Samsung collected too much personal data from customers and failed to adequately secure it, leading to two data breaches this year and potentially millions of harmed individuals, a class-action lawsuit filed in September alleges.

The complaint, filed in U.S. District Court for the Northern District of California, claims Samsung violated the California Consumer Privacy Act (CCPA) by failing to protect the personally identifiable information (PII) of California residents. The lawsuit’s two plaintiffs, on behalf of the class, question whether Samsung “implemented and maintained reasonable security procedures and practices appropriate to the nature of the information to protect the PII under the CCPA.”

The lawsuit also alleges violations of the Michigan Identity Theft Protection Act over Samsung's failure to timely disclose the second of the two breaches it suffered this year.

Samsung’s requirement that users register and provide personal data to access certain devices like smart televisions and printers is unnecessary, the complaint said. The company requires customers to provide their name, date of birth, address, phone number, email address, and exact geolocation data before its devices can be used.

“[R]egardless of whether a consumer buys a printer, television, or a smartphone, consumers need to register their products with Samsung to access the features of their devices,” the suit alleged. “… By locking features, making products’ software updates inaccessible, and inhibiting intended use of products, defendant ensures that nearly every consumer who purchased any of the defendant’s devices, at some point, is required to provide their personal information through this mandatory registration in order to use the products.”

Samsung’s privacy policy and online advertisements “clearly and unequivocally state that any personal information provided to defendant will remain secure and protected,” the lawsuit stated.

The class includes millions of people who purchased Samsung products in the United States and whose data might have been compromised in a July data breach. Samsung experienced a separate data breach in April and should have taken steps to prevent the subsequent incident, the plaintiffs said.

Samsung “utterly failed to adequately secure its systems and allowed another breach to occur,” the lawsuit said. “… At the very minimum, defendant failed to archive customers’ PII; increase the layer of security for the customers’ PII; prevent customers’ PII to be accessible online (by moving this data to different servers, for example); and [take] other actions to ensure the safety of personal data and credentials.”

Samsung failed to inform affected customers about the second breach until Sept. 2, even though it said it knew about it as of Aug. 4.

The plaintiffs and other Samsung customers paid a premium for the company’s devices because they believed their personal data would be protected, the lawsuit said.

The suit seeks damages for the plaintiffs and all class members and a variety of actions by Samsung, including providing proper notice to all customers whose data might have been compromised, requiring the protection of all personal data it collects, and destroying and purging from its database all personal data it cannot provide reasonable justification for keeping.

Samsung did not respond to a request for comment.