Included below:

• Artificial Intelligence (AI)
• Board Diversity
• Consumer Data Protection & Data Privacy
• Donor Privacy and Confidentiality
• Charitable Solicitation
• Nonprofit Governance
• Salary Disclosure

Artificial Intelligence (AI)

PROPOSED LAWS:

New York AB 768, sponsored by Asm. Alex Bores, D-New York City, was introduced and referred to the Assembly Consumer Affairs and Protections Committee on January 8. Assemblymember Bores does not hold any ranking positions. The bill, titled the “New York Artificial Intelligence Consumer Protection Act,” would amend existing law to prevent the use of artificial intelligence algorithms to discriminate against protected classes. It would require developers and deployers of high-risk AI decision systems to implement risk management policies, conduct bias and governance audits, and provide transparency and documentation to ensure compliance with anti-discrimination laws. Additionally, the bill would mandate consumer notifications and provide mechanisms for consumers to correct data and appeal adverse decisions made by AI systems.

Texas HB 1709, sponsored by Rep. Giovanni Capriglione, R-Keller, was prefiled on December 23 for the upcoming legislative session that is scheduled to begin on January 14. Representative Capriglione is the chair of the House Artificial Intelligence & Emerging Technologies and Pensions, Investments & Financial Services committees. The bill would regulate the use of artificial intelligence (AI) systems by certain business entities and state agencies. It would require developers and deployers of high-risk AI systems to conduct impact assessments, disclose AI interactions to consumers and implement risk management policies. The bill would also establish the Texas Artificial Intelligence Council and the Artificial Intelligence Regulatory Sandbox Program to oversee AI development and ensure ethical use.

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: Colorado SB205 Colorado Becomes the First State to Enact Comprehensive AI Legislation. The new law becomes effective February 1, 2026. It applies generally to developers and deployers of “high risk AI systems,” which are defined as AI systems that make, or are a substantial factor in making a consequential decision. The law also defines “consequential decision” as “any decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of: (a) education enrollment or an education opportunity, (b) employment or an employment opportunity, (c) a financial or lending service, (d) an essential government service, (e) health-care services, (f) housing, (g) insurance, or (h) a legal service.”

The law is aimed at addressing AI bias, establishing a requirement of human oversight throughout the life cycle of AI systems, and requiring significant documentation around the use of AI.

It applies to any person doing business in Colorado who develops an “AI system” or deploys a “high-risk AI system.” In effect, this means that it applies to any organization using a high-risk AI system, whether or not that system is consumer-facing. Importantly, the law explicitly excludes a Private Right of Action, leaving enforcement solely to the Colorado Attorney General.

NOW LAW: California AB 2013/Chapter 817 was signed into law by Democratic Gov. Gavin Newsom on September 28, 2024 and takes effect on January 1, 2025. This law requires, on or before January 1, 2026, and before each time thereafter, that a generative AI system or service, or a substantial modification to such a system or service, released on or after January 1, 2022, is made available to Californians for use, regardless of whether the terms of that use include compensation, a developer of the system or service to post on the developer’s internet website documentation regarding the data used to train the generative AI system or service. Documentation is required to include a high-level summary of the datasets used in the development of the system or service.

NOW LAW: California SB 896/Chapter 928 was signed into law by Democratic Gov. Gavin Newsom on September 29, 2024 and takes effect on January 1, 2025. This law will bring the California Privacy Protection Agency into the reporting creation aspect of this bill. The law will create the Artificial Intelligence Accountability Act as a follow up to Sen. Bill Dodd’s, D-Napa, CR 17, as he stated in his press release. Additionally, the law requires state agencies to develop a risk report for potentially the most significant uses of artificial intelligence. It will also require state agencies to alert users when they are interacting with artificial intelligence.

FAILED BILLS:

California SB 1047 was vetoed by Democratic Gov. Gavin Newsom on September 29, 2024. It was not overridden. This bill would have established safety and security protocols for large developers of advanced AI models that require over $100 million to train or meet a certain computing power threshold. In his veto message, the governor stated that focusing on regulating large artificial intelligence models based on size and cost could create a false sense of security. He expressed concern that the bill’s approach may overlook potential risks from smaller, specialized models and could stifle innovation. 

Board Diversity

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: Illinois SB 2930/Public Act 635 was signed by Democratic Gov. J.B. Pritzker on July 1, 2024 and effective as of January 1, 2025. The law will, in part, provide that a nonprofit, within 30 days after filing its annual AG990-IL Charitable Organization Annual Report, that reports grants of $1 million or more to other charitable organizations would need to post on its website, if applicable, the aggregated demographic information of the corporation’s directors and officers, including race, ethnicity, gender, disability status, veteran status, sexual orientation and gender identity. In January 2025, the American Alliance for Equal Rights sued the state alleging the law violates the 1st and 14th Amendments of the U.S. Constitution. In March, the U.S. Department of Justice successfully petitioned to intervene in the case on the side of AAER.

States: Consumer Data Protection / Data Privacy

Below is a comprehensive list of state activity. If you are interested in a broader overview of the issue, please read more here.

PROPOSED LAWS (CARRYOVER FROM 2024):

Massachusetts HB 4632 passed the Joint Advanced Information Technology, the Internet and Cybersecurity Committee on May 13, 2024. The bill is the new draft of several privacy bills including HB 60, HB 63, HB 80, HB 83 and SB 227. The bill, to be known as the “Massachusetts Data Privacy Act,” contains numerous definitions that determine the applicability of the bills’ various provisions and would define a “covered entity” as a person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing or transferring covered data. “Covered entity” would also include a person that controls, is controlled by or is under common control with the covered entity. “Covered entity” would not include an entity that is acting as a service provider. The bill also contains many novel definitions that include covered high impact social media, covered algorithm, covered language, large data holder and small business. The bill would not apply to government agencies or certain persons that meet the following criteria for the preceding three calendar years:

• The person’s average annual gross revenues during the period did not exceed $20 million.
• The person, on average, did not annually collect or process the covered data of more than 75,000 individuals during the period beyond the purpose of initiating, billing for, finalizing or otherwise collecting payment for a requested service or product, as long as all covered data for that purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return policy.
• No component of the person’s revenue comes from transferring covered data during a year or part of a year if the person is an entity that has been in existence for less than one year.

The bill would prohibit a covered entity from collecting or transferring covered data unless the collection, processing or transfer is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual to whom the data pertains. The bill would specify numerous allowed purposes for the collection, processing or transferring of covered data including but not limited to the completion of a transaction, fulfillment of an order and providing first party advertising. The bill would require covered entities to obtain a consumer’s affirmative consent before engaging in or directing the transfer of covered data or engaging in targeted advertising and would also be required to provide consumers with the opportunity to opt out. The bill would also grant various individual rights involving covered data including:

• The right to access their covered data, except back up or archival data, that is collected, processed or transferred by a covered entity or service provider within the preceding 24 months.
• The right to correct a verifiable substantial inaccuracy, inaccuracy or substantially incomplete information.
• The right to delete covered data of the individual that is processed by the covered entity and make reasonable efforts to notify all third parties or service providers to which the covered entity transferred the covered data of the individual’s deletion request.

