Data Privacy > The Nonprofit Alliance

Data Privacy

Tuesday, September 4, 2023 | The California data broker legislation (California SB 362) would be harmful to nonprofits who fundraise in California. The legislation would create a “delete my information” provision whereby consumers/donors could request removal from all California-registered data brokers with a single click. Read more below.

California Data Broker Legislation SB 362

Facing a fast-moving threat with this legislation, on August 21, 2023, TNPA sent out an Action Alert to all TNPA members asking those who have relationships with California-based nonprofits to encourage them to contact California Assembly Speaker Robert Rivas to slow down the hurried process of this legislation.

Specifically, we requested that our members contact Speaker Rivas to move in a more deliberative manner to allow consideration of the bill into next year, which would give legislators the opportunity to understand and consider the unintended harm to nonprofits.

Despite the efforts of TNPA and others, on September 1, the legislation was cleared for consideration for passage on the Assembly Floor, and if passed by the Assembly by September 15, it will likely be enacted into law.

We again ask all our members who have relationships with California-based nonprofits to contact California Assembly Speaker Rivas to slow down the hurried process and delay consideration of the bill until 2024 — allowing an opportunity to improve the bill and make it more livable for nonprofits.

Click the button below to download a letter that can be used to contact Speaker Rivas.

Facts About California SB 362

- SB 362 amends California’s existing data broker registration law. It passed the Senate and has raced through the Assembly with only a single further, usually pro forma, stop in the Appropriations Committee. Its final passage could come in days.

- The bill would create an omnibus “delete my information” provision whereby consumers/donors could request removal from all 500 registered data brokers with a click. If your nonprofit uses co-ops or modeled data, your donor programs will be impacted.

- This effective data scrubbing will be magnified by the fact that the bill will permit third parties to make the removal request on a consumer’s behalf — thereby allowing for-profit “privacy services” to recruit.

- The Assembly Speaker, Robert Rivas, has the authority to slow the legislative process — if given reason to do so.

The California Consumer Privacy Act (CCPA) was enacted through a prolonged, deliberative process, including a ballot measure and several subsequent iterations in the legislature. This broker registration legislation, an enforcement companion to the CCPA, requires as much care and attention.

Download Sample Letter

The Patchwork Quilt of State Privacy Laws Continues to Expand

There are now nine states which have enacted state privacy statutes: California, Colorado, Connecticut, Iowa, Texas, Utah, and Virginia, with most recently, Montana and Oregon having enacted legislation. Legislation in Delaware has passed the legislature, and Governor John Carney has said he will shortly sign the measure into law. That would make a total of ten states. Of these ten states, Colorado, Delaware, and Oregon cover nonprofits. With most state legislatures having adjourned for the year, there will likely not be more states added to this list before year-end. However, in New York, privacy legislation, which would cover nonprofits, failed to be enacted by the early June deadline for such legislation. It appears that the effort to pass this legislation will again continue when the legislature reconvenes in January 2024.The best possible outcome to the growing patchwork quilt of state privacy statutes would be for Congress to enact comprehensive, bipartisan national privacy legislation — likely taking several years to pass. Surprisingly, the ever-increasing list of state privacy laws has not seemed to “move the needle” in Congress toward a national privacy bill. TNPA continues working with Republicans and Democrats on Capitol Hill toward the passage of privacy legislation.

In Washington State there have been numerous efforts – so far unsuccessful – to pass privacy legislation. Washington State will remain on the list of states to watch. Importantly, in Oklahoma with the help of determined efforts of TNPA members, legislation to enact the nation’s first-ever opt-in privacy statute was defeated in 2021 and again in 2023.

Read more about state legislation that has been proposed or enacted at the bottom of this page and also on our webpage Legislation in the States.

Data Privacy: Background & Current Situation

PRIVACY: What is the issue?

As Americans are sharing more personal data and as the internet has enabled companies to collect more personal data, it is important to ensure that nonprofit organizations are ethical custodians of the data with which they are entrusted, and also have access to the information to enable them to further their missions.

Why do nonprofits care?

Donor trust is foundational to nonprofits’ ability to raise funds and provide services.
Organizations use consumer data and third-party data providers to ensure our programmatic and fundraising marketing messages are delivered to those most likely to benefit – and, likewise, not to those who will not.
At times we also use consumer data, including aggregated depersonalized data, to assess need, measure effectiveness, and better direct resources to the people and places that need it the most.
Nonprofits rely on commercial data companies to maintain data in secure environments at a level that many nonprofits could not afford to maintain on their own, certainly not without significantly reducing the funds available to spend on direct mission-focused work.

What is the Ideal Policy?

TNPA calls upon Congress to enact a national privacy statute for the proper handling of data, to both protect consumers and allow for the legitimate use of data:

Federal legislation to create a single, clear, uniform set of national standards and guidelines.
Include a clear preemption of any current or future state privacy statutes to create national consistency of laws.
Require litigation of federal privacy legislation be filed in only federal court (and not state courts), which would create greater national uniformity of enforcement.
No Private Right of Action, which could result in a proliferation of class action lawsuits, many of which would be frivolous.

For an in-depth discussion of these points and policy proposals, read TNPA’s Discussion Points in Preparation for Drafting Federal Legislation Called The Individual Privacy Act.

What is the Current Situation?

U.S. Federal Law:

Over the years a number of federal laws have been passed dealing with portions of the handling of data, however there is no broad-based federal statute to address the overall question of how data should be handled to better protect the privacy of consumers, while setting out clear guidelines for the proper use of data by businesses.

