Privacy Whistleblowers Eligible for Significant Awards and Protections Under Proposed California Bill

The already demanding compliance landscape created by the California Consumer Privacy Act (CCPA) and California’s ever-expanding patchwork of privacy laws is set to face heightened scrutiny. Assembly Bill 2021 (AB 2021), if enacted, would incentivize whistleblowers to report CCPA violations by awarding them between 15% and 33% of all fines collected through an administrative enforcement action or settlement arising from their complaint, while simultaneously shielding them from employer backlash.

Given that CalPrivacy’s prior enforcement actions have resulted in fines upward of $1.35 million, awards under AB 2021 could represent a substantial windfall for whistleblowers. In light of the heightened attention and escalating enforcement climate, and to the extent not already a regular part of their operations, companies subject to the CCPA should consider implementing mechanisms to continuously assess their compliance measures and be prepared to evidence defensible risk management approaches respecting data privacy.

Whistleblower Complaints and Awards

AB 2021 would allow whistleblowers to submit a complaint disclosing material information pertaining to a company's CCPA violation(s) directly to CalPrivacy, with the assistance of an attorney. To guard against employer retaliation, the Bill permits anonymous submissions, provided the whistleblower’s attorney certifies, under penalty of perjury, the whistleblower's identity and the accuracy of the complaint. Upon receipt, CalPrivacy would be authorized to pursue an enforcement action against the company for the alleged violation(s).

Where CalPrivacy designates a complaint for administrative enforcement, AB 2021 would entitle the whistleblower to collect between 15% and 33% of the fines recovered through the resulting administrative action or settlement. The precise award percentage would turn on factors including “[t]he significance of the information provided by the whistleblower to the success of the administrative enforcement action or settlement.” The agency could compound a company’s overall fines by assessing an additional administrative penalty to cover the whistleblower’s reasonable attorney’s fees.

Protections for CCPA Whistleblowers

Beyond the award scheme, AB 2021 would introduce broad protections for individuals who file CCPA complaints. Any employee, contractor, or agent discharged, demoted, suspended, threatened, harassed, or in any other manner discriminated against in the terms and conditions of employment because of steps taken in furtherance of a whistleblower complaint would be entitled to relief. Available remedies include reinstatement, two times the amount of back pay plus interest, and compensation for special damages. The Bill also permits punitive damages to be assessed against retaliating employers.

Recommendations for Companies

In light of the heightened scrutiny and escalating enforcement environment, companies should consider:

  • Conducting a full audit and implementing regular reviews of their CCPA compliance program. A comprehensive audit allows companies to identify and remediate gaps in their privacy practices before they become the subject of a whistleblower complaint. Given that AB 2021 would financially reward individuals for surfacing violations, proactive self-assessment and regular reviews are a critical first line of defense and demonstrate good-faith compliance efforts to regulators if an enforcement action does arise.
  • Implementing a robust internal whistleblower process and addressing any internal staff complaints and concerns promptly and in good faith. Providing employees, contractors, and agents with a trusted internal channel to raise privacy concerns makes it less likely they will turn to external reporting mechanisms such as AB 2021. A well-functioning internal process can surface compliance issues early, allow the company to remediate them voluntarily, and reduce the risk that grievances escalate into formal whistleblower complaints to CalPrivacy.
  • Fostering a collaborative and cooperative work environment that promotes a culture of resolving privacy issues as a team. Companies that treat privacy compliance as a shared organizational responsibility, rather than the exclusive domain of legal or IT, are better positioned to identify and address issues before they rise to the level of regulatory violations. A culture of openness also reduces the conditions that give rise to whistleblowing in the first place, namely employees who feel their concerns are being ignored or suppressed.
  • Reviewing and strengthening confidentiality and data handling agreements. Whistleblower complaints are more likely to originate from individuals with insider access. Companies should review NDAs, employment agreements, and data access protocols, not to suppress legitimate reporting, but to ensure sensitive compliance information is appropriately compartmentalized.
  • Training employees and managers on privacy compliance obligations. Many CCPA violations stem from operational gaps rather than deliberate misconduct. Regular, role-specific training reduces the risk of violations occurring in the first place and signals a good-faith compliance culture to regulators.
  • Assessing third-party vendor and contractor compliance. AB 2021 whistleblowers need not be direct employees—contractors and agents are explicitly covered and can entangle companies in problems that they did not originate. Companies should audit service provider agreements and data processing practices, as third-party violations can still expose the company to enforcement risk.
  • Engaging outside privacy counsel to evaluate enforcement exposure. Given the financial stakes, a privileged assessment of current CCPA compliance gaps, before a whistleblower complaint surfaces, may be prudent.
  • Monitoring legislative developments in California and other states pursuing comparable privacy whistleblower legislation. AB 2021 may be an early indicator of a broader legislative trend. Several states have been expanding their privacy enforcement frameworks, and whistleblower incentive programs have proven effective in analogous regulatory contexts, such as securities and tax enforcement. Staying ahead of emerging developments allows companies to adapt their compliance programs in advance rather than in response to new legal obligations.

Freshfields is closely monitoring the progress of AB 2021 and related privacy legislative developments. Please reach out to your usual Freshfields contact if you have questions about how this legislation may affect your organization.