The bill also contains provisions that would establish a data broker registry. The bill would provide for enforcement by the attorney general, district attorney or municipal counsel. The bill also contains a private right of action with damages of $5,000 per person per violation annually adjusted for inflation or actual damages, whichever is greater among other specified damages and relief. A similar privacy bill, SB 2770, which is the new draft of SB 25, passed the Joint Advanced Information Technology, the Internet and Cybersecurity Committee on May 9, 2024. No further action was taken in 2024.

New Jersey AB 4811, sponsored by Asm. Bill Moen, D-Camden, was referred to the Assembly Science, Innovation and Technology Committee on October 20, 2022. The bill would require the Division of Consumer Affairs to establish and maintain a data broker registry. Data brokers would be required to pay a registration fee of $100 per year and provide the following information:

• The name and primary physical, email and internet addresses of the data broker.
• Whether the data broker permits a consumer to opt-out of the data brokers’ collection practices including the method to request an opt-out.
• A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out.
• Whether the data broker uses a credentialing process for purchasers of the data.
• Any information the data broker has about the security breaches it has experienced.
• A separate statement detailing the data collection practices, database sales activities, and opt-out methods that are applicable to minors as well as whether the data broker has any knowledge that it possesses the brokered personal information of minors.
• Any information the division deems appropriate to implement.

Brokered personal information would include but not be limited to: name, address, date of birth, unique biometric data and social security number. Data brokers would not include e-commerce platforms, 411 directory assistance services, providing publicly available information related to a consumer’s business or profession, and providing publicly available information via real time alert services for health and safety purposes.

New Jersey AB 4741 sponsored by Assembly Deputy Speaker Herb Conway Jr., D-Delran, and Assembly Deputy Majority Leader William Moen, D-Barrington, was referred to the Assembly Science, Innovation and Technology Committee on September 12, 2024. The bill would amend the state’s current data privacy law to require a controller or processor to deidentify personal data before the data is sold. The bill would also prohibit the reidentification of previously deidentified data before or after data sale. Controllers and processors would also be prohibited from providing a third party with the means to reidentify the data or engaging a third party for the proposes of reidentifying the data.

PROPOSED LAWS (NEW IN 2025):

Alabama HB 283, sponsored by Rep. Mike Shaw, R-Vestavia Hills, passed the House Commerce and Small Business Committee on April 9. The bill would apply to a person that conducts business in the state or produce products or services targeted to consumers of the state that:

• Control or process the personal data of at least 50,000 consumers.
• Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The bill would grant consumers various rights including but not limited to the right to delete data provided by the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The bill does not contain a private right of action but does contain a 60-day right to cure.

Arkansas SB 258 was read for the second time in the Senate on April 7 and a previous committee amendment was read for the first and second times, adopted and the bill was ordered engrossed on the same day. It was read for the third time in the Senate and failed to pass. A motion was made to expunge the vote and the motion carried. This privacy bill, which also originally contained additional language relating to high risk AI models, would apply to a person that:

• Conducts business in the state or produces products or services, consumed by residents of this state.
• Processes or engages in the sale of personal data.
• Is not a small business as defined by the federal Small Business Administration.

It would apply to nonprofits with annual receipts that exceed $15 million in any of the preceding five calendar years. The bill would provide a consumer with various rights including but not limited to the rights to:

• Confirm whether a controller is processing the consumer’s personal data and access to that personal data.
• Correct inaccuracies in their personal data.
• Delete personal data provided by or obtained about the consumer.
• Opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of a solely automated decision that produces legal or similarly significant effects.

The bill does not contain a private right of action.

California AB 566, sponsored by Asm. Josh Lowenthal, D-Long Beach, was filed on February 12 and has not yet been referred to a committee. The bill would require a business developing or maintaining a browser or mobile operating system to include a setting that enables a consumer to send an opt-out preference signal. The bill would authorize the California Privacy Protection Agency to adopt regulations to enforce the bill.

California SB 361 has been scheduled for hearing in the Senate Appropriations Committee on April 21 at 10:30 AM. The bill would require a data broker to provide additional information to the California Privacy Protection Agency, including whether the data broker collects consumers’ login or account information, various government identification numbers, citizenship data, union membership status, sexual orientation status and biometric data.

Connecticut SB 1356 was reported out of the Legislative Commissioners’ Office and tabled for the calendar on April 9. It is now pending on the Senate floor. If enacted as substituted, this bill would amend various consumer privacy and online monitoring laws, such as modifying applicability thresholds for data controllers and processors and imposing additional requirements for the disclosure or sale of personal, sensitive and consumer health data. The bill would remove the Gramm-Leach-Bliley Act entity exemption and would replace it with a data-only exemption.

Georgia SB 111 passed the Senate on March 3 and is pending in the House Technology and Infrastructure Innovation Committee.  Nonprofits that do not sell data are exempt from the bill. The bill would apply to a person that conducts business in the state by producing products or services targeted to consumers of the state that exceeds $25 million in revenue and that:

• Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
• Control or process the personal data of at least 175,000 consumers.

The bill would grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The bill does not contain a private right of action.  It contains a 60-day right to cure. Last session SB 473, also sponsored by Senator Albers, passed the Senate but died on the House floor.

Maryland HB 1089, sponsored by Del. Jared Solomon, D-Rock Creek Forrest was scheduled for a hearing in the House Economic Matters Committee on February 25. The bill would establish a data broker registry with the comptroller. Data brokers would be required to provide a declaration that states whether precise geolocation data and consumer health data is part of their data brokering activity as well as whether or not a consumer can opt out among other requirements. The bill would also establish a six percent tax on the gross revenue of data brokers. A companion bill, SB 904, has been scheduled for a hearing in the Senate Budget and Taxation Committee on March 5 at 1:00 PM.

Montana SB 297 passed the Senate on February 24 and is now pending in the House Judiciary Committee. The bill would amend the state’s data privacy law by specifying controllers could not disclose specified information, such as a social security number, in response to a consumer request but would be required to confirm with sufficient particularity that they have collected such information.  It would also require controllers to provide notice to consumers whenever they make a material change to their privacy notice.

New Mexico HB 410 passed the House Commerce and Economic Development Committee with a substitute on March 3 and is now pending in the House Judiciary Committee. This bill does not apply to nonprofits. The bill would apply to businesses that satisfy one or more of the following thresholds:

• Controls or processes the personal data of at least 35,000 consumers or more.
• Controls or processes the personal data of at least 10,000 consumers and derives more than 20 percent of gross revenue from the sale of personal data.

The bill would grant consumers various rights including the right to correct inaccurate data, the right to delete data provided by or obtained about the consumer and the right to opt out of data sharing or sale. There would be opt-in requirements for children’s data and sensitive data. It would not provide a private right of action but would provide a 30-day right to cure.

New Mexico SB 420 passed the Senate Tax, Business and Transportation Committee on February 28 and is now pending in the Senate Judiciary Committee.  The bill would apply to covered entities defined as a sole proprietorship, partnership, limited liability company, corporation, association, affiliate or other legal entity that:

• Is organized or operated for the profit or financial benefit of the entity’s shareholders or other owners.
• Offers online features, products or services to consumers in New Mexico.
• Alone or jointly with others, determines the purposes and means of collecting personal data directly from consumers, using data for targeted advertising, or engaging in the brokerage of personal data.

