“We need someone who is focused on our concerns, our issues … how we work and how we relate to our donors and fulfill our missions.” - Steve Abrahamson, Vice President, Direct Response, National Audubon Society

Legislation in the States

Last Updated January 2025

Included below:

Artificial Intelligence (AI)
Board Diversity
Consumer Data Protection & Data Privacy
Donor Privacy and Confidentiality
Charitable Solicitation
Nonprofit Governance
Salary Disclosure

This information is prepared by TNPA staff based on reports supplied by FOCUS, a Leonine business.

Artificial Intelligence (AI)

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: Colorado SB205 Colorado Becomes the First State to Enact Comprehensive AI Legislation. The new law becomes effective February 1, 2026. It applies generally to developers and deployers of “high risk AI systems,” which are defined as AI systems that make, or are a substantial factor in making a consequential decision. The law also defines “consequential decision” as “any decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of: (a) education enrollment or an education opportunity, (b) employment or an employment opportunity, (c) a financial or lending service, (d) an essential government service, (e) health-care services, (f) housing, (g) insurance, or (h) a legal service.”

The law is aimed at addressing AI bias, establishing a requirement of human oversight throughout the life cycle of AI systems, and requiring significant documentation around the use of AI.

It applies to any person doing business in Colorado who develops an “AI system” or deploys a “high-risk AI system.” In effect, this means that it applies to any organization using a high-risk AI system, whether or not that system is consumer-facing. Importantly, the law explicitly excludes a Private Right of Action, leaving enforcement solely to the Colorado Attorney General.

NOW LAW: California AB 2013/Chapter 817 was signed into law by Democratic Gov. Gavin Newsom on September 28, 2024 and takes effect on January 1, 2025. This law requires, on or before January 1, 2026, and before each time thereafter, that a generative AI system or service, or a substantial modification to such a system or service, released on or after January 1, 2022, is made available to Californians for use, regardless of whether the terms of that use include compensation, a developer of the system or service to post on the developer’s internet website documentation regarding the data used to train the generative AI system or service. Documentation is required to include a high-level summary of the datasets used in the development of the system or service.

NOW LAW: California SB 896/Chapter 928 was signed into law by Democratic Gov. Gavin Newsom on September 29, 2024 and takes effect on January 1, 2025. This law will bring the California Privacy Protection Agency into the reporting creation aspect of this bill. The law will create the Artificial Intelligence Accountability Act as a follow up to Sen. Bill Dodd’s, D-Napa, CR 17, as he stated in his press release. Additionally, the law requires state agencies to develop a risk report for potentially the most significant uses of artificial intelligence. It will also require state agencies to alert users when they are interacting with artificial intelligence.

PROPOSED BILLS:

California SB 1047 was vetoed by Democratic Gov. Gavin Newsom on September 29, 2024. It was not overridden. This bill would have established safety and security protocols for large developers of advanced AI models that require over $100 million to train or meet a certain computing power threshold. In his veto message, the governor stated that focusing on regulating large artificial intelligence models based on size and cost could create a false sense of security. He expressed concern that the bill’s approach may overlook potential risks from smaller, specialized models and could stifle innovation.

Board Diversity

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: Illinois SB 2930/Public Act 635 was signed by Democratic Gov. J.B. Pritzker on July 1, 2024 and effective as of January 1, 2025. The law will, in part, provide that a nonprofit, within 30 days after filing its annual AG990-IL Charitable Organization Annual Report, that reports grants of $1 million or more to other charitable organizations would need to post on its website, if applicable, the aggregated demographic information of the corporation’s directors and officers, including race, ethnicity, gender, disability status, veteran status, sexual orientation and gender identity.

States: Consumer Data Protection / Data Privacy

Below is a comprehensive list of state activity. If you are interested in a broader overview of the issue, please read more here.

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California (from the CA AG website): The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This law secures new privacy rights for California consumers, including:

The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

NOW LAW: California SB 362/Chapter 709 was signed by Democratic Gov. Gavin Newsom on October 10, 2023 with the bill taking effect January 1, 2026. This law, dubbed the Delete Act, seeks increased limitations on data brokers that amass and sell personal information collected online. It will create a portal for residents to remove personal data that has been collected by the 486 registered data brokers in the state, from purchase history to internet browsing habits. The law will also require data brokers to register with the California Privacy Protection Agency and disclose the types of information they collect.

