“Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.”[1]
This year, nonprofits are advised to be especially attentive to emerging data privacy requirements. Six states adopted comprehensive data privacy laws in 2023 (Oregon, Texas, Tennessee, Montana, Iowa, and Indiana), making a total of eleven states that have done so in the past three years. Of these eleven, Colorado and Oregon offer virtually no nonprofit exemptions under their state statutes, and other state exemptions may be less inclusive than expected.
The new laws potentially impact nonprofit website operations and nonprofits’ handling of wide ranging personally identifiable information (PII) including donor information, program participants, charitable beneficiaries, employee information, newsletter programming, texting, phoning, and other online outreach. This article provides an action-oriented framework to equip nonprofit leaders to navigate the changing terrain of data privacy legal compliance in the following ways.
1. Understand the specifics of each law: The new state laws differ from each other, in some cases significantly. Nonprofit operational teams should familiarize themselves with each law’s requirements.
2. Identify and categorize collected data: Identify the types of personal information collected and processed, the purpose of collection, and who it is shared with.
3. Implement privacy policies: Ensure your privacy policy is up-to-date, clear, and reflects the organization’s actual practices.
4. Invest in secure data storage and management systems: The new state laws demand stringent data security measures. Nonprofits should evaluate their data storage and management systems to ensure they are secure.
5. Prepare for possible breaches: Certain statutes impose new, augmented data breach response requirements, for which nonprofits are well-advised to implement data breach response plans.
6. Train staff: Nonprofits should regularly train staff and volunteers concerning the importance of data privacy and applicable compliance requirements.
7. Conduct regular audits: Regular audits of organizational data handling help improve ongoing compliance and provide opportunities for adjustments as necessary.
The next sections, starting with recent history of data privacy law in the US, expound the above recommendations in light of the new 2023 state statutes and their applicability to nonprofits.
Part 1 – Historical Context of Data Privacy in the US
Unlike international privacy law, which is shaped by large, comprehensive national frameworks, such as the EU’s General Data Protection Regulation (GDPR), US regulation of data privacy has historically been according to a patchwork of case-specific federal statutes and a few individual state laws.
The Federal Amalgam of Privacy Laws, Pre-2020
Major federal laws have historically laid the groundwork for modern privacy regulation in the US. These include the FTC Act (which targets unfair/deceptive commercial practices), GLBA (relating to nonpublic personal information by financial institutions), HIPAA (focusing on health data), COPPA (protecting children’s online privacy), CAN-SPAM (controlling non-solicited pornography and marketing), and TCPA (affecting things like auto dialers and automated text messages for donor outreach). Many nonprofits have routinely conformed their data handling practices to these relatively well-known federal laws.
Recently, the American Data Privacy and Protection Act (ADPPA) had the potential to radically reshape the landscape of US privacy law. Approved by the House Committee on Energy and Commerce in July 2022, the ADPPA aimed to transform the current amalgam-like approach to privacy law by pre-empting existing state laws, broadening the jurisdiction of the FTC, and introducing potential exemptions. Among the key features of the ADPPA were enhanced data control for consumers, increased transparency, special protections for children under 16, the establishment of data security protocols, anti-discrimination measures, and the creation of Data Protection Officers or equivalents. However, the bill stalled waiting for approval by the full U.S. House of Representatives last year.
State Level Requirements, Pre-2020
Prior to 2020, like their federal counterparts, several state laws formed an uneven mixture of US privacy law, with California’s Consumer Privacy Act (CCPA) being an outlier in terms of its comprehensive approach. Other notable state laws include the Massachusetts Data Security Regulation (protecting sensitive data), Maine’s Act to Protect the Privacy of Online Consumer Information (regulating internet service providers), and Nevada’s online privacy laws (regulating the sharing and sale of personal information).
It is also worth noting that all 50 states have adopted statutory requirements related to data breaches. Nonprofits are generally subject to such data breach notification laws.
2021-2022 State Level Frameworks Expand
The years 2021 and 2022 marked a period of rapid development in US privacy law. Specifically, in 2021-22, several states adopted comprehensive data privacy frameworks: Utah, Colorado, Virginia, Connecticut, and California. The new laws mirrored the California statute in protecting US consumer privacy rights such as the right to access, delete, and port data, as well as the right to opt out of certain data processing activities. These laws also imposed various obligations on businesses, including the need for increased transparency, consent to process children’s personal information, and enhanced security measures. Importantly, the laws also provided for enforcement through respective state attorneys general and at least one (CCPA/CPRA) established a private right of action.
Notably, among these new legislative measures, Colorado’s statute stands out as it does not offer nonprofit organizations an exemption from compliance.