Covered entities would be required to provide consumers various rights, including:

• Access all the consumer’s personal data that was processed by the covered entity or their service provider.
• Obtain the consumer’s personal data processed by a covered entity in a structured, readily usable, portable and machine-readable format.
• Correct inaccuracies in their personal data.
• Delete the consumer’s personal data that is stored by covered entities.

Covered entities would be prohibited from processing personal data for purposes of targeted advertising or the brokerage of personal data without the consumer first opting in to those purposes by clear and conspicuous means. The bill contains a private right of action but also contains a time limited right to cure for three years.

Oklahoma SB 546 passed the House Government Modernization and Technology Committee on April 9. The bill does not apply to nonprofits. The bill would apply to a person that conducts business in the state or produce products or services targeted to consumers of the state that:

• Control or process the personal data of at least 50,000 consumers.
• Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.

The bill would grant consumers various rights including the right to delete data provided by the consumer; the right to opt-out of the sale of their personal data; the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The bill does not contain a private right of action but does contain a 30-day right to cure.

Vermont HB 208, sponsored by Rep. Monique Priestly, D-Bradford, was referred to the House Commerce and Economic Development Committee on February 12.  It is cosponsored by committee chair Rep. Mike Marcotte, R-Newport, and vice-chair Rep. Edye Graning, D-Jericho. The bill would apply to a person that conducts business in the state or produce products or services targeted to consumers of the state that:

• Control or process the personal data of at least 25,000 consumers, excluding data processed purely for the purpose of complete a payment transaction.
• Control or process the personal data of not less than 12,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The bill would grant consumers various rights, including  the right to know whether or not their data is or will be used in any artificial intelligence system; the right to obtain a list of specific third parties to which the controller disclosed their personal data;  the right to delete data; the right to opt out of processing for the purposes of targeted advertising.

The bill would also require controllers to limit the collection of data to what is reasonably necessary and proportionate to maintain a specific product or service requested by the consumer. Controllers would be prohibited from processing sensitive data, unless strictly necessary, or selling sensitive data. Controllers would also be required to complete data protection assessments for all processing activities that present a heightened risk of harm to the consumer.

The bill contains a private right of action with exemptions for controllers that earned less than $25 million in the previous year among other exemptions. Representative Priestly is sponsoring other privacy bills, which were also referred to the House Commerce and Economic Development Committee on that same day, including: · HB 210, which is an age-appropriate design code bill;  HB 211, which would amend the state’s data broker registry to require the state to set up an accessible deletion mechanism to all consumers to opt out of all data brokers registered in the state.

Similar Senate bills were also recently filed, including: SB 69, an age-appropriate design code bill, sponsored by Sen. Wendy Harrison, D-Brattleboro, which was heard in the Senate Institutions Committee on February 18, 19 and 20. The committee heard testimony from the bill sponsor, the Electronic Privacy Information Center and Attorney General Charity Clark who testified in support of the bill.

Vermont SB 71 was heard in the Senate Institutions Committee on February 28. The committee received a walkthrough of the bill from legislative council. The bill would apply to nonprofits with very limited exceptions. The bill would apply to a person that conducts business in the state or produce products or services targeted to consumers of the state that:

• Control or process the personal data of at least 25,000 consumers, excluding data processed purely for the purpose of completing a payment transaction.
• Control or process the personal data of not less than 12,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The bill would grant consumers various rights, including:

• The right to know whether or not their data is or will be used in any artificial intelligence system and for what purpose.
• The right to obtain a list of specific third parties to which the controller disclosed their personal data. If the controller does not maintain that data in a consumer specific format then a list of third parties to which the controller has disclosed data.
• The right to delete data, including derived data, provided by or obtained about the consumer.
• The right to opt out of processing for the purposes of targeted advertising, the sale of data or profiling in furtherance of decisions that produce legal or similarly significant effects.

Controllers would be prohibited from processing sensitive data, unless strictly necessary, or selling sensitive data. Controllers would also be required to complete data protection assessments for all processing activities. The bill contains a private right of action with exemptions for controllers that earned less than $25 million in the previous year among other exemptions. Consumers would be required to notify the attorney general 65 days prior to filing a claim and if the attorney general determines the claim is frivolous the consumer would be prohibited from proceeding.

Washington HB 1671, sponsored by House Technology, Economic Development and Veterans Committee Vice Chair Shelley Kloba, D-Kirkland, passed that committee with a substitute on February 14 and referred to Appropriations on Feb 18. The bill would afford a consumer various rights, including:

• The right to confirm whether a controller is collecting or processing personal data, the right to access their personal data and confirm whether or not their data is used for the purposes of automated decision making.
• The right to obtain a specific list of third parties to which a controller has transferred a consumer’s personal data.
  • The right to correct inaccuracies in their personal data.
  • The right to delete personal data concerning the consumer, including data the controller provided from another source and derived data.

Violations would be considered an unfair or deceptive trade practice under the Consumer Protection Act, which includes a private right of action for consumers. The substitute, in part, would modify the definition of consumer to exclude nonresidents whose personal information is collected in Washington.

Washington HB 1887 was heard in the House Consumer Protection and Business Committee on February 21. The committee had been scheduled to vote on the bill, but no action was taken. The bill would create a data broker registry as well as impose a graduated severance tax on data brokers based on the number of residents whose data is collected.

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California (from the CA AG website): The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This law secures new privacy rights for California consumers, including:

• The right to know about the personal information a business collects about them and how it is used and shared;
• The right to delete personal information collected from them (with some exceptions);
• The right to opt-out of the sale of their personal information; and
• The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

NOW LAW: California SB 362/Chapter 709 was signed by Democratic Gov. Gavin Newsom on October 10, 2023 with the bill taking effect January 1, 2026. This law, dubbed the Delete Act, seeks increased limitations on data brokers that amass and sell personal information collected online. It will create a portal for residents to remove personal data that has been collected by the 486 registered data brokers in the state, from purchase history to internet browsing habits. The law will also require data brokers to register with the California Privacy Protection Agency and disclose the types of information they collect.

NOW LAW: California AB 1008/Chapter 802 was signed into law by Democratic Gov. Gavin Newsom on September 28, 2024 and takes effect on January 1, 2025. The law states that “publicly available” does not include information gathered from websites using automated mass data extraction; personal information can exist in various formats. The law defines terms related to personal information, such as advertising and marketing, aggregate consumer information and biometric information. It outlines what constitutes a business and the thresholds for data collection and processing that apply. The law describes business purposes for using personal information and specifies what qualifies as consumer consent. Additionally, it includes definitions for sensitive personal information, service providers and third parties, emphasizing the protection and proper handling of personal data.

NOW LAW: Colorado SB 190 was signed into law by Governor Polis on July 7, 2021. The law takes effect on July 1, 2023. Major provisions include: 

• Enable a consumer to opt-out of the processing of their personal information. 
• Confirm whether or not a controller is processing personal data concerning the consumer and to provide access to that information. 
• The right to correct inaccurate personal information. 
• The right to have personal information deleted.
• Controllers would be required to provide a meaningful privacy notice to consumers detailing their various rights
• Does not contain a private right of action.