NOW LAW : California AB 1008/Chapter 802 was signed into law by Democratic Gov. Gavin Newsom on September 28, 2024 and takes effect on January 1, 2025. The law states that “publicly available” does not include information gathered from websites using automated mass data extraction; personal information can exist in various formats. The law defines terms related to personal information, such as advertising and marketing, aggregate consumer information and biometric information. It outlines what constitutes a business and the thresholds for data collection and processing that apply. The law describes business purposes for using personal information and specifies what qualifies as consumer consent. Additionally, it includes definitions for sensitive personal information, service providers and third parties, emphasizing the protection and proper handling of personal data.

NOW LAW: Colorado SB 190 was signed into law by Governor Polis on July 7, 2021. The law takes effect on July 1, 2023. Major provisions include:

Enable a consumer to opt-out of the processing of their personal information.
Confirm whether or not a controller is processing personal data concerning the consumer and to provide access to that information.
The right to correct inaccurate personal information.
The right to have personal information deleted.
Controllers would be required to provide a meaningful privacy notice to consumers detailing their various rights
Does not contain a private right of action.

Nonprofit organizations are NOT exempted from the requirements of the law.

NOW LAW: Connecticut SB 6/Public Act 22-15 was signed by Democratic Gov. Ned Lamont on May 10 and took effect July 1, 2023. The law grants consumers various rights including:

The right to confirm whether or not a controller is processing the consumer’s personal data.
The right to correct inaccuracies in their personal data.
The right to delete personal data provided by or obtained about the consumer.
The right to obtain a copy of the consumer’s personal data processed by the controller.
The right to opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects.

Controllers will be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers will also be prohibited from processing the sensitive data of a consumer without their affirmative consent. The law will not apply to nonprofit organizations, does not provide a private right of action and will grant controllers a right to cure at the discretion of the attorney general.

NOW LAW : Delaware HB 154 was signed into law by Democratic Gov. John Carney on September 11, 2023 and took effect January 1, 2025. The law applies to “persons” that conduct business in the state, including nonprofits, or produce products or services that are targeted to state residents and:

Control or process the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data they provide and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 60-day right to cure before the attorney general may initiate any action which would remain in place until December 31, 2025. After that date, the right to cure will be up to the discretion of the attorney general.

NOW LAW: Florida SB 262 was signed by Republican Gov. Ron DeSantis on June 6, 2023 and took effect July 1, 2024. The law will prohibit government employees or officers from using their positions or state resources for the purposes of social media content moderation. The law contains age-appropriate design code language.

The law will also grant consumers various rights including:

The right to confirm if a consumer’s personal data is being processed and providing access to the data.
The right to correct inaccurate consumer personal data.
The right to delete the consumer’s personal data provided by or obtained about the consumer.
The right to opt-out of processing of personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similar significant effects concerning the consumer.
The right to opt out of the collection of sensitive data, including precise geolocation data, or the processing of such data.

Controllers will be required to take action on consumer requests within 45 days but could request an extension of an additional 15 days and must establish a process that allows consumers to appeal a controller’s decision not to act on a request to exercise their rights. The law contains 45 day right to cure language. The law does not contain a private right of action and does not apply to nonprofits.

NOW LAW: Indiana SB 5 was signed by Republican Gov. Eric Holcomb on May 1 and takes effect January 1, 2026. The law will apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or processes the personal data of 25,000 or more consumers and derives more than 50 percent of their revenue from the sale of personal data. The law will grant consumers various rights including, but not limited to, the right to delete data and opt-out of the sale of their personal data. The law will apply to nonprofit organizations and does not contain a private right of action.

NOW LAW: Iowa SF 262 was signed by Gov. Kim Reynolds on March 28 and takes effect January 1, 2025. The law will apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:

Controls or processes personal data of at least 100,000 consumers.
Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data they provided and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 30-day right to cure before the attorney general can initiate any action. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice.

NOW LAW: Kentucky HB 15 was signed by Democratic Gov. Andy Beshear on April 4, 2024 and takes effect January 1, 2026. The law will not apply to nonprofits. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:

Control or process the personal data of at least 100,000 consumers.
Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a private right of action but does contain a 30-day right to cure.