Part II - 2023 Developments in US Privacy Law
Federal Proposals
Following ADPPA’s failure to pass the House in 2022, federal lawmakers have renewed their commitment to advancing data privacy legislation. However, their approach in the 118th Congress has been fragmented, addressing the issue through various measures rather than a single, cohesive strategy. In the first half of 2023, six distinct bills related to consumer privacy have been introduced, with two of them— the Data Care Act and the Online Privacy Act—standing out as comprehensive consumer privacy frameworks, both as revamped versions of ADPPA.
Four narrower bills have also been introduced. These include (1) the Informing Consumers about Smart Devices Act, which requires device makers to disclose any cameras or microphones; (2) the UPHOLD Privacy Act, which establishes protections for personally identifiable health and location data; (3) the DELETE Act, which would direct the FTC to create a system for individuals to request the deletion of their personal information from data brokers; and (4) the Stop Spying Bosses Act, which focuses on providing workplace privacy.
The development of the new bills underscores the federal government’s recent emphasis on privacy concerns. While Congress has not yet passed a comprehensive federal privacy law, nonprofits are still subject to current federal privacy laws, including COPPA, HIPAA, CAN-SPAM, and TCPA, as outlined above. For now, nonprofits should monitor new federal developments, but prioritize their attention on the evolving state-level privacy law landscape, which is discussed in more detail in the next section.
2023 State Developments and General Applicability Issues
In 2023, the number of states enacting comprehensive data privacy laws has more than doubled, with six new state statutes passing in the last several months.
In terms of applicability, as discussed above, nonprofits are generally subject to the requirements of the new Oregon law, just as they are to the requirements of the Colorado statute. Beyond that, the nonprofit exemptions require careful reading of the statutes and application to specific facts.
What does “nonprofit” mean?
At issue for purposes of the exemption under the various statutes is the definition of “nonprofit”. In some cases, “nonprofit” is tied to the entity’s federal tax exemption under certain subsections of 501(c) of the Internal Revenue Code (IRC), not to its state classification as a nonprofit corporation. For example, under Montana’s new statute, certain nonprofits – like labor unions, fraternal benefit societies, and social clubs – would not be exempt from the law’s requirements because organizations described under sections 501(c)(5), 501(c)(7), and 501(c)(8) are not included in the definition of “nonprofit.” Social welfare organizations described under IRC Section 501(c)(4) are considered “nonprofit” for the purposes of statutory exemption in Montana, though would not be “nonprofits” for the purpose of exemption under Indiana’s statute.
Where is the “nonprofit” formed?
To further complicate the analysis, it is worth noting that some state’s nonprofit exemptions arise from an entity’s jurisdiction of formation – that is, formation under that state’s nonprofit corporation statute (sometimes in conjunction with tax exemption classification). Therefore, the exemption may be inapplicable to an entity formed under the law of a different state. For example, in Texas, an entity qualifies for the “nonprofit” exemption if it is formed under nonprofit corporate laws of Texas or is exempt under IRC section 501(c)(3), 501(c)(4), 501(c)(6), 501(c)(12), or 501(c)(19). Given the foregoing, if an Oklahoma nonprofit social club described under IRC section 501(c)(7) handled the personal information of Texas residents inconsistently with the Texas data privacy statute, it could be subject to the Texas attorney general’s intervention, because it was not formed under the Texas nonprofit statute, and section 501(c)(7) is not one of the enumerated tax classifications Texas designates as “nonprofit” for purposes of the act.
In view of the foregoing complexities, exemption should be assessed on a state-by-state basis in view of the organization’s tax classification, state of incorporation or formation, and expected operations.
Part III – 2023 State Statutes Breakdown
This section provides a breakdown of the six newest state statutes and notable aspects of each law. We have divided the states by their nonprofit exemption or lack thereof. Such exemption, as discussed above, depends on how the term “nonprofit” is defined. We focus more on the new Oregon statute, because of its general applicability to nonprofits, but also briefly discuss the other five states’ statutes for nonprofits seeking to undertake broad compliance efforts, discussed further below.
No Exemption for Nonprofits
Oregon
The Oregon Consumer Privacy Act (OCPA), effective July 1, 2024, is a broad data privacy framework that does not provide an exemption for nonprofits. The OCPA contains the following key data privacy protection provisions.
• Consumer Rights and Controller Obligations: The OCPA places a strong emphasis on consumer rights, providing consumers with the ability to obtain disclosures related to their personal information, to request data deletion, and to exercise their right to opt out of data sales. Controllers[2] (including many nonprofits receiving user data on their websites and donor portals) are bound to honor these rights, and importantly, consumers have the right to nondiscrimination or restriction of organizational services should they choose to exercise any of their enumerated data rights.
• Deidentified Data: Controllers that possess deidentified data bear the responsibility of ensuring this data cannot be linked to individual identities. They are also obligated to refrain from reidentifying such data and must ensure third-party recipients adhere to the OCPA’s guidelines through contractual agreements.