Nonprofit organizations are NOT exempted from the requirements of the law.

NOW LAW: Connecticut SB 6/Public Act 22-15 was signed by Democratic Gov. Ned Lamont on May 10 and took effect July 1, 2023. The law grants consumers various rights including:

• The right to confirm whether or not a controller is processing the consumer’s personal data.
• The right to correct inaccuracies in their personal data.
• The right to delete personal data provided by or obtained about the consumer.
• The right to obtain a copy of the consumer’s personal data processed by the controller.
• The right to opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects.

Controllers will be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers will also be prohibited from processing the sensitive data of a consumer without their affirmative consent. The law will not apply to nonprofit organizations, does not provide a private right of action and will grant controllers a right to cure at the discretion of the attorney general. 

NOW LAW : Delaware HB 154 was signed into law by Democratic Gov. John Carney on September 11, 2023 and took effect January 1, 2025. The law applies to “persons” that conduct business in the state, including nonprofits, or produce products or services that are targeted to state residents and:

• Control or process the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
• Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data they provide and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 60-day right to cure before the attorney general may initiate any action which would remain in place until December 31, 2025. After that date, the right to cure will be up to the discretion of the attorney general. 

NOW LAW: Florida SB 262 was signed by Republican Gov. Ron DeSantis on June 6, 2023 and took effect July 1, 2024. The law will prohibit government employees or officers from using their positions or state resources for the purposes of social media content moderation. The law contains age-appropriate design code language.

The law will also grant consumers various rights including:

• The right to confirm if a consumer’s personal data is being processed and providing access to the data.
• The right to correct inaccurate consumer personal data.
• The right to delete the consumer’s personal data provided by or obtained about the consumer.
• The right to opt-out of processing of personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similar significant effects concerning the consumer.
• The right to opt out of the collection of sensitive data, including precise geolocation data, or the processing of such data.

Controllers will be required to take action on consumer requests within 45 days but could request an extension of an additional 15 days and must establish a process that allows consumers to appeal a controller’s decision not to act on a request to exercise their rights. The law contains 45 day right to cure language. The law does not contain a private right of action and does not apply to nonprofits.

NOW LAW: Indiana SB 5  was signed by Republican Gov. Eric Holcomb on May 1 and takes effect January 1, 2026. The law will apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or processes the personal data of 25,000 or more consumers and derives more than 50 percent of their revenue from the sale of personal data. The law will grant consumers various rights including, but not limited to, the right to delete data and opt-out of the sale of their personal data. The law will apply to nonprofit organizations and does not contain a private right of action.

NOW LAW: Iowa SF 262 was signed by Gov. Kim Reynolds on March 28 and takes effect January 1, 2025. The law will apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:

• Controls or processes personal data of at least 100,000 consumers.
• Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data they provided and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 30-day right to cure before the attorney general can initiate any action. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice.

NOW LAW: Kentucky HB 15 was signed by Democratic Gov. Andy Beshear on April 4, 2024 and takes effect January 1, 2026. The law will not apply to nonprofits. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:

• Control or process the personal data of at least 100,000 consumers.
• Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a private right of action but does contain a 30-day right to cure.

NOW LAW: Maryland SB 541/Chapter 455 was signed by Democratic Gov. Wes Moore on May 9, 2024. Effective October 1, 2025, the act applies to “persons” that conduct business in the state or persons that produce products or services that are targeted to state residents and during the preceding calendar year:

• Control or process the personal data of at least 35,000 consumers, excluding data processed solely to complete a payment transaction.
• Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

The act grants consumers various rights including the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. A consumer would be permitted to opt out using global privacy controls. 

NOW LAW: Minnesota HF 4757/Chapter 121 was signed by Democratic Gov. Tim Walz on May 24, 2024 and takes effect July 31, 2025, with a delayed effective date of July 31, 2029 for institutions regulated by the Office of Higher Education. Nonprofits are not exempt from the law. The law will apply to “persons” that conduct business in the state or produce products or services that are targeted to state residents and:

• Control or process the personal data of not less than 100,000 consumers.
• Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similar significant effects. The law contains an exemption and alternative requirements for small businesses and also contains a time limited 30-day right to cure until January 31, 2026.

NOW LAW: Montana SB 384/Chapter 681 was signed into law by Republican Gov. Greg Gianforte on May 19, 2023. The bill will apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and:

• Control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
• Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to delete data they provided and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 60-day right to cure before the attorney general could initiate any action. 

NOW LAW: Nebraska LB 1074 passed the legislature, was signed by Republican Gov. Jim Pillen on April 17, 2024, and took effect January 1, 2025. The law will not apply to nonprofits. The law contains both privacy and banking provisions. The privacy provisions will apply to anyone who conducts business in this state or produces a product or service consumed by residents of this state, processes or engages in the sale of personal data and is not a small business as defined under the federal Small Business Act. The law will grant consumers various rights including the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising, the sale of data or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a private right of action but does contain a 30-day right to cure.

NOW LAW: New Hampshire SB 255/Chapter 5 was signed by Republican Gov. Chris Sununu on March 6, 2024 and took effect January 1, 2025. The law will not apply to nonprofits. The law will apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or controlled or processed the personal data of not less than 10,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data. The law will grant consumers various rights including the right to collect inaccuracies in their personal data and delete their data. The law does not contain a private right of action but does contain a 60-day right cure.

NOW LAW: New Jersey SB 332/Chapter 266 was signed by Democratic Gov. Phil Murphy on January 16, 2024 and takes effect January 15, 2025. Nonprofits are not exempt from the law. The law will apply to controllers that conduct business in the state or produce products or services that are targeted to residents of the state, and that during a calendar year meet one or more of the following thresholds:

• Control or process the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
• Control or process the personal data of not less than 25,000 consumers and derives or receives a discount on the price of goods or services, from the sale of personal data.

The law will grant consumers various rights including the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or the sale of their data. Users will be able to opt-out of the processing of their data for the purposes of targeted advertising or the sale of their data via a user selected universal opt-out mechanism. The law does not contain a private right of action.

NOW LAW: New Jersey SB 2930/Chapter 16 was signed by Democratic Gov. Phil Murphy on June 5, 2024 and took effect September 3, 2024. This law will make broad changes to the state’s public records law, including in part prohibiting public records requests made by or for data brokers and would prohibit data obtained through records requests from being sold. The law also contains a data broker registry requirement.

NOW LAW: Oregon SB 619 was signed by Democratic Gov. Tina Kotek on July 18, 2023, and took effect July 1, 2024. The law does not exempt nonprofits. The law will apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year either controls or processes:

• The personal data of 100,000 or more consumers, personal data from 100,000 or more devices that identify or that link to or are reasonably linkable to one or more consumers, or personal data from a combination of 100,000 or more consumers and devices.
• The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

It will grant consumers various rights including the right to delete personal data whether or not the data was previously provided, obtain a copy of that data and opt out of the sale or sharing of their data. The law does not contain a private right of action.