NOW LAW: Maryland SB 541/Chapter 455 was signed by Democratic Gov. Wes Moore on May 9, 2024. Effective October 1, 2025, the act applies to “persons” that conduct business in the state or persons that produce products or services that are targeted to state residents and during the preceding calendar year:

Control or process the personal data of at least 35,000 consumers, excluding data processed solely to complete a payment transaction.
Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

The act grants consumers various rights including the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. A consumer would be permitted to opt out using global privacy controls.

NOW LAW: Minnesota HF 4757/Chapter 121 was signed by Democratic Gov. Tim Walz on May 24, 2024 and takes effect July 31, 2025, with a delayed effective date of July 31, 2029 for institutions regulated by the Office of Higher Education. Nonprofits are not exempt from the law. The law will apply to “persons” that conduct business in the state or produce products or services that are targeted to state residents and:

Control or process the personal data of not less than 100,000 consumers.
Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similar significant effects. The law contains an exemption and alternative requirements for small businesses and also contains a time limited 30-day right to cure until January 31, 2026.

NOW LAW: Montana SB 384/Chapter 681 was signed into law by Republican Gov. Greg Gianforte on May 19, 2023. The bill will apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and:

Control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data they provided and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 60-day right to cure before the attorney general could initiate any action.

NOW LAW: Nebraska LB 1074 passed the legislature, was signed by Republican Gov. Jim Pillen on April 17, 2024, and took effect January 1, 2025. The law will not apply to nonprofits. The law contains both privacy and banking provisions. The privacy provisions will apply to anyone who conducts business in this state or produces a product or service consumed by residents of this state, processes or engages in the sale of personal data and is not a small business as defined under the federal Small Business Act. The law will grant consumers various rights including the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising, the sale of data or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a private right of action but does contain a 30-day right to cure.

NOW LAW: New Hampshire SB 255/Chapter 5 was signed by Republican Gov. Chris Sununu on March 6, 2024 and took effect January 1, 2025. The law will not apply to nonprofits. The law will apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or controlled or processed the personal data of not less than 10,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data. The law will grant consumers various rights including the right to collect inaccuracies in their personal data and delete their data. The law does not contain a private right of action but does contain a 60-day right cure.

NOW LAW: New Jersey SB 332/Chapter 266 was signed by Democratic Gov. Phil Murphy on January 16, 2024 and takes effect January 15, 2025. Nonprofits are not exempt from the law. The law will apply to controllers that conduct business in the state or produce products or services that are targeted to residents of the state, and that during a calendar year meet one or more of the following thresholds:

Control or process the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
Control or process the personal data of not less than 25,000 consumers and derives or receives a discount on the price of goods or services, from the sale of personal data.

The law will grant consumers various rights including the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or the sale of their data. Users will be able to opt-out of the processing of their data for the purposes of targeted advertising or the sale of their data via a user selected universal opt-out mechanism. The law does not contain a private right of action.

NOW LAW: New Jersey SB 2930/Chapter 16 was signed by Democratic Gov. Phil Murphy on June 5, 2024 and took effect September 3, 2024. This law will make broad changes to the state’s public records law, including in part prohibiting public records requests made by or for data brokers and would prohibit data obtained through records requests from being sold. The law also contains a data broker registry requirement.

NOW LAW: Oregon SB 619 was signed by Democratic Gov. Tina Kotek on July 18, 2023, and took effect July 1, 2024. The law does not exempt nonprofits. The law will apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year either controls or processes:

The personal data of 100,000 or more consumers, personal data from 100,000 or more devices that identify or that link to or are reasonably linkable to one or more consumers, or personal data from a combination of 100,000 or more consumers and devices.
The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

It will grant consumers various rights including the right to delete personal data whether or not the data was previously provided, obtain a copy of that data and opt out of the sale or sharing of their data. The law does not contain a private right of action.

NOW LAW: Oregon HB 2052 was signed by Democratic Gov. Tina Kotek on July 27, 2023, and took immediate effect with the registration provisions becoming operative January 1, 2024. The law will require data brokers to annually register with the Department of Consumer and Business Services. The law will impose a $500 penalty for each day the company fails to register with a maximum penalty of $10,000.

NOW LAW: Rhode Island SB 2500, became law without the signature of Democratic Gov. Dan McKee on June 26, 2024 and takes effect January 1, 2026. Nonprofits are exempt from the law. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:

Control or process the personal data of not less than 35,000 consumers.
Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to correct inaccuracies in their personal information, the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a right to cure or a private right of action.

