Nonprofits and the California Consumer Privacy Act

In the past decade, our lives have become more "extremely online." From Myspace to Facebook to whatever hip new app the kids are into these days, we keep putting additional little bits of ourselves out into the public information space. But recently, more and more people have become aware of the dangers of oversharing. Data privacy laws have sprung up in response.

On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. (One note about the timing: while the law is currently in place, it specifies that California's attorney general will not enforce any actions under the law until July 1, 2020.)

While the law generally applies only to for-profit organizations, there are several instances where a nonprofit would need to evaluate their compliance:

• if the nonprofit controls or is controlled by a for-profit entity;
• if the nonprofit operates under a brand name it shares with a for-profit entity (such as a co-branded corporate foundation);
• if the nonprofit enters into a joint venture with a for-profit entity; or,
• if the nonprofit contracts with an entity that requires compliance with the CCPA.

Related to that final point, the Chronicle of Philanthropy points out, "While nonprofits are not covered by the law, the marketing companies that many large groups hire to work on direct-marketing appeals and other communications do have to comply." If your nonprofit works with one of these types of companies, you'll have to be aware of your organization's role in the data management process. This issue will mostly affect larger organizations that have the resources to rely on such for-profit companies to provide such services.

The cost for the use of these services may also increase, as service providers increase rates to compensate for the cost of compliance. In addition, as more people exercise their data privacy rights, the service providers, and the nonprofits they serve, may have less access to data to help find new donors or volunteers.

Even though the vast majority of nonprofit organizations in California are not currently affected by the law, many are preparing for future compliance; it is very possible that the law may someday be expanded to nonprofits. In addition, other states might adopt similar legislation. (For example, after the California Air Resources Board, or CARB, adopted stricter standards than the EPA for automobile emissions, 16 other states eventually signed on.)

Also, there are currently high thresholds for which businesses the law applies to (over $25 million in revenue, 50% of revenue from sales of consumer information, or the management of the information of over 50,000 users). It is very likely the thresholds could be lowered in the future.

Even if the law doesn't apply to your organization, voluntary compliance does offer some benefits. In the past, some people may have chosen to support a smaller organization specifically because they wanted to help an organization with less resources. However, will they continue to do so if the smaller organization does not offer the same privacy protections as larger organizations? By offering privacy assurances, you are also giving your organization a leg up on those who are not yet complying.

Whether or not your particular organization is currently affected by the law, here are some best practices to consider moving forward:

• Ensure your donors and volunteers that you will keep their information private, and set up methods for protecting their privacy, such as data encryption, limiting who has access to specific data, etc.
   
• Only collect the information you absolutely need. For example, if you do all of your requests for donations via email, do you need to collect phone numbers and addresses from donors? Also, some states have laws about what type of information is considered confidential and must be encrypted, such as social security numbers. Be sure to look into your local laws.
   
• Set up a process for dealing with privacy requests so that you can meet the needs of your donors and volunteers in a timely manner. If a person is requesting that their information be removed, he or she often wants it done NOW. A timely response can help boost your organization's reputation.

Your organization should try its best to be informed, transparent, and prepared. Take the time to learn about the laws affecting organizations in your state. Then inform your constituents about how you are meeting those privacy obligations. Lastly, try to go beyond the minimum amount of compliance. By taking additional steps now, you can save your organization plenty of work in the future.

Ultimately, the issue of data privacy comes down to trust between the individual and the organization handling the personal information. Your supporters trust you to do good work to make the world a better place. Don't lose their trust when it comes to privacy.