NOW LAW: Oregon HB 2052 was signed by Democratic Gov. Tina Kotek on July 27, 2023, and took immediate effect with the registration provisions becoming operative January 1, 2024. The law will require data brokers to annually register with the Department of Consumer and Business Services. The law will impose a $500 penalty for each day the company fails to register with a maximum penalty of $10,000.

NOW LAW: Rhode Island SB 2500, became law without the signature of Democratic Gov. Dan McKee on June 26, 2024 and takes effect January 1, 2026. Nonprofits are exempt from the law. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:

• Control or process the personal data of not less than 35,000 consumers.
• Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including the right to correct inaccuracies in their personal information, the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a right to cure or a private right of action.

NOW LAW: Texas HB 4 was signed by Republican Gov. Greg Abbott on June 18, 2023 and took effect July 1, 2024. It does not apply to nonprofit organizations. The law will in part require controllers to honor global privacy controls such as a browser setting as a request to opt-out and exempt and includes 501(c)19 under the definition of a nonprofit organization. The law will apply only to a person that:

• Conducts business in this state or produces a product or service consumed by residents of this state.
• Processes or engages in the sale of personal data.
• Is not a small business as defined by the United States Small Business Administration.

The law will grant consumers various rights, including the right to their personal data and to opt out of the processing of their personal data for various purposes such as the sale of data. The law contains 30 day right to cure and does not contain a private right of action.

NOW LAW: Utah SB 227 was signed by Republican Gov. Spencer Cox on March 24 and takes effect December 31, 2023. The law will grant consumer’s various rights including:

• The right to confirm whether a controller is processing the consumer’s personal data.
• The right to correct inaccurate personal data.
• The right to delete the consumer’s personal data.
• The right to opt-out of the processing of their data for the purposes of targeted advertising or the sale of personal data.

The law does not apply to nonprofit organizations and does not contain a private right of action.

NOW LAW: Virginia SB 1392, known as the Virginia Consumer Data Protection Act, was signed by Governor Ralph Northam on March 2, 2021, and took effect on January 1, 2023.  The CDPA grants consumers the right to confirm, correct, and delete personal data and opt-out of use of data for advertising or sale.  It includes an opt-in consent requirement for sensitive data.  Nonprofits are largely exempt.

States: Donor Privacy and Confidentiality

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: Georgia SB 534 was signed by Republican Gov. Brian Kemp on May 2, 2022 and took immediate effect. The law prohibits state agencies, absent the showing of compelling interest, to impose any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. Any additional reporting or filing requirements are required to be narrowly tailored to achieve the compelling state interest. The bill defines charitable organizations as 501(C)3 organizations.

NOW LAW: Indiana HB 1212, sponsored by House Speaker Pro Tempore Mike Karickhoff, R-Kokomo, was signed by Republican Gov. Eric Holcomb and takes effect July 1. The law will prohibit, with certain exceptions, a state or local agency from collecting or disclosing information that identifies an individual or business entity as a member, supporter, volunteer, or donor of financial or nonfinancial support to a nonprofit organization.

NOW LAW: New Hampshire SB 302/Chapter 336 was signed by Republican Gov. Chris Sununu on July 25, 2022 and takes effect January 1. The law will prohibit a public agency from:

• Requiring an individual or entity to provide the public agency with personal information.
• Releasing, publicizing or otherwise publicly disclosing any data that directly or indirectly identifies a person as a member, supporter, volunteer, or donor of financial or nonfinancial support.
• Requiring any current or perspective contractor or grantee to provide the agency with a list of entities exempt from federal income taxation to which it has provided financial or nonfinancial support.

NOW LAW: New York SB 4817A (companion A 1141A) was passed by the Senate on June 9, followed by the Assembly on June 10. It was delivered to Gov. Hochul on November 1 and she signed it into law on November 12, 2022.

This legislation was necessary to undo a rider on 2020 budget legislation inserted by then Gov. Cuomo. That rider would have required all nonprofits registered with the Attorney General under the solicitation law to perform a duplicative (literally) registration with the NY Dept of State. It also would have required confidential donor information (that provided in Form 990 Schedule B) to be provided to the Department but with looser protections than afforded to the same information by the AG’s office (the AG collected Sched B from registrants until dissuaded by the U.S. Supreme Court donor privacy decision in July 2021). 

Strong objections to wasteful duplicate reporting and to the prospective disclosure of private donor information led two New York nonprofits (Nonprofit New York and Lawyer’s Alliance) to lead a grassroots effort, joined by TNPA, to support SB 4817A. That effort was successful.

NOW LAW:  Virginia SB 324/Chapter 19 was signed by Republican Gov. Glenn Youngkin on August 4, 2022 and took effect January 1, 2023. The law will prohibit a state agency from:

• Requiring an individual or entity to provide the public agency with personal donor information.
• Requiring any bidder, offeror, contractor or grantee of the organization to provide the agency with personal donor information.
• Disclosing personal donor information without the express written permission of every individual who is identifiable from the potential release of such information, including identifiable as members, supporters or volunteers, or donors to the agency.

NOW LAW:  Hawaii HB 2416 was signed by Governor David Ige on May 27, 2022, taking effect on January 1, 2023. The law in part requires 501(c)4 organizations operating as a noncandidate committee to disclose the name and address of donors who donate an aggregate of more than $10,000. The bill would prohibit donations from being used for electioneering communications, independent expenditures or contributions without the written consent of the donor.

States: Charitable Solicitation

PROPOSED LAWS:

California AB 576 has been scheduled for a hearing in the Assembly Privacy and Consumer Protection Committee on May 1 upon the adjournment of that day’s session. The bill would amend the Supervision of Trustees and Fundraisers for Charitable Purposes Act, to additionally authorize charitable fundraising platforms and platform charities to rely on an application programming interface, as specified, to determine good standing. The bill would require the attorney general to establish rules and regulations for the specifications for an application programming interface, as specified.

Connecticut HB 6858 was heard in the Joint General Law Committee February 10. The committee heard from numerous opponents and proponents of various provisions of the bill, including the attorney general’s office who testified in support. No vote was taken. The bill would:

• require that charitable organizations employing a fundraising counsel retain a copy of the contract for not less than seven years
• raise the bond requirement for fundraising counsel having custody or control of funds from $25,000 to $50,000
• reduce the required reporting timeframe for paid solicitors from 90 days to 45 days

Hawaii SB 1048 was considered in conference committee on April 21. The bill is scheduled to be considered again on April 24 at 1:30 PM. During the April 21 meeting the conference committee reached an agreement on the bill which has not yet been made publicly available. The bill would require platform charities to only solicit funds through registered charitable fundraising platforms. Charitable fundraising platforms would be required to maintain a process for complaints about any fundraising activity. The bill would also require a written contract to be filed with the attorney general prior to any fundraising activity, in the case of a charitable fundraising platform or platform charity. However, when a recipient charitable organization has a contractual relationship with the charitable fundraising platform to facilitate the transfer of funds using a third-party disbursement intermediary, a written contract between a platform charity and a recipient charitable organization would not be required to be filed unless ordered by the attorney general.