NOW LAW: Texas HB 4 was signed by Republican Gov. Greg Abbott on June 18, 2023 and took effect July 1, 2024. It does not apply to nonprofit organizations. The law will in part require controllers to honor global privacy controls such as a browser setting as a request to opt-out and exempt and includes 501(c)19 under the definition of a nonprofit organization. The law will apply only to a person that:

Conducts business in this state or produces a product or service consumed by residents of this state.
Processes or engages in the sale of personal data.
Is not a small business as defined by the United States Small Business Administration.

The law will grant consumers various rights, including the right to their personal data and to opt out of the processing of their personal data for various purposes such as the sale of data. The law contains 30 day right to cure and does not contain a private right of action.

NOW LAW: Utah SB 227 was signed by Republican Gov. Spencer Cox on March 24 and takes effect December 31, 2023. The law will grant consumer’s various rights including:

The right to confirm whether a controller is processing the consumer’s personal data.
The right to correct inaccurate personal data.
The right to delete the consumer’s personal data.
The right to opt-out of the processing of their data for the purposes of targeted advertising or the sale of personal data.

The law does not apply to nonprofit organizations and does not contain a private right of action.

NOW LAW: Virginia SB 1392, known as the Virginia Consumer Data Protection Act, was signed by Governor Ralph Northam on March 2, 2021, and took effect on January 1, 2023.  The CDPA grants consumers the right to confirm, correct, and delete personal data and opt-out of use of data for advertising or sale.  It includes an opt-in consent requirement for sensitive data.  Nonprofits are largely exempt.

PROPOSED LAWS:

Massachusetts HB 4632 passed the Joint Advanced Information Technology, the Internet and Cybersecurity Committee on May 13, 2024. The bill is the new draft of several privacy bills including HB 60, HB 63, HB 80, HB 83 and SB 227. The bill, to be known as the “Massachusetts Data Privacy Act,” contains numerous definitions that determine the applicability of the bills’ various provisions and would define a “covered entity” as a person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing or transferring covered data. “Covered entity” would also include a person that controls, is controlled by or is under common control with the covered entity. “Covered entity” would not include an entity that is acting as a service provider. The bill also contains many novel definitions that include covered high impact social media, covered algorithm, covered language, large data holder and small business. The bill would not apply to government agencies or certain persons that meet the following criteria for the preceding three calendar years:

The person’s average annual gross revenues during the period did not exceed $20 million.
The person, on average, did not annually collect or process the covered data of more than 75,000 individualsduring the period beyond the purpose of initiating, billing for, finalizing or otherwise collecting payment for a requested service or product, as long as all covered data for that purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return policy.
No component of the person’s revenue comes from transferring covered data during a year or part of a year if the person is an entity that has been in existence for less than one year.

The bill would prohibit a covered entity from collecting or transferring covered data unless the collection, processing or transfer is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual to whom the data pertains. The bill would specify numerous allowed purposes for the collection, processing or transferring of covered data including but not limited to the completion of a transaction, fulfillment of an order and providing first party advertising. The bill would require covered entities to obtain a consumer’s affirmative consent before engaging in or directing the transfer of covered data or engaging in targeted advertising and would also be required to provide consumers with the opportunity to opt out. The bill would also grant various individual rights involving covered data including:

The right to access their covered data, except back up or archival data, that is collected, processed or transferred by a covered entity or service provider within the preceding 24 months.
The right to correct a verifiable substantial inaccuracy, inaccuracy or substantially incomplete information.
The right to delete covered data of the individual that is processed by the covered entity and make reasonable efforts to notify all third parties or service providers to which the covered entity transferred the covered data of the individual’s deletion request.

The bill also contains provisions that would establish a data broker registry. The bill would provide for enforcement by the attorney general, district attorney or municipal counsel. The bill also contains a private right of action with damages of $5,000 per person per violation annually adjusted for inflation or actual damages, whichever is greater among other specified damages and relief. A similar privacy bill, SB 2770, which is the new draft of SB 25, passed the Joint Advanced Information Technology, the Internet and Cybersecurity Committee on May 9, 2024. No further action was taken in 2024.

