Vertical guide · Updated June 2026
Privacy class action attorney time tracking: CCPA class action coordination, BIPA statutory damages expert calls, and state privacy AG investigation advisory
Privacy class action practice — California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) and California Privacy Rights Act private right of action, Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.) § 20 statutory damages class actions, Washington My Health MY Data Act class actions, state privacy AG investigations by California, Colorado, Connecticut, Texas, and Virginia enforcement offices — generates three billing-gap sources driven by opposing counsel's class certification briefing schedule, the biometric damages expert's statistical analysis schedule, and the state AG's enforcement investigation calendar: CCPA/CPRA class action coordination calls on plaintiff's briefing schedule (6 active class actions × 6 calls × 35 min × 55% untracked = 11.6 hours = $5,220–$8,700/year at $450–$750/hr), BIPA § 20 statutory damages class certification expert calls on the expert's modeling schedule (4 BIPA matters × 6 calls × 40 min × 55% = 8.8 hours = $3,960–$6,600/year), and state privacy AG investigation advisory calls on the AG's enforcement schedule (8 matters × 4 calls × 28 min × 55% = 8.2 hours = $3,690–$6,150/year). For a solo or small-firm privacy class action practice, the annual billing gap is $13,000–$21,000.
TL;DR
ClaimHour captures every CCPA class certification strategy call that arrives when plaintiff files the class certification motion on the court's schedule, every BIPA biometric scan count expert briefing call that arrives when the expert reaches a modeling milestone on the expert's computational schedule, and every state AG investigation notice response advisory call that arrives when California, Colorado, Connecticut, Texas, or Virginia enforcement staff initiates the next phase of the investigation — passively, no timer, no audio, no call contents. $29–$59/mo. No PMS required.
CCPA/CPRA class action coordination: calls on plaintiff's class certification briefing schedule
California Consumer Privacy Act § 1798.150 provides a private right of action for data breaches involving personal information where the business failed to implement and maintain reasonable security procedures. Class actions filed under § 1798.150 generate coordination calls that arrive on plaintiff's class certification briefing schedule: when plaintiff's counsel files a class certification motion on the court's case management schedule, the defense attorney must immediately coordinate with the client's privacy officer, IT security team, and breach coach to gather evidence of reasonable security measures for the manageability and superiority arguments — and those coordination calls arrive on the defense attorney's calendar driven by plaintiff's filing date, not by any date the defense attorney controls. CAFA settlement administrators, state AG offices responding to § 1715(b) 90-day notice obligations, and privacy notice adequacy experts call on their own independent processing and analysis schedules throughout the case lifecycle.
Six CCPA/CPRA class action coordination call types: (1) CCPA § 1798.150 class certification strategy call with privacy officer and IT security team (30–45 min) — arrives when plaintiff files the class certification motion on the court's schedule, triggering immediate evidence-gathering on reasonable security implementation; (2) privacy notice adequacy expert briefing call (25–35 min) — arrives when the expert has reviewed the client's privacy notices on the expert's analysis schedule; (3) CAFA § 1715(b) state AG notice response advisory call for each state AG that responds during the 90-day review window (20–30 min per state AG response) — arrives on each state AG's enforcement calendar as the AG's office reviews the proposed class settlement; (4) data breach notification state deadline coordination call with outside breach coach (20–30 min) — arrives when each state AG or notification vendor identifies a statutory notification deadline on the incident timeline; (5) common question briefing strategy call with in-house privacy counsel (25–35 min) — arrives on in-house counsel's availability when the Rule 23(a) commonality and Rule 23(b)(3) predominance briefing strategy needs to be developed; (6) class settlement claims administration oversight call with settlement administrator (20–30 min) — arrives on the settlement administrator's processing schedule when claim review or dispute resolution requires attorney input. At 55% untracked: 6 class actions × 6 calls × 35 min × 55% = 11.55 hours ≈ 11.6 hours = $5,220–$8,700/year at $450–$750/hr.
The CPRA amendments effective January 1, 2023 expanded the private right of action to cover breaches of sensitive personal information (§ 1798.121) and added a new category of data subject rights (§ 1798.100(a)(2)). Class actions under the CPRA generate structurally identical coordination calls to CCPA § 1798.150 actions but with an additional call type for sensitive data classification advisory when the breach involves health, financial, or biometric data classified as sensitive personal information under § 1798.121.
BIPA § 20 statutory damages expert calls: calls on the expert's modeling schedule
Illinois Biometric Information Privacy Act § 20 provides $1,000 per negligent violation and $5,000 per intentional violation per affected person per collection event. Under Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. 2023), the Illinois Supreme Court held that each biometric scan of a unique individual constitutes a separate BIPA violation — meaning a class encompassing millions of biometric scans from workplace time clocks, photo tagging systems, or facial recognition access control generates aggregate statutory exposure that can exceed the defendant's total enterprise value. The statutory damages expert — a labor economist, statistician, or database expert — analyzes the biometric scan database to estimate the total count of unique individuals and unique scan events for class certification purposes, and all expert coordination calls arrive when the expert reaches a milestone on the expert's own computational modeling schedule, not on the court's briefing calendar.
