H&M Customer Privacy Data Collection Class Action

While there is no major ongoing or recently settled “H&M Customer Privacy Data Collection Class Action” targeting customer data specifically, H&M has faced multiple significant privacy enforcement actions and class lawsuits involving data collection practices. The company has been involved in multiple privacy controversies, ranging from employee biometric data collection without consent to large-scale regulatory fines for employee surveillance under GDPR, as well as improper handling of gift card data. These cases demonstrate the increasing scrutiny retailers face around how they collect, store, and use personal information.

H&M’s privacy issues have resulted in legal action on multiple fronts. In the United States, the company faced a class action lawsuit in Illinois involving the collection of employee fingerprints without proper consent. Internationally, H&M received a €35.3 million fine from German authorities for extensive employee surveillance that violated data protection laws. These cases reveal patterns of aggressive data collection and insufficient privacy safeguards at one of the world’s largest fashion retailers.

What Privacy Issues Has H&M Actually Faced?

H&M’s documented privacy problems center primarily on employee data collection rather than customer data, though the company has also mishandled customer-related data in separate settlements. The most high-profile case involved the illegal collection of employee biometric data in Illinois, where H&M required workers to use fingerprint scanners to clock in and out without obtaining proper informed consent or disclosures required by Illinois’s Biometric Information Privacy Act (BIPA). This practice affected numerous employees across multiple store locations, and a Cook County court certified the class action lawsuit, meaning employees could move forward with claims as a group. The German case was even more severe in scope.

Between 2014 and 2019, H&M collected extensive personal data from employees at its Nuremberg service center, including health information, details about illnesses, family circumstances, religious beliefs, and other highly sensitive information. The company lacked proper legal justification for collecting this data and did not adequately inform employees about the extent of the surveillance. When a technical error in October 2019 exposed this employee data company-wide for several hours, it compounded the violation. The Hamburg Data Protection Authority imposed a €35.3 million fine, one of the largest GDPR penalties at that time.

The Illinois Employee Biometric Class Action and What It Means

The Illinois case against H&M, Palacios et al. v. H&M Hennes & Mauritz LP, centers on the BIPA law, which imposes strict requirements on companies collecting biometric information like fingerprints. Under BIPA, companies must provide written notice, get informed consent, disclose how the biometric data will be used and stored, and clearly explain the data retention schedule.

H&M failed on multiple counts—employees were not given adequate notice that fingerprint scanners would be used for timekeeping, did not receive proper consent forms, and were not informed about how their biometric data would be handled. What makes this case particularly significant is that it was certified as a class action by a Cook County judge, meaning it proceeded as a group claim rather than individual lawsuits. This allows all affected employees to potentially recover damages without filing separate suits. However, the limitation of this case is that it only covers Illinois employees, as BIPA is state-specific legislation. Employees in other states do not have equivalent legal protections for biometric data collection, leaving workers in those locations with fewer remedies if they experienced similar treatment.

[Chart: H&M Privacy Enforcement Actions and Settlements. Categories: Illinois Biometric Class Action, German GDPR Fine, NY Gift Card Settlement (2024), Prior NY Gift Card Settlement (2022). Source: Hamburg Data Protection Authority, Illinois Court Records, New York Attorney General, ILYM Group]

The €35.3 Million German GDPR Fine and Employee Surveillance

The German case reveals how H&M’s data practices extended far beyond simple timekeeping systems. At the Nuremberg service center, H&M conducted systematic employee monitoring and data collection that would be considered extreme surveillance by most standards. The company tracked and recorded employee health records, personal relationships, family situations, religious affiliations, and disciplinary issues—creating detailed psychological profiles of workers. Employees were not adequately informed about the scope of this surveillance, and the company had no legitimate business need to collect or retain much of this information.

This case demonstrated a critical distinction: the German case involved both an initial violation of GDPR principles and a secondary breach when employee data was accidentally exposed company-wide. The €35.3 million fine reflected not just the illegal collection but also the mishandling and security failure. H&M was required to offer financial compensation to employees who worked at the Nuremberg center for at least one month since May 2018. This case shows how data protection violations can accumulate: improper collection, plus inadequate security, plus exposure, equals exponentially higher penalties.

What About Customer Data at H&M?

While the documented class actions and major enforcement actions have focused on employee data, H&M has also mishandled customer information separately. In 2024, the company settled with the New York Attorney General over the improper withholding of unclaimed gift card balances, with a settlement amount of $4.4 million. This built on a prior 2022 settlement of $36 million related to the same issue. While this case is not technically a “privacy data collection” lawsuit, it represents customer funds that should have been reported to New York’s Office of Unclaimed Funds, indicating H&M’s inconsistent approach to managing customer financial information.