New Jersey AB 4811, sponsored by Asm. Bill Moen, D-Camden, was referred to the Assembly Science, Innovation and Technology Committee on October 20, 2022. The bill would require the Division of Consumer Affairs to establish and maintain a data broker registry. Data brokers would be required to pay a registration fee of $100 per year and provide the following following information:

The name and primary physical, email and internet addresses of the data broker.
Whether the data broker permits a consumer to opt-out of the data brokers’ collection practices including the method to request an opt-out.
A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out.
Whether the data broker uses a credentialing process for purchasers of the data.
Any information the data broker has about the security breaches it has experienced.
A separate statement detailing the data collection practices, database sales activities, and opt-out methods that are applicable to minors as well as whether the data broker has any knowledge that it possesses the brokered personal information of minors.
Any information the division deems appropriate to implement.

Brokered personal information would include but not be limited to: name, address, date of birth, unique biometric data and social security number. Data brokers would not include e-commerce platforms, 411 directory asssistance services, providing publicly available information related to a consumer’s business or profession, and providing publicly available information via real time alert services for health and safety purposes.

New Jersey AB 4741 sponsored by Assembly Deputy Speaker Herb Conway Jr., D-Delran, and Assembly Deputy Majority Leader William Moen, D-Barrington, was referred to the Assembly Science, Innovation and Technology Committee on September 12, 2024. The bill would amend the state’s current data privacy law to require a controller or processor to deidentify personal data before the data is sold. The bill would also prohibit the reidentification of previously deidentified data before or after data sale. Controllers and processors would also be prohibited from providing a third party with the means to reidentify the data or engaging a third party for the proposes of reidentifying the data.

States: Donor Privacy and Confidentiality

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: Georgia SB 534 was signed by Republican Gov. Brian Kemp on May 2, 2022 and took immediate effect. The law prohibits state agencies, absent the showing of compelling interest, to impose any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. Any additional reporting or filing requirements are required to be narrowly tailored to achieve the compelling state interest. The bill defines charitable organizations as 501(C)3 organizations.

NOW LAW: Indiana HB 1212, sponsored by House Speaker Pro Tempore Mike Karickhoff, R-Kokomo, was signed by Republican Gov. Eric Holcomb and takes effect July 1. The law will prohibit, with certain exceptions, a state or local agency from collecting or disclosing information that identifies an individual or business entity as a member, supporter, volunteer, or donor of financial or nonfinancial support to a nonprofit organization.

NOW LAW: New Hampshire SB 302/Chapter 336 was signed by Republican Gov. Chris Sununu on July 25, 2022 and takes effect January 1. The law will prohibit a public agency from:

Requiring an individual or entity to provide the public agency with personal information.
Releasing, publicizing or otherwise publicly disclosing any data that directly or indirectly identifies a person as a member, supporter, volunteer, or donor of financial or nonfinancial support.
Requiring any current or perspective contractor or grantee to provide the agency with a list of entities exempt from federal income taxation to which it has provided financial or nonfinancial support.

NOW LAW: New York SB 4817A (companion A 1141A) was passed by the Senate on June 9, followed by the Assembly on June 10. It was delivered to Gov. Hochul on November 1 and she signed it into law on November 12, 2022.

This legislation was necessary to undo a rider on 2020 budget legislation inserted by then Gov. Cuomo. That rider would have required all nonprofits registered with the Attorney General under the solicitation law to perform a duplicative (literally) registration with the NY Dept of State. It also would have required confidential donor information (that provided in Form 990 Schedule B) to be provided to the Department but with looser protections than afforded to the same information by the AG’s office (the AG collected Sched B from registrants until dissuaded by the U.S. Supreme Court donor privacy decision in July 2021).

Strong objections to wasteful duplicate reporting and to the prospective disclosure of private donor information led two New York nonprofits (Nonprofit New York and Lawyer’s Alliance) to lead a grassroots effort, joined by TNPA, to support SB 4817A. That effort was successful.

NOW LAW: Virginia SB 324/Chapter 19 was signed by Republican Gov. Glenn Youngkin on August 4, 2022 and took effect January 1, 2023. The law will prohibit a state agency from:

Requiring an individual or entity to provide the public agency with personal donor information.
Requiring any bidder, offeror, contractor or grantee of the organization to provide the agency with personal donor information.
Disclosing personal donor information without the express written permission of every individual who is identifiable from the potential release of such information, including identifiable as members, supporters or volunteers, or donors to the agency.

NOW LAW: Hawaii HB 2416 was signed by Governor David Ige on May 27, 2022, taking effect on January 1, 2023. The law in part requires 501(c)4 organizations operating as a noncandidate committee to disclose the name and address of donors who donate an aggregate of more than $10,000. The bill would prohibit donations from being used for electioneering communications, independent expenditures or contributions without the written consent of the donor.

