Employees with boots on the ground and direct insight into a company’s day-to-day operations and internal decision-making often know a company best. Often, they possess far more actionable information than regulators ever could. California is looking to capitalize on that knowledge by proposing a whistleblower incentive program for the California Consumer Privacy Act. If passed, AB 2021 (the Act) would offer whistleblowers financial incentives for reporting potential violations and would prohibit retaliation against them.
Financial Incentives
Under the Act, whistleblowers will be required to submit complaints to the California Privacy Protection Agency (CalPrivacy) for investigation. If CalPrivacy designates a complaint for administrative enforcement and it leads to a penalty or settlement, a whistleblower can receive between 15 percent and 33 percent of fines collected. Additionally, the Act requires whistleblowers to be represented by counsel but permits CalPrivacy to assess additional administrative penalties to cover the whistleblower’s reasonable attorneys’ fees. Whistleblowers are also allowed to submit complaints anonymously through counsel.
The US Securities and Exchange Commission’s (SEC) whistleblower program follows a similar regime and has seen success in incentivizing whistleblowers. In a 2025 report to Congress, the SEC reported it received approximately 27,000 whistleblower tips and made whistleblower awards totaling more than $60 million to 48 individuals. Since its inception in 2011, the SEC has awarded over $2.2 billion to hundreds of whistleblowers whose information contributed to successful enforcement actions.
Anti-Retaliation
The Act also creates protections against retaliation for employees, contractors, or agents who report or assist with whistleblower complaints and gives a new private right of action for retaliation related to CalPrivacy whistleblowing. The potential remedies include reinstatement, double the back pay, interest, compensatory damages, and attorneys’ fees.
While AB 2021 remains in the early stages of the legislative process, companies should monitor its progress closely. If enacted, the Act could take effect in January 2027 and would materially reshape privacy enforcement in California by encouraging increased scrutiny of operations from insiders with firsthand knowledge. Companies should view this proposal as a signal to proactively and critically evaluate and strengthen their privacy compliance programs now, before whistleblower incentives increase the likelihood that internal compliance gaps are brought to the attention of regulators.
The McCarter & English Cybersecurity & Data Privacy team will continue to monitor new developments and is available to advise on how your company can prepare for its potential impact. For more information, please contact the authors or any member of the McCarter & English Cybersecurity & Data Privacy team.
