AB 2021 adds a formal whistleblower mechanism to the California Consumer Privacy Act (CCPA) enforcement framework and directs the California Privacy Protection Agency (CPPA) to review and, where appropriate, designate those complaints for administrative enforcement. The bill defines “original information” and “original source,” requires whistleblower complaints to be submitted through counsel (with narrow paths for anonymous filing), and conditions eligibility for awards on counsel representation and declarations under penalty of perjury.
If the agency designates a complaint for enforcement and the whistleblower is eligible, AB 2021 requires the agency to award the whistleblower at least 15% but no more than 33% of fines collected (calculated after the statutorily required 5% grant allocation). The bill establishes a new Consumer Privacy Whistleblower Subfund to hold awards and any attorney-fee penalties, preserves confidentiality of whistleblower identities (with agency exceptions), and creates a private civil remedy for employees, contractors, and agents who suffer retaliation for whistleblowing.
At a Glance
What It Does
Creates a route to submit CCPA whistleblower complaints to the California Privacy Protection Agency, lets the agency designate complaints for enforcement, and mandates whistleblower awards equal to 15–33% of collected administrative fines (after the 5% grant allocation). It also permits the agency to assess a penalty to cover a whistleblower’s attorney fees and creates a dedicated whistleblower subfund.
Who It Affects
Directly affects the California Privacy Protection Agency, businesses and service providers subject to the CCPA, employees/contractors with inside knowledge, and private attorneys who will file and prosecute whistleblower complaints. It also affects the allocation of funds within the Consumer Privacy Fund.
Why It Matters
The bill converts confidential insider tips into a structured bounty-and-enforcement pipeline, shifting a portion of enforcement incentives toward private counsel and whistleblowers, changing how CPPA sources investigations, and altering the funding mix available to the agency and grant programs.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB 2021 adds new definitions and a pathway that turns insider knowledge about CCPA violations into formal whistleblower complaints filed with the California Privacy Protection Agency. The bill defines “original information” and “original source” narrowly so that only information derived from the whistleblower’s independent knowledge or analysis qualifies, and it requires complaints to include substantially all material evidence the whistleblower possesses.
To be eligible for an award, a whistleblower must submit a complaint through counsel; the attorney files the complaint both by certified mail and electronically through the agency website. The agency may designate complaints for administrative enforcement but retains discretion over whether to pursue enforcement and how to use the information provided.
The attorney who files the complaint may assist the agency but may not represent the agency in the enforcement action.If the agency designates a complaint and the whistleblower meets eligibility requirements, the agency must award the whistleblower between 15% and 33% of fines collected in that enforcement action or settlement, after the statutorily required 5% allocation to the Consumer Privacy Grant Subfund. The agency must consider factors such as the significance of the whistleblower’s information, the degree and timeliness of cooperation, resources conserved, remediation efforts, and unique hardships when setting the award percentage.The bill also permits anonymous filings but requires the whistleblower’s attorney to verify identity and certify completeness under penalty of perjury; prior to payment the whistleblower must disclose their identity to the agency.
Whistleblower identities are confidential and exempt from the California Public Records Act except when disclosure is necessary to advance an investigation or enforcement action. Separately, the agency may assess an administrative penalty to cover a whistleblower’s reasonable attorney’s fees; those sums, and whistleblower awards, are deposited into a newly created Consumer Privacy Whistleblower Subfund and paid out only upon legislative appropriation.Finally, AB 2021 creates a private civil remedy for employees, contractors, and agents retaliated against for lawful acts in furtherance of a whistleblower complaint or to stop CCPA violations.
The remedy includes reinstatement, double back pay with interest, special damages, attorney’s fees, possible punitive damages, and a three-year statute of limitations.
The Five Things You Need to Know
The agency must pay eligible whistleblowers between 15% and 33% of fines collected in an enforcement action or settlement, calculated after the 5% grant allocation to the Consumer Privacy Grant Subfund.
A whistleblower must be represented by an attorney to be eligible; counsel must file the complaint by certified mail (return receipt requested) and electronically via the agency’s website.
Anonymous complaints are allowed only if the whistleblower’s attorney certifies—under penalty of perjury—that they verified the whistleblower’s identity and reviewed the complaint for completeness and truthfulness; the whistleblower must reveal their identity to the agency before any award is paid.
The bill creates a Consumer Privacy Whistleblower Subfund to hold whistleblower awards and any attorney-fee penalties; award and fee payments are subject to legislative appropriation.
Employees, contractors, and agents who suffer retaliation for whistleblowing can sue for reinstatement, twice back pay plus interest, special damages, attorney’s fees, and possibly punitive damages, with a three-year time limit to bring suit.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions: original information and original source
This section narrows qualifying whistleblower disclosures by defining “original information” as information derived from the whistleblower’s independent knowledge or analysis and not already known to the agency (unless the whistleblower was the original source). It also defines “original source” with time and contribution thresholds (voluntary disclosure to the state prior to a public disclosure, or materially added knowledge). Practically, this shuts down bounty claims based solely on public reports or media and limits awards to insiders or investigators who bring material new facts.
Adjusting fine allocations to account for awards
The amendment preserves the statutory fine caps for administrative enforcement but changes the deposit language so that the amount going into the Consumer Privacy Subfund is reduced by any whistleblower award the agency determines payable. In practice, awards will reduce the agency’s net receipts from fines and therefore the pool the agency can immediately use for enforcement absent future appropriations.