Six BIPA statutory damages expert call types: (1) plaintiff's biometric scan count expert briefing call (30–45 min) — arrives when plaintiff's expert completes a database extraction or statistical modeling phase and reports results to plaintiff's counsel, who then calls defense counsel; (2) defense rebuttal expert methodology review call (30–40 min) — arrives when the defense's rebuttal expert completes the statistical rebuttal analysis on the rebuttal expert's schedule; (3) mediator settlement authority escalation call in the statutory damages range (25–35 min) — arrives on the mediator's negotiation schedule when the mediator has assessed the defendant's settlement range relative to the potential aggregate statutory exposure; (4) Daubert expert exclusion strategy advisory call with in-house litigation team (25–35 min) — arrives on in-house counsel's availability when the defense identifies grounds to challenge the plaintiff's expert's biometric count methodology under Daubert; (5) BIPA consent form adequacy advisory call with HR and product team (20–30 min) — arrives on the product team's development schedule when a new biometric collection feature launches and requires BIPA-compliant written consent under 740 ILCS 14/15(b); (6) per-scan vs. per-person statutory interpretation advisory call with outside BIPA specialist (20–30 min) — arrives when the case-specific facts require application of the Cothron per-scan interpretation to estimate class-wide exposure. At 55% untracked: 4 BIPA matters × 6 calls × 40 min × 55% = 8.8 hours = $3,960–$6,600/year at $450–$750/hr.
State privacy AG investigation advisory: calls on the AG's enforcement schedule
California AG, Colorado AG (Colorado Privacy Act, C.R.S. § 6-1-1301 et seq.), Connecticut AG (Connecticut Data Privacy Act, Conn. Gen. Stat. § 42-515 et seq.), Texas AG (Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541.001 et seq.), and Virginia AG (Consumer Data Protection Act, Va. Code § 59.1-575 et seq.) each have enforcement authority under their respective state privacy statutes and send investigation notices on the AG's enforcement calendar. When a state AG sends an investigation notice, the privacy attorney advises the company on cure-period rights — California has no cure period under CPRA; Colorado has a 60-day cure period through January 2025 then discretionary; Connecticut has a 60-day cure period; Texas has a 30-day cure period; Virginia has a 30-day cure period — document preservation obligations, and investigation response strategy. All calls from the AG's enforcement staff arrive when the AG's investigative team reaches the relevant phase of the investigation on the AG's enforcement schedule, not on the privacy attorney's calendar. Cure remediation implementation calls from the company's privacy officer and product team arrive on the company's internal project and sprint calendar.
Four state privacy AG investigation advisory call types: (1) state AG investigation notice response strategy advisory call with privacy officer and in-house counsel (30–40 min) — arrives when the AG notice is received; the privacy attorney must advise on cure-period availability, document preservation, and investigation response scope on an immediate basis; (2) cure-period remediation plan development call with product and compliance team (25–35 min) — arrives on the product team's sprint schedule for implementing the cure remediation within the applicable cure period; (3) state AG enforcement staff supplemental document request advisory call (20–30 min) — arrives when the AG's investigative staff requests additional documents on the AG's investigation schedule, raising privilege, proportionality, and scope questions; (4) parallel AG investigation coordination call when multiple state AGs coordinate under the National Association of Attorneys General (NAAG) multistate investigation framework (20–30 min) — arrives when the NAAG coordination group reaches a decision on the joint investigation timeline or document production protocol. At 55% untracked: 8 matters × 4 calls × 28 min × 55% = 8.213 hours ≈ 8.2 hours = $3,690–$6,150/year at $450–$750/hr.
How ClaimHour fits privacy class action practice
If you defend CCPA/CPRA § 1798.150 class actions, BIPA § 20 statutory damages class actions, and advise on state privacy AG investigations — and your invoices consistently understate the class certification coordination calls that arrive when plaintiff files on the court's schedule, the BIPA expert briefing calls that arrive on the expert's computational modeling milestones, and the state AG investigation advisory calls from California, Colorado, Connecticut, Texas, and Virginia enforcement staff on the AG's investigation calendar — ClaimHour was built for that gap. The passive capture logs every client call (iOS call metadata: duration, timestamp, direction — not content), every email advisory session, and every document review session. A 2-minute evening digest surfaces each unmatched call for matter attribution. No audio. No call contents. No email bodies. Privilege is preserved under ABA Formal Opinion 512. Join the waitlist and we'll email when early access opens.
Related questions
How do CCPA/CPRA class action coordination calls generate billing gaps on the plaintiff's briefing schedule?