Illinois SB 1599 was heard in the House State Government and Administration Committee on April 23. The committee took testimony from Forefront and Illinois Coalition Against Sexual Assault, but did not vote on the bill. The bill would amend the Solicitation of Charity Act and the Charitable Trust Act to require the attorney general to accept required reports electronically.

Maryland HB 239 was signed by Democratic Gov. Wes Moore on April 8 and takes effect July 1. The law will permit the secretary of state to suspend or waive late fees assessed to charitable organizations pursuant to a settlement agreement or as part of any regulations adopted regarding organizations that fail to file an annual report. The law will permit the secretary of state to cancel the registration of a charitable organization if the organization failed to submit a statement of intent and final annual report within three years after their due date and the office sends a letter of cancellation to the last known address and email address of the charitable organization. Charitable organizations could request to be reinstated if they:

• Submit any outstanding annual reports, supporting materials and annual fees required.
• Remit any unpaid late fees unless they are suspended.
• Are in good standing with the Department of Taxation.
• Have current 501(c)3 status, if applicable.
• Provide any other information that the secretary of state requires.

A companion bill, SB 184/Chapter 80, was signed by Governor Moore on the same day.

Montana SB 134 was signed by Republican Gov. Greg Gianforte on April 17 and took immediate effect. The Safeguarding Endowment Gifts Act prohibits a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the law grants the donor or their legal representative a private right of action. The law is retroactively applied to any endowment agreement entered into after January 1, 1975.

New Mexico SB 259, sponsored by Sen. Kathy Duhigg, D-Albuquerque, passed the Senate Tax, Business and Transportation Committee with an amendment on February 25. The bill would expand the Charitable Solicitation Act to regulate third party solicitors, defined in the bill as a person that contracts with a charitable organization to facilitate the sale of nonperishable goods as a fundraising mechanism. The bill would require third party solicitors or professional fundraisers to file with the attorney general a copy of the intended written contract with the charitable organization on whose behalf they intend to set up collection receptables or a charitable store. Contracts between a third-party solicitor and a charitable organization would be required to include a number of disclosures.  The solicitor would also be required to file a detailed financial report to both the charity and the AG within 90 days of the close of the campaign.

Oklahoma SB 844 passed the Senate Retirement and Government Resources Committee with amendments on March 4 and is now pending on Senate floor.  The bill, the Safeguarding Endowment Gifts Act, would prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of restriction, the bill would grant the donor or their legal representative a private right of action. The amendment struck the title of the bill, allowing the chamber of origin to consider the bill again, regardless of the form it passes the second chamber in.

Pennsylvania HB 212, sponsored by Rep. Lisa Borowski, was introduced and referred to House State Government Committee on January 17, 2025. The bill would exclude in-kind contributions from the state’s gross annual contribution reporting requirement.  Its purpose is to relieve organizations having limited cash resources from audit requirements based upon gross contribution amounts.

Rhode Island SB 783 has been scheduled for a hearing in the Senate Finance Committee on April 24 at 4:00 PM. The bill would raise the threshold that would permit organizations to meet required reporting and records requirements by providing either an IRS Form 900 or other approved financial statements to $1 million.

Tennessee HB 391 has been scheduled for hearing in the House State and Local Government Committee on March 12 at 1:30 PM. The bill would revise provisions of existing law by requiring the filing of solicitation materials with the secretary of states to be completed within 90 days after a solicitation campaign has been completed or within 90 days after the end of the fiscal year for a campaign that lasts more than one year.  The bill removes requirements which could have been read to give the Sec of State approval authority over proposed scripts for oral solicitations. A companion bill, SB 453, passed the Senate Commerce and Labor Committee on February 25 and is now pending scheduling for a Senate floor vote.

Tennessee SB 453 was delivered to Republican Gov. Bill Lee on April 21, who will have until May 2 to sign or veto the bill or it becomes law. The bill would revise provisions of existing law by requiring the filing of solicitation materials with the secretary of state to be completed within 90 days after a solicitation campaign has been completed or within 90 days after the end of the fiscal year for a campaign that lasts more than one year. The bill would also provide that the text of any solicitation scripts or pitches made to the public orally are no longer required to be utilized in the campaign.

Tennessee SB 454 was signed by Republican Gov. Bill Lee on April 11 and took immediate effect. The law clarifies that a professional solicitor includes servants or employees specially employed by or for a charitable organization who are engaged in the solicitation of contributions.

West Virginia HB 2710, sponsored by House Judiciary Committee Chair JB Akers, R-Charleston, passed that committee with a substitute on March 5. The bill would require thrift operators who purchase consumer goods that have been donated for resale to disclose to the consumer whether their donations are benefiting charitable organization or a for-profit business. The substitute was technical in nature.

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California AB 488 Governor Gavin Newsom signed the bill into law on October 7, 2021. The law took effect January 1, 2023.

TNPA participated in a multi-year stakeholder process for this legislation which resulted in many necessary changes to the original draft created by the Attorney General’s office. Nevertheless, significant issues remain to be resolved through the means of rulemaking during the course of the coming year.  The Attorney General conducts the rulemaking.  The bill’s stakeholders, including TNPA, will undoubtedly participate in the process.

The bill establishes new requirements for online fundraising by third parties. However, the legislation is NOT applicable to a charity’s own website and online fundraising. Entities defined in the legislation as a “fundraising platform” or “platform charity” would be required to register with the AG and to submit annual reports. The legislation requires a number of compelled disclosures designed to give prospective donors adequate information (such as fees to be deducted from the intended gift, how long it may take for the beneficiary nonprofit to receive its gift, etc.). 

The new California categories of solicitation law oversight are unique and will surely draw the attention of charity officials in other states. It is likely other states will let the California experiment play out rather than rush to emulate.  Nonprofits currently receiving significant funds from the newly regulated platforms will also be watching.  It is not a forgone conclusion the legislation and forthcoming regulations will strike the right balance between protecting donors and allowing support dollars to flow to nonprofit missions.

NOW LAW: Colorado SB 129 was signed by Democratic Gov. Jared Polis on May 24, 2024 and took effect September 23, 2024. This donor privacy law will prohibit a public agency from requiring any person to provide the public agency with data that identifies a member of a nonprofit entity or compelling the disclosure of member-specific data and would provide for penalties for violations.

NOW LAW: Colorado SB 16 was signed by Democratic Gov. Jared Polis on June 7, 2024 and took effect on August 8, 2024. The law will authorize a taxpayer to make a charitable contribution to a charitable recipient organization through a qualified intermediary that forwards the contribution to the charitable recipient organization, rather than making the contribution directly to the charitable recipient organization, without losing the right to claim a state income tax credit.

NOW LAW: Georgia SB 433/Act 423 was signed by Republican Gov. Brian Kemp on April 22, 2024 and took effect July 1, 2024. The law will prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the law will grant the donor or their legal representative a private right of action.

NOW LAW: Georgia SB 412/Act 612 was signed by Republican Gov. Brian Kemp and took immediate effect (May 2024). The law permits the secretary of state, at their discretion, to suspend or revoke the registration of a charitable organization, paid solicitor or solicitor agent for violations of existing law. The law also raises the maximum penalties for violations to $10,000 for a single violation and $100,000 for multiple violations.