States: Charitable Solicitation

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California AB 488 Governor Gavin Newsom signed the bill into law on October 7, 2021. The law took effect January 1, 2023.

TNPA participated in a multi-year stakeholder process for this legislation which resulted in many necessary changes to the original draft created by the Attorney General’s office. Nevertheless, significant issues remain to be resolved through the means of rulemaking during the course of the coming year. The Attorney General conducts the rulemaking. The bill’s stakeholders, including TNPA, will undoubtedly participate in the process.

The bill establishes new requirements for online fundraising by third parties. However, the legislation is NOT applicable to a charity’s own website and online fundraising. Entities defined in the legislation as a “fundraising platform” or “platform charity” would be required to register with the AG and to submit annual reports. The legislation requires a number of compelled disclosures designed to give prospective donors adequate information (such as fees to be deducted from the intended gift, how long it may take for the beneficiary nonprofit to receive its gift, etc.).

The new California categories of solicitation law oversight are unique and will surely draw the attention of charity officials in other states. It is likely other states will let the California experiment play out rather than rush to emulate. Nonprofits currently receiving significant funds from the newly regulated platforms will also be watching. It is not a forgone conclusion the legislation and forthcoming regulations will strike the right balance between protecting donors and allowing support dollars to flow to nonprofit missions.

NOW LAW: Colorado SB 129 was signed by Democratic Gov. Jared Polis on May 24, 2024 and took effect September 23, 2024. This donor privacy law will prohibit a public agency from requiring any person to provide the public agency with data that identifies a member of a nonprofit entity or compelling the disclosure of member-specific data and would provide for penalties for violations.

NOW LAW: Colorado SB 16 was signed by Democratic Gov. Jared Polis on June 7, 2024 and took effect on August 8, 2024. The law will authorize a taxpayer to make a charitable contribution to a charitable recipient organization through a qualified intermediary that forwards the contribution to the charitable recipient organization, rather than making the contribution directly to the charitable recipient organization, without losing the right to claim a state income tax credit.

NOW LAW: Georgia SB 433/Act 423 was signed by Republican Gov. Brian Kemp on April 22, 2024 and took effect July 1, 2024. The law will prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the law will grant the donor or their legal representative a private right of action.

NOW LAW: Georgia SB 412/Act 612 was signed by Republican Gov. Brian Kemp and took immediate effect (May 2024). The law permits the secretary of state, at their discretion, to suspend or revoke the registration of a charitable organization, paid solicitor or solicitor agent for violations of existing law. The law also raises the maximum penalties for violations to $10,000 for a single violation and $100,000 for multiple violations.

NOW LAW: Hawaii SB 2693/Act 211 was signed by Democratic Gov. Josh Green on July 5, 2024 and took immediate effect. The law establishes the offense of charitable fraud during a state of emergency. The offense would range from a misdemeanor if the value of the contributions received is less than $750 up to a class B felony for contributions received over $20,000.

NOW LAW: Hawaii SB 2983/Act 205 was signed by Democratic Gov. Josh Green on July 5, 2024 and takes effect January 1, 2026. The law will require charitable fundraising platforms to register with the attorney general before soliciting, permitting, or otherwise enabling solicitations for charitable purposes. Fundraising platforms and platform charities will be required to make various disclosures before a person can complete a donation or select or change a recipient charitable organization, including the maximum length of time it takes charitable organizations to receive the funds and the fees to be deducted. Fundraising platforms and platform charities will also be required to make periodic reports to the department on a provided form that will enable the department to ascertain whether charitable funds have been properly solicited, received, held, controlled or distributed.

NOW LAW: Illinois HB 1197/Public Acts 121 was signed by Democratic Gov. J.B. Pritzker on June 30, 2023 and takes effect January 1, 2023. The bill would provide that every charitable organization that receives contributions in excess of $750,000, rather than the $300,000 specified under existing law, would be required to file a written report with the attorney general with specified information. The bill would also require organizations that receive contributions in excess of $25,000 but less than $750,000 to file a simplified report with the attorney general.

NOW LAW: Indiana SB 302/Public Law 40, sponsored by Senate Judiciary Committee Chair Liz Brown, R-Fort Wayne, was signed by Republican Gov. Eric Holcomb on April 20, 2023 and takes effect July 1, 2023. The law will prohibit state agencies or officials from imposing filing or reporting requirements on charitable organizations that are more stringent or burdensome than those imposed by or authorized under state or federal law.