Creates the Consumer Privacy Whistleblower Subfund and clarifies fund uses
This section adds a dedicated Whistleblower Subfund inside the existing Consumer Privacy Fund. The agency must deposit awarded sums and any attorney-fee penalty collections there; those funds are payable only upon appropriation. The provision keeps the existing Grant Subfund and its 5% allocation and preserves the agency’s exclusive use rules for other subfunds, but makes clear that awards reduce the already-designated enforcement subfund proceeds.
Submission and agency designation of whistleblower complaints
This short section authorizes anyone to submit a whistleblower complaint to the CPPA and gives the agency discretion to designate a complaint for administrative enforcement. It also clarifies that a whistleblower’s counsel cannot represent the agency in the resulting enforcement action and that agency action based on a complaint creates no private right of action on the agency’s behalf.
Award formula, factors, and attorney-fee penalty
The core mechanics live here: awards must be at least 15% and no more than 33% of collected fines (after the 5% grant allocation). The agency must decide the exact percentage in its final order and weigh factors such as informational significance, degree of cooperation, timeliness, resources conserved, remediation efforts, and unique hardships. The section also lets the agency impose an administrative penalty to compensate a whistleblower’s reasonable attorney’s fees; those penalties flow into the Whistleblower Subfund.
Eligibility rules, formalities, and disqualifications
This section requires whistleblowers to make a penalty-of-perjury declaration that the complaint information is true to the best of their knowledge and requires counsel to submit complaints via certified mail and electronically. It lists numerous disqualifiers—government or foreign data authority employees, close family members of such employees, persons convicted of related crimes, repeat filings based on the same facts, failure to assist in the investigation, and lack of counsel—narrowing who can receive awards and helping limit opportunistic claims.
Anonymous filings, confidentiality, and disclosure exceptions
AB 2021 permits anonymous submissions but makes the whistleblower’s attorney certify identity verification, review, and consent to disclose identity if needed to evaluate false-statement allegations. The bill designates whistleblower identities confidential and exempts them from the California Public Records Act, while allowing the agency to require or disclose identity when necessary to advance an investigation or enforcement action. Importantly, the bill requires the whistleblower to reveal their identity to the agency before any award payment.
Anti-retaliation civil remedy for employees, contractors, and agents
This provision creates a private right for employees, contractors, and agents who suffer discrimination, discharge, or harassment for lawful whistleblowing or efforts to stop CCPA violations. Remedies include reinstatement with seniority, double back pay plus interest, compensation for special damages, reasonable attorney’s fees and costs, possible punitive damages, and any other relief the court deems proper, with a three-year limitations period.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Insider whistleblowers and their counsel — the bill creates a structured financial incentive (15–33% of fines) and a formal route to enforcement, plus confidentiality protections and statutory eligibility rules that professionalize bounty claims.
- California Privacy Protection Agency — CPPA gains a steady pipeline of investigative leads and outside assistance that can make enforcement more efficient, plus statutory factors to weigh when assessing the usefulness of tips.
- Consumers — indirectly benefit from expanded detection and remediation of privacy violations if whistleblower-driven enforcement exposes systemic problems that the agency then corrects, potentially increasing compliance across covered entities.
Who Bears the Cost
- Businesses and service providers subject to the CCPA — face higher enforcement risk, potential larger net payouts (fines plus attorney-fee penalties), and the prospect that insider tips will trigger investigations that might otherwise not occur.
- Employers — risk civil suits and enhanced remedies (double back pay, reinstatement, punitive damages) when employees or contractors allege retaliation for whistleblowing, raising HR and litigation exposure.
- California Privacy Protection Agency and state budget — the agency must manage whistleblower submissions, confidentiality obligations, and awards administration; awards and fee payments are subject to legislative appropriation, creating budgeting and timing complications and potential payment delays.
Key Issues
The Core Tension
The bill’s central dilemma is this: increase enforcement by financially rewarding insiders and thereby surface concealed CCPA violations, or preserve public oversight and guardrails by limiting private bounty incentives and maintaining the agency’s full fine revenues for public enforcement—AB 2021 does both and in doing so risks empowering private counsel and diverting funds the agency would otherwise use for direct enforcement.
AB 2021 trades stronger incentives for the risk that whistleblower-driven enforcement shifts the locus of power toward private counsel. By requiring attorney representation and allowing attorneys to file and certify anonymous complaints, the bill professionalizes bounty claims but also creates market opportunities for contingency-fee litigation and potential conflicts of interest where counsel drive filings for fee capture rather than public interest.
The bill attempts to curb opportunism through tight definitions (original information, original source), multiple disqualifications, and a penalty for materially false statements, but those safeguards depend heavily on agency screening and later judicial review.
Another practical tension is fiscal: awards and attorney-fee penalties are deposited into a new Whistleblower Subfund but are payable only on appropriation. The statute simultaneously reduces the agency’s immediately available share of fines by the award amount.
That creates a timing mismatch where the CPPA may lose enforcement resources at the moment it gains new investigative leads, and whistleblowers may face uncertain timing of actual payments. Confidentiality rules protect whistleblowers from public exposure, but exempting identity from public records and allowing agency disclosure when needed creates discretionary judgments that could be litigated, particularly where the public interest in disclosure conflicts with witness safety or employer due process rights.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.