Date: 2026-02-25

On February 17, 2026, California Assembly Member Pilar Schiavo introduced California Assembly Bill 2021 (AB 2021), which would amend the California Consumer Privacy Act of 2018 (CCPA) to create a formal whistleblower complaint and award program administered by the California Privacy Protection Agency (CalPrivacy). The concept of a whistleblower program was first discussed at CalPrivacy’s Board meeting in late 2025 and could have significant implications for companies doing business in California.

AB 2021’s Whistleblower Regime

If passed, AB 2021 would establish a program for individuals to submit whistleblower complaints to CalPrivacy regarding companies’ privacy practices. CalPrivacy could then designate those complaints for administrative enforcement. If the administrative enforcement process were to result in a monetary settlement or penalty, an eligible whistleblower could potentially receive an award between 15 and 33 percent of collected fines or settlement proceeds. Notably, though, a whistleblower must be represented by counsel in order to receive an award.

AB 2021 also includes anti-retaliation protections for employees and contractors, confidentiality safeguards for whistleblower identities, the ability to submit complaints anonymously through counsel, and authority for CalPrivacy to assess additional penalties to cover reasonable whistleblower attorney’s fees. AB 2021 would also create a new, standalone cause of action allowing employees, contractors, or agents to sue for retaliation related to CalPrivacy whistleblowing, with remedies that include reinstatement, two times the amount of back pay, plus interest, compensatory damages, and attorneys’ fees.

Comparable Whistleblower Regimes

While AB 2021 would establish the first-ever whistleblower regime related to privacy violations, its proposed regime contains elements of other whistleblower programs, such as the Securities and Exchange Commission’s (SEC) whistleblower program and the U.S. Department of Justice’s (DOJ) Civil-Cyber Fraud Initiative.

Like the SEC’s whistleblower program, AB 2021 does not permit whistleblowers to file a qui tam action—i.e., whistleblowers cannot initiate their own civil suits against companies for alleged privacy violations. Rather, whistleblowers must file a complaint with CalPrivacy, and then CalPrivacy can determine whether to further investigate or pursue the whistleblower complaint. Substantively, however, AB 2021’s closest analogue appears to be the DOJ’s Civil-Cyber Fraud Initiative. This initiative, which has been strongly enforced across administrations, seeks to ensure that defense contractors implement the information security requirements outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171.

Implications for Businesses

AB 2021, if enacted, is likely to cause significant challenges for organizations operating in California. Employees and contractors (both within and outside of California) would be incentivized to report, through their own counsel, potentially sensitive company information to the government, even if the company is actively working to meet its compliance obligations, and arguably even if the employee or contractor is directly responsible for compliance. In addition, the employee or contractor would be entitled to make the report anonymously (at least until an award is issued or unless disclosure is otherwise required by CalPrivacy). And, to the extent that the company were to learn of such reporting, the employee or contractor would be entitled to retaliation protections, even if the reporting was meritless or unwarranted, and even if the company was not subject to the CCPA in the first place. In turn, those protections would create litigation risks in disciplining or terminating the individual, even when such discipline or termination has nothing to do with the reporting.

In sum, companies doing business in California should be aware of AB 2021 and its potential implications, which could be significant both for companies’ privacy obligations and compliance as well as their employee and contractor relations.