• Data Protection Assessment: An essential part of OCPA involves controllers undertaking and documenting data protection assessments. Especially when their activities might pose heightened risks to consumers – such as through profiling or targeted advertising – they are mandated to undergo these assessments. These assessments must be maintained for at least five years and be treated as confidential information.
• Oversight by the Attorney General: As the OCPA’s chief enforcement officer, the attorney general holds sweeping powers under the OCPA. From demanding testimonies and documents to imposing substantial penalties for violations (up to $7,500), the attorney general’s role is to ensure compliance with the OCPA’s provisions.
• Nonprofit Organizations: Notably, the OCPA’s scope encompasses a wide array of entities. Nonprofit organizations are not exempt, underscoring the OCPA’s intention to provide data protection across the board.
• No Private Right of Action: It’s significant to note that while the attorney general has authority to enforce the OCPA’s provisions, the act does not establish a private right of action. Thus, individual consumers cannot bring lawsuits based on violations of the OCPA.
Exemptions for Certain Nonprofits Described Under Section 501(c) of the Internal Revenue Code
As discussed above, the next two states provide nonprofit exemptions from their statutes based on the federal tax classification of certain entities.
Montana
The Montana Consumer Data Privacy Act (MCDPA), effective October 1, 2024, limits collection of consumer data to necessary extents and imposes data security practices. Nonprofits with federal tax exemption under IRC sections 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) are exempt under the act. Enforcement falls to the attorney general and requires a notice of violation before any legal action. Controllers holding deidentified data must prevent its association with individuals and ensure non-reidentification.
Indiana
The Indiana Consumer Data Protection Act (ICDPA), effective January 1, 2026, limits its exemptions for nonprofits to those described under IRC sections 501(c)(3), 501(c)(6), or 501(c)(12). The ICDPA establishes guidelines on consumer data protection, defining terms, outlining controller responsibilities, specifying consumer rights (including data access, correction, and deletion), and setting requirements for data processing and impact assessments. The act also delimits the scope of applicability, gives the attorney general enforcement authority, preempts local data processing regulations, and authorizes the publication of resources on the attorney general’s website.
Exemption for In-State Nonprofits and Certain Nonprofits Described Under Section 501(c)
The following statutes provide an exemption for nonprofits, where “nonprofit” is at least partially defined with reference to incorporation under the state’s statutes. These states also exempt organizations described under some subsections of IRC 501(c). As discussed above, nonprofit leaders should understand that such exemptions may not be applicable to nonprofits from other states.
Iowa
Iowa Consumer Data Protection Act (ICDPA), effective January 1, 2025, protects consumers’ data rights, including the right to access, delete, and opt-out of data sales. Controllers must respect data use limits, ensure security, gain explicit consent, and remain transparent. Furthermore, controllers may not discriminate against consumers exercising their rights. Enforcement lies with the attorney general, with penalties for violations.
Texas
The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, which exempts nonprofits from compliance, features unique applicability thresholds requiring compliance from entities that (1) conduct business in Texas, (2) process or sell personal information, and (3) are not classified as "small businesses" by U.S. Small Business Administration (SBA) standards. The TDPSA mandates explicit disclaimers in privacy notices for companies intending to sell sensitive or biometric information.
Exemption for In-State Nonprofits and All Nonprofits Described Under Section 501(c)
Tennessee
The Tennessee Information Protection Act (TIPA), effective July 1, 2025, contains the broadest definition of “nonprofit” including not only corporations formed under the state’s nonprofit corporation law, but also entities exempt from federal income under any subsection of IRC section 501(c), as well as any entity owned or controlled by a nonprofit organization. Most nonprofits should be exempt under the TIPA, regardless of the state of formation. Apart from the broad exemption, the TIPA focuses on consumer rights, allowing consumers to control, manage, and delete personal information, and to opt out of certain data processing activities. Additionally, Tennessee’s new statute provides a safe harbor for entities adhering to NIST security standards[3]. Such safe harbor is the first of its kind. The TIPA defines “personal information” as data linked or reasonably linkable to an identified individual. Enforcement rests with the attorney general, who can impose adjusted civil penalties up to $7,500 per violation.
Part IV – Consider: Is Data Privacy Compliance a “New Normal” for Nonprofits?
Given the speed with which data privacy statutes have developed, nonprofits are well-advised to recalibrate their thinking on operational compliance with these new statutes. Specifically, nonprofit leaders should consider the following compliance and implementation issues. Even when a statute might technically exempt a nonprofit, there are advantages in proactively adopting compliance measures.
1. Interactions with Non-exempt Entities: Even if a nonprofit is exempt, it often interacts with other entities that are subject to compliance requirements. Nonprofit compliance eases collaboration and data sharing with these entities.