NOW LAW: Kentucky SB 70 was signed by Democratic Gov. Andy Beshear on April 9, 2024 and took effect July 14, 2024. The law will prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the law will grant the donor or their legal representative a private right of action.

NOW LAW: Louisiana SB 179/Act 262 was signed by Democratic Gov. John Bel Edwards on June 3, 2022 and took immediate effect. The law prohibits state agencies from imposing any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. The legislature can review any requirements that are more restrictive. The law defines charitable organizations as a person who holds himself out to be benevolent, civic, recreational, educational, voluntary, health, law enforcement, social service, philanthropic, fraternal, humane, patriotic, religious or eleemosynary organization.

NOW LAW: Mississippi SB 2545 was signed Republican Gov. Tate Reeves on April 15, 2024 and takes effect July 1. The law will define monetary donations to mean cash or cash equivalents. It also raised the audit threshold from $500,000 to $750,000.

NOW LAW: Missouri HB 2400 was signed by Gov. Mike Parsons on June 30, 2022, and took effect August 28, 2022. The law prohibits state agencies or state officials from imposing any annual filing or reporting requirements on charitable organizations that are more stringent than specified under existing law.

NOW LAW: New Hampshire SB 375/Chapter 173 was signed by Republican Gov. Chris Sununu on June 7, 2022 and takes effect August 6. The law will prohibit the state from imposing any annual filing or reporting requirement on a charitable organization that is more stringent than already required under existing law. The law will also raise the compulsory audit threshold for annual reporting by nonprofits from $1 million to $2 million.

NOW LAW: North Carolina SB 429/Session Law 119 was signed into law by Democratic Gov. Roy Cooper on September 14, 2023. The law took immediate effect with certain provisions taking effect October 1. The law will increase the qualifying income threshold for exemption from charitable solicitation requirements to $50,000 from $25,000. The law will also specify that licensure applications are considered filed as of the date they are postmarked or electronically submitted.

NOW LAW: South Dakota HB 1116 passed the Senate on February 21, 2024 and was signed by Republican Gov. Kristi Noem on February 28. The law takes effect July 1. The law will make fraudulent solicitation of charitable contributions a deceptive act or practice.

NOW LAW: Tennesse SB 1935/Chapter 773 was signed by Republican Gov. Bill Lee on April 8, 2022 and took immediate effect. The law removes requirements that financial statements, annual event applications, charitable solicitation applications and athlete agent registrations filed with the secretary of state be sworn under penalty of perjury.

NOW LAW: Tennessee HB 1707 was signed by Republican Gov. Bill Lee on March 7, 2024 and takes effect July 1. The law will amend various provisions regarding charitable solicitations in the state including, in part, adding to the definition of a charitable organization by including a person that is determined by the Internal Revenue Service to be a tax-exempt organization pursuant to the Internal Revenue Code. The law will also:

Authorize the secretary of state, by order, letter, or other appropriate means, to enjoin the charitable organization, professional fundraiser, or other person from continuing an act or violation, or committing other acts in furtherance of it, during the course of an investigation.
Require renewal registrations to be accompanied by a copy of forms required to be filed with the U.S. Internal Revenue Service, and any other information the secretary deems appropriate to substantiate how funds were raised and spent by the organization. At least two authorized officers of the organization, one of whom must be the chief fiscal officer, must certify that the information provided under this law is true and correct to the best of their knowledge.
Prohibit a person from making any representation that such person is soliciting contributions for or on behalf of a charitable organization or from using or displaying any emblem, device or printed matter belonging to or associated with a charitable organization for the purpose of soliciting or inducing contributions from the public without first being authorized to do so by the charitable organization.

NOW LAW: Utah HB 43 was signed by Republican Gov. Spencer Cox on March 13, 2024 and took effect May 1, 2024. The law removes a requirement that charitable organizations register with the Division of Consumer Protection. The law will also prohibit deceptive acts related to charitable solicitations, including falsely indicating that the supplier is affiliated with the charitable organization.

NOW LAW: Virginia HB 1748/Chapter 289 was signed by Republican Gov. Glenn Youngkin on March 23, 2023 and took effect July 1, 2023. The law will expand the definition of solicitation to include requests made via email. It will also require any contract between a professional solicitor and charitable or civic organization to specify the percentage of gross contributions that the civic organization will receive or the terms upon which a determination can be made. The contract will also be required to specify that at least every 90 days the professional solicitor would be required to provide the charitable or civic organization with access to and use of all information in the professional solicitor’s possession concerning contributors.

