Samsung collected too much personal data from customers and failed to adequately secure it, leading to two data breaches this year and potentially millions of harmed individuals, a class-action lawsuit filed in September alleges.

The complaint, filed in U.S. District Court for the Northern District of California, claims Samsung violated the California Consumer Privacy Act (CCPA) by failing to protect the personally identifiable information (PII) of California residents. The lawsuit’s two plaintiffs, on behalf of the class, question whether Samsung “implemented and maintained reasonable security procedures and practices appropriate to the nature of the information to protect the PII under the CCPA.”

The lawsuit also alleges violations of the Michigan Identify Theft Protection Act for Samsung failing to timely disclose the second of the two breaches it suffered this year.