On December 20, 2022, the Omnibus Spending Package to fund the federal government through the end of the fiscal year (September 30, 2023) did NOT include the language of H.R. 8152, the American Data Privacy and Protection Act, which was reported out of the House Energy & Commerce Committee earlier in 2022. As proposed in July, 2022 H.R. 8152 included fifteen “carveouts” which would allow current state privacy-related statutes to stay in force. The bill also allowed for a Private Right of Action, which could lead to frivolous class action lawsuits.

Since H.R. 8152 was not included in the “must pass” Omnibus Spending Package, it was thus not enacted into law before Congress officially closed out the 117th Congress at year end. Accordingly, H.R. 8152 “died,” as all legislation which has not passed does at the end of a two-year congressional cycle. With the new 118th Congress having convened in January, Congress starts over with a clean slate.

Far-reaching, highly impactful legislation — which comprehensive national privacy legislation clearly is — often takes several two-year Congresses to gain enactment.

(See below for individual states)

In the States:
What to keep an eye on

California State Law:

California Consumer Privacy Act (CCPA) of 2018

It does exempt nonprofit organizations from its restrictions.
However, the burdens placed on corporate providers of data to nonprofits have stopped many small- to mid-sized data providers from doing business in California, creating obstacles and extra expense for nonprofits communicating with supporters in California.

According to the California Attorney General’s website:

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This law secures new privacy rights for California consumers, including:

The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

California Privacy Rights Act (CPRA) of 2020

Modified the CCPA (above) when approved via ballot initiative Proposition 24 in November 2020.
Creation of a new California Privacy Protection Agency.
The key provisions of the CPRA will NOT go into effect until January 1, 2023.

Colorado State Law:

Colorado SB 190 , the Protect Personal Data Privacy Act, was signed into law on July 7, 2021, and will take effect on July 1, 2023. Major provisions include:

Enable a consumer to opt-out of the processing of their personal information.
Confirm whether or not a controller is processing personal data concerning the consumer and to provide access to that information.
The right to correct inaccurate personal information.
The right to have personal information deleted.
Controllers would be required to provide a meaningful privacy notice to consumers detailing their various rights
Does not contain a private right of action.

Nonprofit organizations are NOT exempted from the requirements of the law.

Notes:

The statute does not prescribe fundraising, but unlike other states, registering to solicit in the state is considered “doing business” in Colorado.
To fall under the jurisdiction of the statute, an organization must have personal data on 100,000 or more Coloradans; or receive revenue or discounts from the sale of data (e.g., list rental and exchange) and have data for 25,000 or more Coloradans.

Connecticut State Law:

Connecticut SB 6/Public Act 22-15, sponsored by Senate President Pro Tempore Martin Looney, D-New Haven, was signed on May 10, 2022, and takes effect July 1, 2023. The law will grant consumers various rights including:

The right to confirm whether or not a controller is processing the consumer’s personal data.
The right to correct inaccuracies in their personal data.
The right to delete personal data provided by or obtained about the consumer.
The right to obtain a copy of the consumer’s personal data processed by the controller.
The right to opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects.

Controllers will be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers will also be prohibited from processing the sensitive data of a consumer without their affirmative consent. The law will not apply to nonprofit organizations, does not provide a private right of action and will grant controllers a right to cure at the discretion of the attorney general. The law will also specify that a controller is not required to authenticate an opt-out request but will be able to deny a request if the controller has reasonable and documented belief that the request is fraudulent. Controllers will be required to send notice to the person making the request that they believe the request is fraudulent.

Utah State Law:

Utah SB 227 was signed March 24, 2022, and takes effect December 31, 2023. The law will grant consumer’s various rights including:

The right to confirm whether a controller is processing the consumer’s personal data and to access their data.
The right to correct inaccurate personal data.
The right to delete the consumer’s personal data.
The right to obtain their personal data in an easily portable format.
The right to opt-out of the processing of their data for the purposes of targeted advertising or the sale of personal data.

The law does not apply to nonprofit organizations and does not contain a private right of action.

Virginia State Law:

Virginia SB 1392, the Virginia Consumer Data Protection Act, was signed into law on March 2, 2021, and will take effect on January 1, 2023.  The CDPA grants consumers the right to confirm, correct, and delete personal data and opt-out of use of data for advertising or sale.  It includes an opt-in consent requirement for sensitive data.  Nonprofits are largely exempt.

Other States

Other states have considered their own new state privacy statutes over the past few years, risking the creation of a “patchwork quilt” of varying, and often conflicting, state privacy laws.

Click here for more information about privacy legislation being proposed in state legislatures.

Who are key players?

IN THE U.S. SENATE

Senator Maria Cantwell (D-WA) as Chair of the Commerce Committee.
Senator Ted Cruz (R-TX) as Ranking Republican on the Commerce Committee.
Senator Jerry Moran (R-KS) as a senior member of the Commerce Committee.
Senator John Thune (R-SD) as the former Chair of the Commerce Committee and Senate Republican Whip.

IN THE U.S. HOUSE OF REPRESENTATIVES

Congresswoman Cathy McMorris Rodgers (R-WA) as the Chair of the Energy & Commerce Committee.
Congressman Frank Pallone (D-NJ) as the Ranking Democrat on the Energy & Commerce Committee.

Privacy activity in the States

New laws and bills to watch in state legislatures