The difference between these settlements and a full-scale customer privacy data collection class action is important to understand. Customer gift card mishandling and employee biometric collection represent distinct legal theories. A customer privacy data collection class action would require evidence that H&M collected personal information from customers without proper consent, used it beyond stated purposes, or failed to safeguard it. To date, there has not been a major certified class action along those lines. This does not mean H&M’s customer data practices are perfect, only that they have not resulted in the type of large-scale litigation that employee data collection did.

Key Warnings About Retailer Data Collection Practices

The H&M cases highlight a critical limitation in consumer protection: most large retailers collect vast amounts of personal data, but enforcement against that collection is sporadic and often requires either a specific violation of law (like BIPA for biometrics) or a major data breach. Retailers legally collect customer purchase history, location data, email addresses, phone numbers, and increasingly, biometric identifiers through mobile apps and in-store systems. Many customers don’t realize the scope of this collection or have limited ability to opt out without losing benefits like loyalty program rewards. H&M’s experiences show that regulatory enforcement is inconsistent across jurisdictions.

The German GDPR fine was substantial and a deterrent, but it applied to employee data. In the United States, the BIPA case provided a remedy for a specific biometric violation in one state, but customers have fewer protections. This creates a patchwork where privacy violations affecting employees in Illinois trigger class action protections, while similar violations affecting customers may go unaddressed. Consumers shopping at retailers should assume their data is being collected extensively and should review privacy policies to understand what personal information they are providing.

Settlement Amounts and Compensation Outcomes

The amounts H&M has paid in privacy and data-related cases vary widely depending on the legal theory. The German fine of €35.3 million was a regulatory penalty, not direct compensation to affected employees, though employees were offered compensation separately. The Illinois biometric class action amount has not been finalized in public reporting, but BIPA cases typically award damages per employee per violation.

The New York gift card settlements totaling over $40 million reflected the value of customer funds that should have been transferred to the state unclaimed property program. These varying settlement amounts show that the cost of privacy violations depends heavily on the number of affected individuals, the jurisdiction, and the specific law violated. A single large fine from a European regulator can dwarf a consumer settlement in the United States, yet the class action approach in Illinois creates a per-person remedy that can be significant. For affected parties, the practical impact varies—some may receive small per-person payouts, while others may recover nothing if they don’t file claims, and still others may receive substantial individual recoveries depending on case outcomes.

What’s Happening Now and Future Outlook

As of 2026, no new major H&M customer privacy data collection class actions have been announced, suggesting the company has made some adjustments to its practices. However, the retail industry broadly faces increasing pressure from state attorneys general and privacy advocates over data collection, biometric surveillance, and data security. More states are considering biometric privacy laws modeled on BIPA, which would expand the types of claims that could be brought against retailers. The GDPR enforcement in Europe also continues to signal that companies with large-scale employee data systems face significant exposure.

Looking forward, consumers should expect the regulatory landscape around retailer data collection to tighten. The fact that H&M faced major enforcement in Europe and employee-focused class actions in the United States suggests that companies face liability from multiple directions simultaneously. If H&M or similar retailers were found to have engaged in unauthorized customer data collection, sharing, or biometric surveillance, new class actions could be filed. Customers concerned about H&M’s data practices should review the company’s privacy policy, opt out of non-essential data collection where possible, and monitor privacy-focused news sources for updates on data breaches or new enforcement actions.

Conclusion

H&M has faced multiple privacy-related legal actions and enforcement proceedings, though these have focused primarily on employee biometric data collection in Illinois and extensive employee surveillance in Germany rather than customer-specific privacy data collection. The company paid a €35.3 million GDPR fine for systematic employee data collection without proper consent, faced a certified class action in Illinois over fingerprint scanner use, and settled with New York over improper gift card fund handling.

These cases collectively demonstrate that even global retailers with strong brand reputations face serious consequences for inadequate privacy safeguards. If you are an H&M customer or employee concerned about data collection, monitor official settlement administration websites for any class action claims you may be eligible to join, review H&M’s current privacy policy to understand what data is being collected, and consider limiting the personal information you voluntarily provide beyond what is necessary for purchases. Stay informed about new regulatory actions through your state attorney general’s office, and report any data breaches or suspicious use of your information to the appropriate authorities.

