State privacy laws are creating a patchwork of compliance requirements for nonprofits. California's CCPA led the charge, and now multiple states have passed privacy laws with similar but not identical requirements. Virginia, Colorado, Connecticut, Utah, and Montana have all passed comprehensive privacy laws. Illinois has data protection laws specifically for biometric data. Texas and others have retail privacy laws. For nonprofits collecting information from people in multiple states, understanding which laws apply and what they require is essential. This article provides an overview and practical guidance for nonprofits navigating this landscape.

The good news is that the core requirements across state laws are similar: transparency about data collection, user rights to access and delete their data, security requirements, and breach notification. Compliance is less about different approaches per state and more about implementing solid data protection practices. This article addresses the core requirements and how nonprofits can comply efficiently with multiple state laws.

Understanding Applicability: Which Laws Apply to Your Nonprofit

State privacy laws apply based on where people whose data you process live. If you collect information from California residents, CCPA applies. If you collect from Virginia residents, Virginia CDPA applies. If you operate nationally and collect from multiple states, multiple laws might apply. The good news: if you implement best practices that satisfy the strictest laws, you're likely compliant with others.

Generally, privacy laws apply if you collect personal information and you either: serve people in that state or target people in that state for services. Most nonprofits that operate in a state or serve residents of a state are subject to that state's privacy laws. If your nonprofit is based in California but serves nationally, California law applies to all your data. If you operate in multiple states, multiple laws apply.

Some laws have exemptions for nonprofit organizations or small organizations. For example, some laws don't apply to nonprofits or apply only to nonprofits above a certain size. Check whether your nonprofit qualifies for exemptions. However, don't assume exemptions apply—read the specific law. When in doubt, consult a lawyer familiar with privacy law.

Core Privacy Law Requirements: Consistent Across States

While state privacy laws differ in specifics, the core requirements are consistent. People whose data you collect have the right to know what information you collect and how you use it, the right to access their data, the right to delete their data (with some exceptions), and the right to opt out of certain uses. Your organization must protect data security, notify people of breaches, and in some cases honor "do not sell" requests.

Transparency and disclosure: You must tell people what information you collect, how you use it, and who you might share it with. This typically means publishing a privacy policy that clearly explains your practices. You must obtain consent before collecting sensitive information (like health or financial data). Make your privacy policy accessible and understandable.

Right to access: People have the right to request and receive a copy of the information you hold about them. You should be able to provide this within a reasonable timeframe (typically 30-45 days). Have a process for data access requests. This should be reasonably easy for people to do—don't create barriers that prevent people from accessing their data.

Right to delete: People have the right to request deletion of their information in many circumstances. You must delete it or explain why you can't (for example, legal hold or essential business purposes). Don't deny deletion requests without legitimate reason. Implement the process to honor these requests.

Data security: You must implement reasonable security measures to protect personal information. This includes access controls, encryption, regular updates, and incident response planning. You don't need perfect security, but you need "reasonable" security appropriate to the sensitivity of data and your organization's size.

Breach notification: When you discover a breach of personal information, you must notify affected individuals without unnecessary delay (typically within 30-60 days). Notify state authorities if required. Breach notification laws have specific requirements about what to include in notification—consult a lawyer about your specific obligations.

Implementing Compliance: Practical Steps

Compliance with state privacy laws doesn't require completely overhauling your systems. It requires processes and practices that good organizations should have anyway. Start with an audit: what personal information do you collect, where do you store it, who has access, and how long do you keep it? Understanding your current state is the foundation for compliance.

Next, create or update your privacy policy. It should address what information you collect, why, how you use it, who you share it with, how people can access or delete their information, how you protect it, and what rights they have. Make it clear and specific. Avoid vague language. Publish it on your website and give it to people when you collect their information.

Implement processes for data access and deletion requests. Create a simple web form where people can request their data or ask for deletion. You should have a person or process to handle these requests within the timeline required by law. Document that you received the request, what action you took, and when. This documentation is important if you're ever audited or investigated.

Implement data retention policies. How long do you keep donor information? Program participant information? Vendor information? Set reasonable retention periods and delete information when it's no longer needed. This reduces your liability (less data means less risk) and demonstrates responsible data stewardship. Document your policies so staff understand them.
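The request-handling process and the retention policy described in the two paragraphs above can be tracked in one small piece of tooling. The following is an added example, not code from the original article: it logs each access or deletion request with an audit trail, computes its statutory due date, flags overdue requests, and lists records that have outlived their retention period. The response window and the retention periods are assumed placeholder values; set them to the law and policy that apply to your organization.

```python
"""Data-subject request log and retention check (constructed example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed response windows in days (the article cites a typical 30-45 days).
RESPONSE_WINDOW_DAYS = {"access": 45, "delete": 45}
# Assumed retention periods per record category; hypothetical policy values.
RETENTION_DAYS = {"donor": 7 * 365, "program_participant": 3 * 365, "vendor": 5 * 365}


@dataclass
class DataRequest:
    request_id: str
    kind: str                      # "access" or "delete"
    received: date
    actions: List[Tuple[date, str]] = field(default_factory=list)  # audit trail
    closed: Optional[date] = None

    def due_date(self) -> date:
        """Deadline by which the request must be answered."""
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS[self.kind])

    def record_action(self, when: date, note: str) -> None:
        """Document what was done and when, for later audit or investigation."""
        self.actions.append((when, note))

    def close(self, when: date, note: str) -> None:
        self.record_action(when, note)
        self.closed = when

    def is_overdue(self, today: date) -> bool:
        return self.closed is None and today > self.due_date()


def overdue_requests(requests: List[DataRequest], today: date) -> List[str]:
    """IDs of open requests whose deadline has passed."""
    return [r.request_id for r in requests if r.is_overdue(today)]


def records_past_retention(records, today: date) -> List[str]:
    """records: iterable of (record_id, category, date_last_needed)."""
    expired = []
    for record_id, category, last_needed in records:
        if today > last_needed + timedelta(days=RETENTION_DAYS[category]):
            expired.append(record_id)
    return expired


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    req = DataRequest("REQ-1", "access", date(2024, 1, 1))
    req.record_action(date(2024, 1, 2), "identity verified by email")
    print("due:", req.due_date(), "overdue today:", overdue_requests([req], date(2024, 3, 1)))
    print("expired:", records_past_retention([("D1", "donor", date(2015, 1, 1))], date(2024, 1, 1)))
```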

Ensure your vendor contracts include data protection requirements. If third parties process your data, they're subject to privacy laws too. Your contracts should require vendors to comply with applicable laws, protect data security, limit use to specified purposes, and notify you of breaches. Have lawyers review contracts before signing.

State-Specific Considerations: Key Differences

While core requirements are similar, some states have specific requirements worth noting. California's CCPA includes a right to know and a right to delete but exempts nonprofits in some respects. Virginia's CDPA and Colorado's CPA are broader. Connecticut's CTDPA and Utah's UCPA follow similar patterns. Illinois' biometric privacy law is specific to biometric data. Texas' HB 4 focuses on retail data.

The practical reality: if you implement best practices addressing the strictest laws (California CCPA, Virginia CDPA, Colorado CPA), you'll likely be compliant with others. Focus on core practices: transparency, data access and deletion processes, security, breach notification, and data retention. These practices satisfy most state requirements.

Keep current with new laws. State privacy laws are evolving rapidly. New laws are being passed regularly. Subscribe to updates from privacy organizations or consult periodically with a privacy lawyer to understand new requirements affecting your nonprofit.

Frequently Asked Questions

Do nonprofits have to comply with state privacy laws?

Mostly yes, with some exceptions. Some state laws exempt nonprofits entirely, or exempt those below a certain size. However, not all do, and exemptions are narrow. Unless you clearly qualify for an exemption under your state's law, assume you must comply. When in doubt, consult a lawyer. Compliance is good practice anyway—treating donor and constituent data responsibly is an ethical imperative beyond legal requirements.

What if we operate in multiple states?

Apply the strictest standard. If you collect data from California, Virginia, Colorado, and other states, implement practices that satisfy the strictest law. This approach ensures you're compliant across all states. You don't need different systems per state; you need one comprehensive approach that meets all applicable requirements. Focus on transparency, data access and deletion processes, security, breach notification, and retention policies.

What does "reasonable" security mean for compliance?

Reasonable security means measures appropriate to the sensitivity of the data and your organization's size and resources. For nonprofits, this typically includes: access controls (limiting who can access data), encryption (especially for data in transit and sensitive data at rest), regular updates and patching, secure password practices, data backups, and incident response planning. You don't need military-grade security, but you need thoughtful practices. If you implement the cybersecurity checklist, you're meeting reasonable security standards.

Do we need cyber insurance for privacy compliance?

Cyber insurance doesn't replace security practices—it helps with costs of a breach. Insurance is worth considering if you collect significant personal data or serve vulnerable populations. However, first implement the security practices. Insurance doesn't help you avoid breaches; it helps you pay for them. Focus on preventing breaches through good security, then consider insurance to help with costs if prevention fails.