California Bill for CCPA Whistleblower Protections and Awards

CA CPPA Newsroom

Published February 24th, 2026

Detected February 27th, 2026

Summary

The California Privacy Protection Agency (CalPrivacy) is sponsoring AB 2021, a bill to establish whistleblower protections and an award program under the California Consumer Privacy Act (CCPA). The bill aims to incentivize individuals to report violations and protect them from retaliation.

View original document View source feed page

What changed

Assemblymember Pilar Schiavo, sponsored by the California Privacy Protection Agency (CalPrivacy), has introduced Assembly Bill 2021 (AB 2021), titled the Whistleblower Protection and Privacy Act. This bill seeks to create comprehensive whistleblower protections within the California Consumer Privacy Act (CCPA) framework. Key provisions include establishing an award program to incentivize individuals to report potential CCPA violations and implementing anti-retaliation measures to safeguard whistleblowers from adverse actions by their employers. The bill is modeled after similar whistleblower laws in financial services and anti-fraud contexts, allowing whistleblowers to receive a portion of enforcement awards and prohibiting employer retaliation.

This proposed legislation will have significant implications for technology and data-driven companies operating in California. Companies will need to ensure robust internal compliance mechanisms are in place, as the bill is designed to empower insiders to report potential misconduct. Compliance officers should monitor the progress of AB 2021 through the legislative process. If enacted, companies must update their policies and practices to prevent retaliation against employees who report potential CCPA violations. The bill's success hinges on its ability to encourage insider reporting, thereby increasing transparency and accountability in California's privacy landscape. The comment deadline for this bill is not specified in the provided text, but its legislative status suggests a need for proactive review and potential engagement.

What to do next

Monitor the legislative progress of Assembly Bill 2021 (AB 2021).
Review internal policies and procedures related to data handling and employee reporting of potential privacy violations.
Prepare for potential updates to CCPA compliance strategies if AB 2021 is enacted.

Source document (simplified)

Newsroom

CalPrivacy Sponsors Whistleblower Protection Bill

February 24, 2026

SACRAMENTO, CA — Assemblymember Pilar Schiavo introduced AB 2021, sponsored by the California Privacy Protection Agency (CalPrivacy), to establish comprehensive whistleblower protections under the California Consumer Privacy Act (CCPA). The bill, known as the Whistleblower Protection and Privacy Act, supports whistleblowers in two key ways — by creating an award program to incentivize these individuals to speak up about potential violations and by establishing anti-retaliation provisions to protect them once they come forward.

“Companies are collecting and selling data about our children, family, friends, and neighbors every day. California’s privacy laws create strong protections on what companies can collect and sell, but illegal handling still happens,” said Ass emblymember Schiavo. “ CalPrivacy does everything it can to find and penalize bad actors, but the whistleblower protection and support AB 2021 provides will allow experts with insider knowledge to help CalPrivacy take action quickly to stop companies that harm us and our loved ones by unlawfully selling our private or sensitive data.”

Technology and data-driven companies often have complex business practices that are intentionally hidden from the public for competitive advantage. This lack of visibility can cloak wrongdoing and make it time-consuming for regulators to uncover potential violations. Whistleblowers are critical in exposing misconduct. However, coming forward is risky without legal protections. Whistleblowers can face job loss, isolation, and even lawsuits.

“In our data-driven economy, where companies typically process personal information behind closed doors, privacy laws work best when insiders can report violations without fear,” said Tom Kemp, Executive Director of CalPrivacy. “All the privacy rules in the world mean little if the people who see violations can’t speak up without losing everything.”

AB 2021 supports whistleblowers by offering financial incentives to encourage these individuals to speak up and by protecting them from retaliation after coming forward. Similar to whistleblower laws in the financial services and anti-fraud contexts, the bill allows whistleblowers to share in a portion of an enforcement award and, at the agency’s discretion, permits their attorney to collaborate on the action. Additionally, like many other California laws, employers are prohibited from retaliating against whistleblowers when they report. Taken together, these provisions encourage and protect whistleblowers.

“Anti-retaliation alone does little to motivate whistleblowers to take the first step,” said Maureen Mahoney, CalPrivacy’s Deputy Director of Policy & Legislation. “We’re grateful to Assemblymember Schiavo for authoring this bill that provides real support to the brave individuals who come forward to protect the privacy of Californians.”

Whistleblower protections are one of the key elements recommended for technology laws in a report issued last year by the Joint California Policy Working Group on Frontier AI Models. CalPrivacy is proud to sponsor this important bill which seeks to implement that recommendation and increase transparency and accountability in California’s privacy law.

About Us

The California Privacy Protection Agency (CalPrivacy) is committed to promoting the education and awareness of consumers’ privacy rights and businesses’ responsibilities under the California Consumer Privacy Act, Delete Act, and Opt Me Out Act.

Consumers can visit Privacy.ca.gov to access helpful and up-to-date information and tips on how to exercise their rights, protect their personal information, and learn about the Delete Request and Opt-out Platform (DROP). In addition, CalPrivacy’s website provides important information about Board Meetings, announcements, and the rulemaking process.