2. Reputation and Trust: By voluntarily adhering to data protection and other compliance standards, nonprofits demonstrate their commitment to ethical practices. This may enhance organizational reputation and build greater trust with stakeholders, donors, and beneficiaries.
3. Future-proofing: Regulatory landscapes change quickly – as we have seen this year. By proactively adopting compliance measures, nonprofits position themselves advantageously should they later fall under regulatory scrutiny or should the statute change to include them.
4. Reduced Risk: Compliance often involves best practices that minimize risks. By following these practices, nonprofits can help prevent data breaches, financial irregularities, and other issues that could harm their reputation or result in legal action.
5. Operational Consistency: If a nonprofit operates in multiple jurisdictions or has dealings with entities in regions where such regulations are stringent, adopting a consistent approach to compliance may simplify operations.
6. Donor and Partner Expectations: Modern donors, partners, and stakeholders might expect exempt organizations to adhere to certain standards. Meeting these expectations may enhance relationships and funding opportunities.
For the foregoing reasons, even when certain statutory obligations might not apply, a proactive approach to compliance can offer numerous advantages.
Part V – Going Forward: Data Privacy Compliance Implementation
Nonprofit leaders are well advised to implement data privacy compliance for their organizations first as legally obligated, and further to augment policies and practices to their benefit, as outlined in the previous section.
1. Understand the specifics of each law: Nonprofits should work with qualified counsel to understand each law’s requirements and applicability to their specific corporate structure and operations. This initial evaluation should equip nonprofit leaders to develop a list of obligations that significantly informs the organization’s compliance efforts.
2. Identify and categorize collected data: Nonprofits should conduct an initial data audit to determine the specific types of personal information they collect and process. An audit will include descriptions of data types, including demographic, behavioral, and other relevant categories. The organization should understand the purpose for data collection, for example, for donor management, event registrations, volunteer coordination, or other organizational functions. Nonprofits should identify and document all entities or partners with whom they share this data, be they third-party vendors, affiliate organizations, or service providers.
3. Develop and implement privacy policies: Nonprofits should review and, if necessary, revise their privacy policies to ensure they remain current and accurately represent the organization’s data collection and processing practices. Privacy policies should be clear and understandable, and they should provide information concerning the ways in which the organization manages, stores, and shares personal information. Furthermore, nonprofits should ensure that the practices described in the policies are consistently upheld throughout their operations. Practices must match disclosures. Regular assessments and updates to privacy policies are essential, particularly considering evolving regulatory requirements and the dynamic nature of data-driven activities.
4. Invest in secure data storage and management systems. Nonprofits should undertake a comprehensive evaluation of their data storage and management systems to ascertain security strength and vulnerabilities and to rectify identified weaknesses. It’s also prudent for nonprofits to stay updated with industry best practices in data security.
5. Prepare for possible breaches: With all 50 states having now implemented data breach response requirements, the onus on nonprofits to be proactive in their preparation has never been more important. Nonprofits should establish well-defined breach response protocols that delineate clear roles and responsibilities for team members during such events. This includes identifying key personnel who will take the lead in coordinating the response, communicating with affected parties, and liaising with relevant authorities.
It’s equally important to ensure that these protocols are regularly reviewed and updated to accommodate any changes in state requirements or best practices. Nonprofits should also consider conducting periodic breach simulation exercises to test and refine their response mechanisms. Being proactive in this manner not only mitigates risks but also demonstrates a nonprofit’s commitment to safeguarding its stakeholders’ data and trust.
6. Staff Training: Given the rapid changes in data privacy compliance, nonprofits should implement regular training sessions that orient volunteers and staff to these laws, discuss their relevance to the organization, and warn of the potential repercussions of noncompliance. Such training sessions should also offer practical guidance on how to handle personal information responsibly and recognize potential threats or breaches. To keep up with changes and updates in applicable law, it is advisable for nonprofits to provide refresher courses and continuous education opportunities.
7. Regular audits: Nonprofits should plan for regular audits of their data handling and storage practices. Such audits should help organizations both evaluate the effectiveness of current protocols and identify potential areas of vulnerability or noncompliance. It is advisable for nonprofits to engage qualified professionals specializing in data privacy regulations for these assessments, where possible.
[1] Steve Jobs, in an interview at the D8 conference in June 2010, interviewed by Walt Mossberg and Kara Swisher.
[2] “Controller” under the OCPA means a person that, alone or jointly with another person, determines the purposes and means for processing personal information.
[3] NIST (National Institute of Standards and Technology) security standards are a set of guidelines and best practices designed to assist organizations in managing and reducing cybersecurity risks, protecting information and information systems, and ensuring the integrity, confidentiality, and availability of data.
