Privacy Act relating to alleged unauthorized data sharing with Meta. A key issue was whether the shared data was truly anonymized or continued to constitute personal information. However in Clever v. Cadillac Fairview, the British Columbia Court denied certification due to lack of evidence of the unauthorized collection of personal information.
Québec: New rights and a low bar for authorization
Québec continues to be among the more accessible jurisdiction for plaintiffs at the certification stage. Recent legislative reforms under Law 25 have expanded the province’s privacy regime including (i) new right to punitive damages for intentional/grossly negligent violations; (ii) stricter rules around consent, data anonymization and data disposal; and (iii) heightened requirements when collecting data from minors under the age of 14.
United States
Online tracking claims on the rise
Plaintiffs are increasingly targeting companies over online tracking practices, including the use of cookies and pixels. These claims are being brought under state wiretapping and eavesdropping laws, which prohibit unauthorized interception of electronic communications. Recent cases have alleged that cookie banners appeared to offer opt-outs, but tracking continued regardless, forming the basis for claims of deceptive business practices. To reduce litigation risk, organizations should consider reviewing how cookie banners and privacy notices align with actual tracking technologies in use. Clear, well-functioning consent mechanisms and accurate disclosures are often central to defences against this type of class action.
Surge in VPPA class actions over embedded video content
The federal Video Privacy Protection Act (VPPA) is being used to bring class actions against companies for sharing video viewing data with third parties like Meta via tracking pixels. Plaintiffs allege this violates the VPPA’s requirement for express, standalone consent. Consent embedded in cookie banners or terms of use is insufficient. Companies should assess whether their current adtech configurations inadvertently share such data and consider whether steps can be taken to limit or remove it from outbound traffic to third parties.
Genetic data remains high-risk
The federal Genetic Information Nondiscrimination Act (GINA) and Illinois’ Genetic Information Privacy Act (GIPA) place limits on how organizations can collect and use genetic data. Recent class action claims have involved pre-employment medical evaluations where genetic data was requested. Given the sensitivity of this information and its potential impact, such as for insurance or job applications, courts are paying close attention to how genetic data is obtained and disclosed in the employment context.
United Kingdom
Regulatory complexity and a shift toward pragmatism
The UK’s regulatory landscape has grown increasingly complex, with the General Data Protection Regulation (GDPR) now applied alongside recent legislation regarding AI, children and online safety, competition and cybersecurity. This has created regulatory uncertainty and class action risk, particularly for tech-driven businesses navigating overlapping obligations. However, global policy trends appear to be shifting. Following signals from the US, the UK and the EU appear to be softening their approach. Policymakers are now emphasizing innovation and pragmatic enforcement, suggesting a more business-friendly regulatory climate may be on the horizon.
Courts push back on class action friendly opt-out claims
Courts in England and Wales remain cautious about privacy class actions that attempt to bypass individualized assessments of harm, particularly those brought as opt-out proceedings. Courts are focused on maintaining balance between claimants and data controllers, and are increasingly rejecting claims that appear commercially motivated or exaggerated.
Positive acts required for tort liability
In Warren v. DSG Retail [2021] EWHC 2168, the High Court struck out claims in tort where a cyberattack caused the data breach, finding that no positive act by the data controller triggered tortious liability. While claims under the Data Protection Act remain possible, they are less attractive to litigation funders because after-the-event insurance premiums cannot be recovered, and potential damages tend to be modest.
Competition law as the next frontier?
As procedural safeguards limit privacy class actions in the High Court, claimant firms are increasingly looking to the UK Competition Appeals Tribunal (CAT) to pursue privacy adjacent collective actions under competition law theories. In Gormsen v. Meta [2024] CAT 11, the claimant alleges Meta abused its dominant position. The £2.3 billion claim is a high-profile attempt to reframe privacy issues as competition violations, sidestepping the hurdles of privacy tort litigation.
European Union
Damages assessment remains uncertain
Under the GDPR, even minor non-material harms can qualify for damages if real and proven. While the absence of a seriousness threshold broadens access to redress, Courts across the EU retain discretion to assess whether harm occurred and to determine compensation amounts. Dutch Courts have generally awarded modest amounts for minor privacy harms (e.g., €250–€500) and require credible, individualized substantiation, such as evidence of psychological harm to support non-material damage claims. In Stichting Cuing Court v. TikTok, the Court allowed material damage claims to proceed but found that non-material damages were too individualized for collective treatment, though that ruling is under appeal.
The Netherlands: A key jurisdiction
The Dutch system has become a key jurisdiction for privacy class actions, bolstered by early adoption of a comprehensive collective action statute and the EU’s Representative Actions Directive. However, procedural hurdles, including strict representativeness standards, governance transparency and funding disclosures have limited success rates. Several high-profile claims are currently progressing. In Privacy Collective v. Oracle and Salesforce, the class alleges GDPR violations via unlawful cookie tracking; currently in the merits phase following a successful admissibility appeal. In Consumentendbond & Data Privacy Stichting v. Meta, Meta was found liable for sharing user data without valid consent and the class action is now in the damages quantification phase.
With privacy litigation on the rise, taking proactive steps to assess consent practices, data sharing and governance across jurisdictions is essential to managing risk and staying ahead of regulatory developments.
***
Neil Rabinovitch is co-leader of Dentons’ national Class Action group and a member of the Litigation and Dispute Resolution group in the Firm’s Toronto office. His practice focuses on commercial litigation and insolvency with an emphasis on class action defence, product liability defence, cross-border restructurings, shareholder disputes, franchising, mortgage remedies, banking, real estate and commercial leasing.
Kelly Osaka is a Partner at Dentons in the Litigation and Dispute Resolution group, the Privacy and Cybersecurity group, and co-lead of the Privacy Litigation subgroup. Based in Calgary, Kelly brings a wealth of experience to assisting clients across industries including energy, financial services, real estate and technology.
Sandra Hauser is the head of Dentons’ US Commercial Litigation practice and serves on the Firm's Global Litigation and Dispute Resolution Leadership team. A leading lawyer in the financial services sector, Sandy is both part of the Firm's Chambers-recognized Insurance Litigation team and is ranked by The Legal 500 as a Leading Lawyer for Securities Litigation: Defense — one of only 47 recognized nationally, and 1 of only 8 women.
Louisa Caswell is the head of the Disputes division for Dentons in the UK. She is a leading commercial litigator with an outstanding record in big-ticket trials and complex cross-border disputes. Louisa is known for her expertise in corporate/M&A disputes including shareholder disputes, warranty and indemnity claims, and post-completion disputes over deferred consideration and earn-outs.
Roberto Lipari is a partner in Dentons’ Rome office and Head of the Europe Litigation and Dispute Resolution practice. Roberto has extensive experience in litigation and international arbitration and regularly represents sovereign entities, as well as domestic and foreign clients, in a broad range of disputes involving corporate, commercial, white-collar crime, investigation, investment and financial matters across different industries and jurisdictions.