Data privacy whistleblowers would get expanded protections under California proposal

California privacy authorities are pushing legislation that would give corporate whistleblowers better protections for reporting data privacy violations, broaden residents’ personal data deletion rights and make it easier for individuals to submit privacy requests.

The California Privacy Protection Agency (CPPA), which has a track record of successfully advocating for proposals in the state legislature, approved the three draft bills on Friday. The agency recently scored a victory when Gov. Gavin Newsom signed a bill requiring web browsers to make it easier for consumers to opt out of data sharing.

The whistleblower protection proposal is especially significant. It includes anti-retaliation safeguards and financial rewards for insiders who make regulators aware of company practices that violate state privacy law. It also would allow officials in the CPPA enforcement division to collaborate with whistleblowers’ attorneys.

“A financial awards program would incentivize whistleblowers to come forward with original, valuable information for investigation,” a CPPA memo about the proposal says. “A financial incentive would help to even the scales for whistleblowers who worry about the repercussions of speaking out.”

The memo also says CPPA enforcers would benefit from whistleblowers’ expertise on “highly technical” aspects of data processing and emerging technologies, leading to a “higher volume of meritorious cases that the agency could pursue to hold businesses accountable for violations.”

The proposal for legislation expanding consumers’ data deletion rights centers on the fact that state law currently only gives consumers the right to tell businesses to delete data the business has collected from them. CPPA is seeking to broaden those protections to allow consumers to request that businesses delete personal information collected from third parties as well.

“The current right to deletion may create a false sense of protection by failing to address

the full scope of data a company may hold and use to make decisions about individuals,” according to the memo.

The CPPA’s third piece of proposed legislation would make it simpler for consumers to exercise their privacy rights by requiring businesses to offer multiple ways for individuals to make such requests. Currently, businesses only need to provide an email address for consumers to contact.

CPPA emphasized that brick-and-mortar stores must provide two or more ways for consumers to contact them with privacy-related requests, including a toll-free number.