CCPA § 1798.150 class actions generate coordination calls driven by plaintiff's filing dates and external party schedules rather than by defense counsel's calendar. Six call types: class certification strategy with privacy officer and IT security team (30–45 min), privacy notice adequacy expert briefing (25–35 min), CAFA § 1715(b) state AG notice response advisory (20–30 min per AG response), data breach notification state deadline coordination with breach coach (20–30 min), common question briefing strategy with in-house privacy counsel (25–35 min), and class settlement claims administration oversight (20–30 min). At 55% untracked: 6 class actions × 6 calls × 35 min × 55% = 11.6 hours = $5,220–$8,700/year at $450–$750/hr.
How do BIPA § 20 statutory damages expert calls generate billing gaps on the expert's modeling schedule?
Under Cothron v. White Castle System, Inc., 2023 IL 128004, each biometric scan is a separate BIPA violation, creating aggregate statutory exposure that can exceed a large employer's total enterprise value. The statutory damages expert analyzes biometric scan databases on the expert's own computational modeling schedule, and all expert coordination calls arrive at that expert's milestones. Six call types: plaintiff's biometric scan count expert briefing (30–45 min), defense rebuttal expert methodology review (30–40 min), mediator settlement authority escalation in statutory damages range (25–35 min), Daubert expert exclusion strategy advisory (25–35 min), BIPA consent form adequacy advisory with HR and product team (20–30 min), and per-scan vs. per-person statutory interpretation advisory (20–30 min). At 55% untracked: 4 BIPA matters × 6 calls × 40 min × 55% = 8.8 hours = $3,960–$6,600/year at $450–$750/hr.
How do state privacy AG investigation advisory calls generate billing gaps on the AG's enforcement schedule?
California, Colorado, Connecticut, Texas, and Virginia AGs each send investigation notices and supplemental document requests on their own independent enforcement calendars. Cure-period rights vary by state — California has no CPRA cure period; Colorado, Connecticut, Texas, and Virginia have 60-, 60-, 30-, and 30-day cure periods respectively — and cure remediation calls arrive on the company's sprint calendar. Four call types: state AG investigation notice response strategy advisory (30–40 min), cure-period remediation plan development with product and compliance team (25–35 min), state AG enforcement staff supplemental document request advisory (20–30 min), and parallel NAAG multistate investigation coordination (20–30 min). At 55% untracked: 8 matters × 4 calls × 28 min × 55% = 8.2 hours = $3,690–$6,150/year at $450–$750/hr.
How does privacy class action billing differ from other class action defense billing?
Standard class action defense billing — Rule 23 predominance briefing, expert deposition preparation, settlement administration — is largely work-product-driven and attorney-scheduled. Privacy class action billing differs because all three billing-gap sources are externally scheduled: CCPA class certification calls arrive on plaintiff's briefing schedule; BIPA expert calls arrive on the expert's biometric scan database modeling schedule driven by computational milestones; and state AG investigation calls arrive on each AG's independent enforcement calendar in a different phase for each of five major state enforcement offices. BIPA's Cothron per-scan exposure structure adds further pressure because mediator settlement authority calls arrive when the mediator assesses the defendant's range relative to the statutory maximum, not on the attorney's schedule. The combined annual billing gap is $13,000–$21,000/year.
Further reading
- Privacy class action attorney time tracking: BIPA per-scan fee petition arithmetic under Cothron, the CCPA § 1798.150 cybersecurity expert call cycle, and state privacy AG parallel investigation billing — long-form companion covering the fee petition mechanics: how Cothron per-scan arithmetic transforms BIPA § 20 fee petition degree-of-success analysis (a $12M settlement against a $7.56B per-scan maximum triggers Hensley proportionality challenges); the biometric scan count expert call cycle as both the settlement value driver and the fee petition methodology foundation; the CCPA § 1798.150 cybersecurity expert call cycle and CAFA AG notice advisory gap; and the In re Bluetooth common-fund lodestar cross-check vulnerability from missing scan count expert entries; full arithmetic: 53.1 untracked hours = $23,895–$39,825/year at $450–$750/hr
- Data privacy attorney time tracking — individual data privacy advisory billing gaps: CCPA data subject request coordination, state privacy AG investigation, GDPR cross-border advisory; the companion page for non-class-action privacy work
- Class action defense attorney time tracking — Rule 23 class certification response, co-defendant JDA coordination, CAFA settlement administration; the companion page for class action defense billing gaps that apply across all class action practice areas
- Cybersecurity attorney time tracking — data breach incident response calls and FTC cybersecurity enforcement advisory calls that run parallel to CCPA class action coordination in breach-triggered privacy class actions
- Consumer protection attorney time tracking — CFPB and FTC consumer protection enforcement advisory calls that often accompany CCPA enforcement actions and parallel state privacy AG investigations
- Securities fraud civil defense attorney time tracking — PSLRA discovery stay and SEC parallel investigation coordination calls for cases where a privacy data breach triggers securities fraud class action under Rule 10b-5 materiality for security incident disclosure failures
- Section 1983 civil rights attorney fee petition mechanics — § 1988 fee petition mechanics for any BIPA or privacy case that includes a § 1983 constitutional claim against a government actor using biometric data collection