NOW LAW: Virginia HB 464 was signed by Gov. Youngkin on April 2, 2024 and took effect July 1, 2024. The law raises the audit threshold from $1 million to $1.5 million.

NOW LAW: Wisconsin AB 912/Act 151 was signed by Democratic Gov. Tony Evers on March 21, 2024 and took immediate effect. The law raises the audit threshold from $500,000 to $1 million.

States: Nonprofit Governance

NOW LAW: Illinois SB 2930 passed the Senate on April 10, 2024 and took effect January 1, 2025. The law provides that a nonprofit which reports grants of $1 million or more to other charitable organizations would need to post on its website, within 30 days after filing its annual AG990-IL Charitable Organization Annual Report, the aggregated demographic information of the corporation’s directors and officers, including race, ethnicity, gender, disability status, veteran status, sexual orientation and gender identity.

States: Salary Disclosure

Read more about this issue

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California SB 1162 /Chapter 559 was signed by Democratic Gov. Gavin Newsom on September 27, 2022, and took effect January 1, 2023. The law expands state pay data reporting requirements to cover contracted employees. The law requires a private employer having 100 or more employees to submit a pay data report to the Civil Rights Department. This law revises the timeframe in which a private employer is required to submit this information to require that it’s provisioned on or before the second Wednesday of May. This law requires the pay data report to include the median and mean hourly rate for each combination of race, ethnicity and sex within each job category. It also requires an employer, upon request, to provide an employee with the pay scale for the position in which the employee is currently employed. The law requires an employer with 15 or more employees to include the pay scale for a position in any job posting. The law requires an employer to maintain records of a job title and wage rate history for each employee for a specified timeframe, to be open to inspection by the labor commissioner

NOW LAW: Maryland HB 649/Chapter 271 alters the requirement that an employer disclose wage information to an applicant for employment. An employer will be required to disclose wage information in postings and to employees, as specified. A wage range disclosed by an employer will have to be set in good faith. The law also prohibits an employer from taking retaliatory action against employees and requires keeping a record of compliance for at least three years. The law was signed by Democratic Gov. Wes Moore on April 25, 2024 and took effect on October 1, 2024.

NOW LAW: Massachusetts HB 4890/Chapter 141 was signed by Democratic Gov. Maura Healey on July 31, 2024 and takes effect October 29, 2025. The law requires:

Annually, by February 1, a covered employer, subject to EEO-1 data report filing requirements, to submit to the state secretary a copy of its EEO-1 data report for the prior year.
In each odd-numbered year, not later than February 1, a covered employer, subject to federal EEO-3 data report or EEO-5 data report filing requirements, to submit to the state secretary a copy of its EEO-3 data report or EEO-5 data report, as applicable, covering the most recent filing period.
In each even-numbered year, not later than February 1, a covered employer, subject to federal EEO-4 data report filing requirements, to submit to the state secretary a copy of its EEO-4 data report covering the most recent filing period.

Employers will also be required to:

Disclose the pay range for a particular and specific employment position in posting it.
Provide the pay range for a particular and specific employment position to an employee who is offered a promotion, or transfer, to a new position with different job responsibilities.
Provide the pay range for a particular and specific employment position to an employee holding such position, or to an applicant for such position, upon request.

NOW LAW: Minnesota SF 3852/Chapter 110 is an omnibus labor policy act. Its provisions include requiring salary ranges be included in job postings. The act was signed into law by Gov. Tim Walz on May 17, 2024, and the relveant provisions are effective as of July 1, 2024, and Janury 1, 2025.

NOW LAW: New York SB 1326/Chapter 94 was signed by Gov. Kathy Hochul on March 3, 2023 and has effect from September 17, 2022 at the same time as SB 9427 from last session. The law specifies that existing laws on salary disclosure exclude remote work opportunities performed entirely out of state.

NOW LAW: Vermont HB 704 requires that job advertisements include the compensation or compensation range and job description for the advertised position. The act also prohibits employers from taking adverse action against current or prospective employees pursuant to the rights provided in the bill. The act was signed into law by Republican Gov. Phil Scott on June 4, 2024 and will take effect on July 1, 2025.