NOW LAW: Hawaii SB 2693/Act 211 was signed by Democratic Gov. Josh Green on July 5, 2024 and took immediate effect. The law establishes the offense of charitable fraud during a state of emergency. The offense would range from a misdemeanor if the value of the contributions received is less than $750 up to a class B felony for contributions received over $20,000.

NOW LAW: Hawaii SB 2983/Act 205 was signed by Democratic Gov. Josh Green on July 5, 2024 and takes effect January 1, 2026. The law will require charitable fundraising platforms to register with the attorney general before soliciting, permitting, or otherwise enabling solicitations for charitable purposes. Fundraising platforms and platform charities will be required to make various disclosures before a person can complete a donation or select or change a recipient charitable organization, including the maximum length of time it takes charitable organizations to receive the funds and the fees to be deducted. Fundraising platforms and platform charities will also be required to make periodic reports to the department on a provided form that will enable the department to ascertain whether charitable funds have been properly solicited, received, held, controlled or distributed.

NOW LAW: Illinois HB 1197/Public Acts 121 was signed by Democratic Gov. J.B. Pritzker on June 30, 2023 and takes effect January 1, 2023. The bill would provide that every charitable organization that receives contributions in excess of $750,000, rather than the $300,000 specified under existing law, would be required to file a written report with the attorney general with specified information. The bill would also require organizations that receive contributions in excess of $25,000 but less than $750,000 to file a simplified report with the attorney general.

NOW LAW: Indiana SB 302/Public Law 40, sponsored by Senate Judiciary Committee Chair Liz Brown, R-Fort Wayne, was signed by Republican Gov. Eric Holcomb on April 20, 2023 and takes effect July 1, 2023. The law will prohibit state agencies or officials from imposing filing or reporting requirements on charitable organizations that are more stringent or burdensome than those imposed by or authorized under state or federal law.

NOW LAW: Kentucky SB 70 was signed by Democratic Gov. Andy Beshear on April 9, 2024 and took effect July 14, 2024. The law will prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the law will grant the donor or their legal representative a private right of action.

NOW LAW:  Louisiana SB 179/Act 262 was signed by Democratic Gov. John Bel Edwards on June 3, 2022 and took immediate effect. The law prohibits state agencies from imposing any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. The legislature can review any requirements that are more restrictive. The law defines charitable organizations as a person who holds himself out to be benevolent, civic, recreational, educational, voluntary, health, law enforcement, social service, philanthropic, fraternal, humane, patriotic, religious or eleemosynary organization.

NOW LAW: Mississippi SB 2545 was signed Republican Gov. Tate Reeves on April 15, 2024 and takes effect July 1. The law will define monetary donations to mean cash or cash equivalents. It also raised the audit threshold from $500,000 to $750,000.

NOW LAW: Missouri HB 2400 was signed by Gov. Mike Parsons on June 30, 2022, and took effect August 28, 2022. The law prohibits state agencies or state officials from imposing any annual filing or reporting requirements on charitable organizations that are more stringent than specified under existing law.

NOW LAW: New Hampshire SB 375/Chapter 173 was signed by Republican Gov. Chris Sununu on June 7, 2022 and takes effect August 6. The law will prohibit the state from imposing any annual filing or reporting requirement on a charitable organization that is more stringent than already required under existing law. The law will also raise the compulsory audit threshold for annual reporting by nonprofits from $1 million to $2 million.

NOW LAW: North Carolina SB 429/Session Law 119 was signed into law by Democratic Gov. Roy Cooper on September 14, 2023. The law took immediate effect with certain provisions taking effect October 1. The law will increase the qualifying income threshold for exemption from charitable solicitation requirements to $50,000 from $25,000. The law will also specify that licensure applications are considered filed as of the date they are postmarked or electronically submitted.

NOW LAW: South Dakota HB 1116 passed the Senate on February 21, 2024 and was signed by Republican Gov. Kristi Noem on February 28. The law takes effect July 1. The law will make fraudulent solicitation of charitable contributions a deceptive act or practice.

NOW LAW: Tennesse SB 1935/Chapter 773 was signed by Republican Gov. Bill Lee on April 8, 2022 and took immediate effect. The law removes requirements that financial statements, annual event applications, charitable solicitation applications and athlete agent registrations filed with the secretary of state be sworn under penalty of perjury.

NOW LAW: Tennessee HB 1707 was signed by Republican Gov. Bill Lee on March 7, 2024 and takes effect July 1. The law will amend various provisions regarding charitable solicitations in the state including, in part, adding to the definition of a charitable organization by including a person that is determined by the Internal Revenue Service to be a tax-exempt organization pursuant to the Internal Revenue Code. The law will also:

• Authorize the secretary of state, by order, letter, or other appropriate means, to enjoin the charitable organization, professional fundraiser, or other person from continuing an act or violation, or committing other acts in furtherance of it, during the course of an investigation.
• Require renewal registrations to be accompanied by a copy of forms required to be filed with the U.S. Internal Revenue Service, and any other information the secretary deems appropriate to substantiate how funds were raised and spent by the organization. At least two authorized officers of the organization, one of whom must be the chief fiscal officer, must certify that the information provided under this law is true and correct to the best of their knowledge.
• Prohibit a person from making any representation that such person is soliciting contributions for or on behalf of a charitable organization or from using or displaying any emblem, device or printed matter belonging to or associated with a charitable organization for the purpose of soliciting or inducing contributions from the public without first being authorized to do so by the charitable organization.

NOW LAW: Utah HB 43 was signed by Republican Gov. Spencer Cox on March 13, 2024 and took effect May 1, 2024. The law removes a requirement that charitable organizations register with the Division of Consumer Protection. The law will also prohibit deceptive acts related to charitable solicitations, including falsely indicating that the supplier is affiliated with the charitable organization.

NOW LAW: Virginia HB 1748/Chapter 289 was signed by Republican Gov. Glenn Youngkin on March 23, 2023 and took effect July 1, 2023. The law will expand the definition of solicitation to include requests made via email. It will also require any contract between a professional solicitor and charitable or civic organization to specify the percentage of gross contributions that the civic organization will receive or the terms upon which a determination can be made. The contract will also be required to specify that at least every 90 days the professional solicitor would be required to provide the charitable or civic organization with access to and use of all information in the professional solicitor’s possession concerning contributors.

NOW LAW: Virginia HB 464 was signed by Gov. Youngkin on April 2, 2024 and took effect July 1, 2024. The law raises the audit threshold from $1 million to $1.5 million.

NOW LAW: Wisconsin AB 912/Act 151 was signed by Democratic Gov. Tony Evers on March 21, 2024 and took immediate effect. The law raises the audit threshold from $500,000 to $1 million.

States: Nonprofit Governance

NOW LAW: Illinois SB 2930/Public Act 635 was signed by Democratic Gov. J. B. Pritzker on July 1, 2024, and effective as of January 1, 2025. The law will, in part, provide that a nonprofit, within 30 days after filing its annual AG990-IL Charitable Organization Annual Report, that reports grants of $1 million or more to other charitable organizations would need to post on its website, if applicable, the aggregated demographic information of the corporation’s directors and officers, including race, ethnicity, gender, disability status, veteran status, sexual orientation, and gender identity.

