Overview
On February 17, 2026, California Assembly Member Pilar Schiavo introduced California Assembly Bill 2021 (AB 2021), which proposes a whistleblower incentive program for the California Consumer Privacy Act (CCPA). The program would enable individuals to report companies' data privacy practices to the California Privacy Protection Agency (CalPrivacy), then receive an award equal to 15% to 33% of fines or settlement proceeds resulting from any subsequent CalPrivacy enforcement action based on the report. The initiative represents a possible paradigm shift in privacy enforcement. Currently, only the Washington My Health My Data Act contains a private right of action for violations of privacy law not associated with a data breach. While not a true private right of action, the California bill would represent a first-of-its-kind incentive for private actors (including employees) to report privacy issues to California regulators, upping the compliance stakes considerably.
To receive a financial award, whistleblowers would need to be represented by an attorney and declare under penalty of perjury that the information submitted with their complaint is true and correct to the best of their knowledge and belief. In the current webform, reporting individuals have the option of providing a sworn or unsworn . In addition to establishing a financial incentive for whistleblowers, the bill includes strong anti-retaliation protections for employees, and confidentiality provisions. An employee (including contractors and agents) would be entitled to pursue a civil action against their employer if their employer engages in "specified forms of discrimination in the terms and conditions of their employment" because of lawful acts done by the employee in furtherance of a whistleblower complaint or CalPrivacy enforcement action under the bill, or "other efforts to stop one or more violations of the CCPA." AB 2021 would also authorize a person to submit a whistleblower complaint anonymously and classify the person's identity as confidential and exempt from disclosure under the California Public Records Act.
If enacted, AB 2021 could significantly affect privacy compliance, internal reporting dynamics, and employer‑employee/contractor relationships for companies that process the personal information of California residents. While this program would be the first of its kind for data privacy violations, AB 2021 is similar in structure and purpose to the Securities and Exchange Commission's (SEC) whistleblower program (agency-driven without a private right of action) and the US Department of Justice's (DOJ) Civil-Cyber Fraud Initiative (intended to target cybersecurity noncompliance among defense contractors). Steptoe will continue to monitor this and other developments.