Legislative season continues to wind down. Only California’s legislature remains in session and considering bills of interest to the nonprofit and fundraising community. Five other legislatures are still in session and many legislative committees continue their work even though their parent legislatures have officially adjourned.
Gifts/Value In Kind
California AB 1181 was amended and re-referred to the Senate Appropriations Committee on August 12. However, the bill was then deemed to fit the 28.8 Senate rule which allows bills that do not have implementation costs to the state to skip appropriations hearing and vote. As amended, the bill would require financial records of charitable solicitations to be maintained according to generally accepted accounting principles (GAAP). Despite the GAAP requirement, it would also require a noncash pharmaceutical drug, nonprescription drug, medication, medical device or medical supply contribution received by a charitable organization restricted for use outside the United States to be valued using the fair value or a reasonable estimate of fair value in the end recipient market. The bill would not apply to noncash grants awarded by state, federal or other U.S. agencies that provide valuations for their noncash grants to the charitable organization.
The Nonprofit Alliance met by phone with the California Attorney General’s Office, which sponsored this bill, in addition to submitting letters to each of the three committees to which this bill was assigned at various points on its journey through the Legislature. We are strongly advocating for California to pause implementation long enough to allow FASB to finish its process of reviewing GIK valuation and confirming a single national financial accounting standard rather than a different rule only for the state of California. While the bill was revised to focus solely on pharmaceuticals and medical supplies, this bill if signed into law would set a precedent for California – and any other state – to create its own financial reporting rules that are inconsistent with the IRS Form 990 for anything from GIK to joint cost allocation, at significant cost to individual nonprofits.
The North Dakota Commerce Committee met on August 12 to consider a variety of topics including HB 1485, which requires a study of the protections, enforcement and remedies regarding the disclosure of consumers’ personal data. While minutes from the meeting were not immediate available the committee was scheduled to hear from Parrell Grossman from the attorney general’s office, Rep. Jim Kasper, R-Fargo, as well as representatives from the U.S. Chamber of Commerce, the State Privacy and Security Coalition and Microsoft.
California AB 25 passed the Senate Appropriations Committee on August 12 and is now pending a third reading and final vote in the Senate. The bill would provide an exception to existing California Consumer Privacy Act (CCPA) requirements by allowing a business to require authentication of a consumer in order to verify consumer requests. The bill would also authorize a consumer to bring a private civil action against a business that fails to implement reasonable security procedures if that failure results in unauthorized access and exfiltration, theft or disclosure. It would also exempt information collected by a business as part of a job application or in the course of the individual’s employment from most provisions of the law with the exception of the civil action provisions noted above.
There is a lot packed into this bill; the most interesting and complex is the right for businesses to require authentication of a consumer before responding to a request, for example, to provide data collected and stored about that individual. This is an important improvement to CCPA for both industry and consumers alike to protect individuals’ personal information. However, the responsibility is on the business to not only require sufficient authentication, but also ensure that it is consistently applied. There have been some interesting stories in the media of late about GDPR “compliant” businesses providing personal information without fully confirming that the person requesting was, in fact, that individual – everything from not noticing that the pdf of the required proof of identify was blank, or asking for a password but then providing the information anyway when the imposter consumer claimed they “forgot.” This leads very neatly into the next part of the CCPA amendment bill: the right for consumers to pursue a class action lawsuit for failing to protect their information.
California AB 846 passed the Senate Appropriations Committee on August 12 and is now pending a third reading and final vote in the Senate. The bill would modify the CCPA to specify that it does not prohibit a business from offering a different price, rate, level or quality of goods or services if the offering is in connection with a consumer’s voluntary participation in a loyalty or similar program or the offering is directly tied to the collection, use or sale of the customer’s data. The bill would prohibit a company from offering loyalty or similar programs that are unjust, unreasonable, coercive or usurious in nature. The bill would prohibit a business from selling information collected as part of a loyalty or discount program.
In other words, your frequent flyer miles are safe.
California AB 874 passed the Senate Appropriations Committee on August 12 and is now pending on the Senate consent calendar. The bill would create a public record exemption from the definition of “personal information.”
The fact that this clarification was even needed speaks to the haste with which the CCPA was drafted and passed in 2018.
California AB 1355 passed the Senate Appropriations Committee on August 12 and is now pending on the Senate consent calendar. This bill would clarify that “personal information” does not include deidentified or aggregate consumer information. It would also prohibit from discriminating against a consumer for exercising their rights under CCPA except if the differential treatment is reasonably related to the value provided by the data. A business would also be required to disclose to consumers that they have a right to request specific pieces of information and to request the deletion of the information.
“Deidentifed” is a term that does not have a single agreed-upon definition. The FTC set guidelines around it that CCPA did not directly adopt. Generally speaking, under CCPA data is considered deidentified when the company collecting, storing, and using the data both prohibits and prevents reidentification.
California AB 1564 passed the Senate Appropriations Committee on August 12 and is now pending a third reading and final vote in the Senate. The bill would require businesses to make available to consumers a toll-free telephone number and mailing address, or email address for online only businesses, for submitting requests for information required to be disclosed. Previous versions of the bill required a physical address.
Federal: On July 30, a Senate bill was introduced that would require data brokers to register with the Federal Trade Commission (FTC). Senators Gary Peters (D-MI) and Martha McSally (R-AZ) introduced S.2342, a bill to provide for requirements for data brokers with respect to the acquisition, use and protection of personal information, and to require that data brokers annually register with the FTC. In 2014, the FTC asked Congress to consider legislation to require the creation of a centralized mechanism where data brokers can identify themselves, describe their information collection and practices, as well as provide consumers an ability to opt-out and thus suppress the use of their data.
The Peters/McSally legislation is very topical, given that the Senate – in particular, the so-called “Gang of Six” Senators on the Commerce Committee – has been in the process of drafting national privacy legislation.
Federal: Nonprofits Await IRS Guidance on Donor Disclosure – On July 29, a Federal District Judge ruled that the Trump Administration must resume collecting donor information from nonprofit groups and give the public a chance to weigh in if the Administration tries to again halt this practice. Specifically, US District Judge Brian Morris ruled that last year the IRS did not give proper public notice before it stopped requiring tax-exempt groups to identify on their Form 990 returns donors contributing more than $5,000. The judge noted that the IRS should have given public notice and comment before implementing its policy change. Significantly, the judge emphasized that he was not ruling on the substance of the change, but rather blocked the change until proper procedure was followed.
This aspect of donor privacy is a very politically charged conversation. We’ll leave it at that.