N.B. A suit challenging the law’s constitutionality was filed by American Alliance for Equal Rights on January 21, 2025. More information on the suit, as well as a link to the complaint, can be found in the NonProfit Times, here.

States: Salary Disclosure

Read more about this issue

PROPOSED LAWS:

Alaska HB 156, has been scheduled for a hearing in the House Labor and Commerce Committee on May 2 at 3:15 PM. The bill would increase employer transparency regarding employee compensation. It would::

• Require employers to include salary or wage ranges in job advertisements.
• Allow employees and job applicants to discuss their own compensation and inquire about others’ compensation without facing employer retaliation.
• Prohibit employers from asking applicants about their previous compensation or prevent employees from assisting others in exercising these rights.
• Require employers to display a summary of these rights in a conspicuous location within the workplace.

A sponsor analysis of the bill is available here.

Connecticut SB 1036, sponsored by Sen. Mae Flexer, was referred to the Joint Labor & Public Employees Committee on January 22. The bill would establish disclosures to ensure pay transparency and eliminate wage disparities. It would require employers to:

• Disclose pay and other information in all job postings and notices, both internal and external.
• Disclose all available job postings to all employees and disclose who was selected for such positions.
• Disclose how to advance through career progressions available to eligible employees.
• Preserve records of job descriptions.

Maine LD 54/HP 18,  sponsored by Joint Labor Committee Chair Rep. Amy Roeder and introduced January 6, 2025.  Referred to the Joint Labor Committee on January 6.  The bill would require an employer with 10 or more employees:

• To list the pay range for job postings.
• Upon employee request, to disclose the pay range for the employee’s position.
• To maintain a record of each position held by an employee and the employee’s pay history during employment and for three years after.

Maine LD 941 (HB 941) sponsored by Rep. Marshall Archer, D-Saco, was referred to the Joint Labor Committee on March 5. Representative Archer is a member of the committee. The bill would require an employer that employs 10 or more employees to include a wage range in any job posting for a position of employment in the state. An employer acting in good faith could pay an employee a wage different than the wage range based upon factors such as market conditions or the experience or education of the employee.

New York SB 5990 sponsored by Senate Labor Committee Chair Jessica Ramos, D-Jackson Heights, was referred to that committee on March 4. The bill would require employers to provide disclosures regarding employee compensation and benefits, including any non-salary or non-wage compensation and benefits. Companion bill AB 5906 was introduced on February 25 and referred to the Assembly Labor Committee; it is sponsored by Asm. Alex Bores, D-Upper East Side, who is a member of the committee.

Virginia SB 1132 was vetoed by Republican Gov. Glenn Youngkin on March 24; the legislature could override the veto with a two-thirds vote of members present. The bill would have established protections for prospective employees. The bill would have prohibited a prospective employer from:

• Seeking the wage or salary history of a prospective employee.
• Relying on the wage or salary history of a prospective employee in determining the wages or salary the prospective employee is to be paid.
• Relying on the wage or salary history of a prospective employee in considering the prospective employee for employment.
• Refusing to interview, hire, employ or promote an employee or prospective employee or otherwise retaliating against a prospective employee for not providing wage or salary history.
• Failing or refusing to disclose the wage, salary, or wage or salary range in each public and internal posting for each job, promotion, transfer, or other employment opportunity.

The bill would have also established a cause of action for an aggrieved prospective employee or employee.

Washington SB 5408 is now pending delivery to Democratic Gov. Bob Ferguson after the Senate concurred with House amendments on April 22. The bill would allow any individual to provide written notice to an employer alleging that the job posting does not comply with disclosure of wage scale or salary range requirements. If an employer corrects the posting within 14 calendar days of receiving the written notice, no penalties, damages or other relief would be assessed.

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California SB 1162 /Chapter 559 was signed by Democratic Gov. Gavin Newsom on September 27, 2022, and took effect January 1, 2023. The law expands state pay data reporting requirements to cover contracted employees. The law requires a private employer having 100 or more employees to submit a pay data report to the Civil Rights Department. This law revises the timeframe in which a private employer is required to submit this information to require that it’s provisioned on or before the second Wednesday of May. This law requires the pay data report to include the median and mean hourly rate for each combination of race, ethnicity and sex within each job category. It also requires an employer, upon request, to provide an employee with the pay scale for the position in which the employee is currently employed. The law requires an employer with 15 or more employees to include the pay scale for a position in any job posting. The law requires an employer to maintain records of a job title and wage rate history for each employee for a specified timeframe, to be open to inspection by the labor commissioner

NOW LAW: Maryland HB 649/Chapter 271 alters the requirement that an employer disclose wage information to an applicant for employment. An employer will be required to disclose wage information in postings and to employees, as specified. A wage range disclosed by an employer will have to be set in good faith. The law also prohibits an employer from taking retaliatory action against employees and requires keeping a record of compliance for at least three years. The law was signed by Democratic Gov. Wes Moore on April 25, 2024 and took effect on October 1, 2024. 

NOW LAW: Massachusetts HB 4890/Chapter 141 was signed by Democratic Gov. Maura Healey on July 31, 2024 and takes effect October 29, 2025. The law requires:

• Annually, by February 1, a covered employer, subject to EEO-1 data report filing requirements, to submit to the state secretary a copy of its EEO-1 data report for the prior year.
• In each odd-numbered year, not later than February 1, a covered employer, subject to federal EEO-3 data report or EEO-5 data report filing requirements, to submit to the state secretary a copy of its EEO-3 data report or EEO-5 data report, as applicable, covering the most recent filing period.
• In each even-numbered year, not later than February 1, a covered employer, subject to federal EEO-4 data report filing requirements, to submit to the state secretary a copy of its EEO-4 data report covering the most recent filing period.

Employers will also be required to:

• Disclose the pay range for a particular and specific employment position in posting it.
• Provide the pay range for a particular and specific employment position to an employee who is offered a promotion, or transfer, to a new position with different job responsibilities.
• Provide the pay range for a particular and specific employment position to an employee holding such position, or to an applicant for such position, upon request.

NOW LAW: Minnesota SF 3852/Chapter 110 is an omnibus labor policy act. Its provisions include requiring salary ranges be included in job postings. The act was signed into law by Gov. Tim Walz on May 17, 2024, and the relveant provisions are effective as of July 1, 2024, and Janury 1, 2025.

NOW LAW: New York SB 1326/Chapter 94 was signed by Gov. Kathy Hochul on March 3, 2023 and has effect from September 17, 2022 at the same time as SB 9427 from last session. The law specifies that existing laws on salary disclosure exclude remote work opportunities performed entirely out of state.

NOW LAW: Vermont HB 704 requires that job advertisements include the compensation or compensation range and job description for the advertised position. The act also prohibits employers from taking adverse action against current or prospective employees pursuant to the rights provided in the bill. The act was signed into law by Republican Gov. Phil Scott on June 4, 2024 and will take effect on July 1, 2025.