CCPA Security FAQs: What Other Legal Theories Could a Plaintiff Assert in a Data Breach Class Action in Addition to the CCPA?

August 20, 2019

For the last five years, BCLP has published the leading study of data breach class action litigation.1  As part of that study, BCLP has reviewed every data breach class action complaint against a private company filed in (or removed to) federal court.2  Among other variables, BCLP tracked the legal theories asserted by plaintiffs in data breach litigation.  

As our 2019 Data Breach Litigation Report indicates, plaintiffs asserted more than 25 legal theories in their attempts to recover against companies following data breaches.  While the most popular legal theories focused on negligence, state unfair and deceptive trade practice laws, or the alleged breach of an implied contract, the variety of counts included in complaints demonstrated the creativity of the plaintiffs’ bar as they struggled to identify legal theories that could withstand judicial challenge:3

While BCLP anticipates that in 2020 plaintiffs will congregate around the CCPA in an attempt to pursue the statutory damages referenced within Section 1798.150, plaintiffs are likely to continue to experiment with the legal theories identified above as alternative or supplementary sources of liability with regard to Californians, or as primary sources of liability with regard to residents of other states. 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. See 2019 Data Breach Litigation Report available at

2. See 2019 Data Breach Litigation Report available at Note that the 2019 Data Breach Litigation Report excludes state court litigation as state courts are inconsistent in their publication of filed complaints and, as a result, inclusion of state-filed complaints that were not removed to federal court would inadvertently over-represent or under-represent the quantity of filings in any state depending upon whether a particular state (or a particular court) publishes electronic versions of case filings.

3. See 2019 Data Breach Litigation Report at 17 available at