skip to Main Content

Data Privacy

Breaking News: On July 20, the House Energy & Commerce Committee reported out for consideration on the House floor H.R. 8152 the American Data Privacy and Protection Act. We certainly need national privacy legislation with one clear national standard, however, H.R. 8152 includes fifteen “carveouts” which would allow current state privacy-related statutes to stay in force. The bill also allows for a Private Right of Action, which could lead to frivolous class action lawsuits.  It is unclear when the bill will be taken up on the House floor.

Additionally, given the complicated nature of a comprehensive national privacy bill, along with the limited number of legislative days left in this election year, it appears that the Senate is, at least at this point, unlikely to take up this measure this year.

PRIVACY: What is the issue?

As Americans are sharing more personal data and as the internet has enabled companies to collect more personal data, it is important to ensure that nonprofit organizations are ethical custodians of the data with which they are entrusted, and also have access to the information to enable them to further their missions. 

Why do nonprofits care?

  • Donor trust is foundational to nonprofits’ ability to raise funds and provide services. 
  • Organizations use consumer data and third-party data providers to ensure our programmatic and fundraising marketing messages are delivered to those most likely to benefit – and, likewise, not to those who will not. 
  • At times we also use consumer data, including aggregated depersonalized data, to assess need, measure effectiveness, and better direct resources to the people and places that need it the most. 
  • Nonprofits rely on commercial data companies to maintain data in secure environments at a level that many nonprofits could not afford to maintain on their own, certainly not without significantly reducing the funds available to spend on direct mission-focused work.

What is the Ideal Policy?

TNPA calls upon Congress to enact a national privacy statute for the proper handling of data, to both protect consumers and allow for the legitimate use of data:

  • Federal legislation to create a single, clear, uniform set of national standards and guidelines.
  • Include a clear preemption of any current or future state privacy statutes to create national consistency of laws.
  • Require litigation of federal privacy legislation be filed in only federal court (and not state courts), which would create greater national uniformity of enforcement. 
  • No Private Right of Action, which could result in a proliferation of class action lawsuits, many of which would be frivolous.

For an in-depth discussion of these points and policy proposals, read  TNPA’s Discussion Points in Preparation for Drafting Federal Legislation Called The Individual Privacy Act.


What is the Current Situation?

U.S. Federal Law: 

Over the years a number of federal laws have been passed dealing with portions of the handling of data, however there is no broad-based federal statute to address the overall question of how data should be handled to better protect the privacy of consumers, while setting out clear guidelines for the proper use of data by businesses.

(See below for individual states)

What to Keep an Eye On?

In the U.S. House of Representatives

The Information Transparency & Personal Control Act (H.R. 1816), introduced by Representative Suzan DelBene (D-WA) and includes several key elements:

  • Clear federal preemption of state laws
  • Requires any litigation to go to federal court, NOT state courts.  
  • No private right of action
  • TNPA has been working closely with Congresswoman DelBene to broaden the cosponsorship of her bill, which currently has 21 cosponsors.

NOTE: Congresswoman DelBene is a former Microsoft executive, who genuinely knows data issues. In December 2020, she was chosen as the Chair of the House New Democrats Coalition, a group of 95 House Democrats committed to bipartisanship. In this new position, the Congresswoman will have an important platform to promote her legislation.

In the U.S. SENATE

No new privacy legislation has been proposed in the U.S. Senate since 2020. In that year, two Senate privacy bills took dramatically different approaches to seeking a national solution on privacy: 

1. The Consumer Data Privacy & Security Act (S. 3456) introduced by Senator Jerry Moran (R-KS), the Chair of the Senate Commerce Committee Subcommittee with privacy jurisdiction. 

  • Clear federal preemption of current and future state privacy laws (thus one uniform national policy for privacy). 
  • Requires any litigation relative to the legislation must go to federal court, rather than state courts, thus ensuring more uniform national enforcement. 
  • No Private Right of Action, which could result in a proliferation of class action lawsuits, many of which would be frivolous.
  • TNPA has been working closely with Senator Moran to gain support for his legislation.

2. The Consumer Online Privacy Rights Act (S. 2968) introduced by Senator Maria Cantwell (D-WA), the Ranking Democrat on the Senate Commerce Committee

  • NO federal preemption of state privacy laws. Would have the federal legislation serve as a floor for enforcement, allowing the states to individually enact their own state privacy statutes, provided they exceed the level of enforcement in the federal law – in effect, allowing an inconsistent patchwork of state privacy standards. 
  • Would allow litigation of the federal law to be taken to any court in the country, greatly increasing the likelihood of inconsistent enforcement of the law.
  • Allows a Private Right of Action, which could result in a proliferation of class action lawsuits, many of which would be frivolous.

In the States: What to keep an eye on

California State Law:

California Consumer Privacy Act (CCPA) of 2018

  • It does exempt nonprofit organizations from its restrictions.
  • However, the burdens placed on corporate providers of data to nonprofits have stopped many small- to mid-sized data providers from doing business in California, creating obstacles and extra expense for nonprofits communicating with supporters in California. 

California Privacy Rights Act (CPRA) of 2020 

  • Modified the CCPA (above) when approved via ballot initiative Proposition 24 in November 2020.
  • Creation of a new California Privacy Protection Agency. 
  • The key provisions of the CPRA will NOT go into effect until January 1, 2023.

Colorado State Law:

Colorado SB 190 , the Protect Personal Data Privacy Act, was signed into law on July 7, 2021, and will take effect on July 1, 2023. Major provisions include: 

  • Enable a consumer to opt-out of the processing of their personal information. 
  • Confirm whether or not a controller is processing personal data concerning the consumer and to provide access to that information. 
  • The right to correct inaccurate personal information. 
  • The right to have personal information deleted.
  • Controllers would be required to provide a meaningful privacy notice to consumers detailing their various rights
  • Does not contain a private right of action.

Virginia State Law:

Virginia SB 1392, the Virginia Consumer Data Protection Act, was signed into law on March 2, 2021, and will take effect on January 1, 2023.  The CDPA grants consumers the right to confirm, correct, and delete personal data and opt-out of use of data for advertising or sale.  It includes an opt-in consent requirement for sensitive data.  Nonprofits are largely exempt.

Other States

Other states have considered their own new state privacy statutes over the past few years, risking the creation of a “patchwork quilt” of varying, and often conflicting, state privacy laws. 

Click here for more information about privacy legislation being proposed in state legislatures.

Who are key players?


  • Senator Maria Cantwell (D-WA) as Chair of the Commerce Committee. 
  • Senator Roger Wicker (R-MS) as Ranking Republican on the Commerce Committee.
  • Senator Jerry Moran (R-KS) as a senior member of the Commerce Committee.
  • Senator John Thune (R-SD) as the former Chair of the Commerce Committee and Senate Republican Whip.


  • Congresswoman Suzan DelBene (D-WA) as the Chair of the House New Democrats Coalition.
  • Congressman Frank Pallone (D-NJ) as the Chair of the Energy & Commerce Committee.
  • Congresswoman Cathy McMorris Rodgers (R-WA) as the Ranking Republican on the Energy & Commerce Committee.
Back To Top