Every year, new state privacy laws pass. California did it first (CCPA). Colorado followed (CPA). New York, Virginia, others. Each law is slightly different, with different thresholds and timelines.
This creates a patchwork. If you operate nationally, you might fall under California law, Colorado law, and New York law simultaneously. Each with different requirements.
This lecture provides a practical framework: which laws apply to you, what they require, and what you can do to be compliant across all of them.
The Basic Question: Does This Law Apply to My Nonprofit?
Most state privacy laws exempt nonprofits from some or all requirements, but the "nonprofit" exemption varies:
- CCPA (California): Nonprofits are generally exempt if they are registered 501(c)(3). But if you sell/license donor data, you're not exempt.
- CPA (Colorado): Nonprofits are exempt if registered and operating as nonprofit.
- NY SHIELD Act: Applies to all, including nonprofits. No exemption.
- Virginia Consumer Data Protection Act: Nonprofit exemption if registered.
The practical rule: if you are a registered 501(c)(3) nonprofit that doesn't sell personal information, you're exempt from most state privacy laws (except NY). If you're not registered, or if you sell/license data, you're subject to these laws.
Action: verify your 501(c)(3) status. Confirm with your state attorney general if you fall under their privacy law.
For Nonprofits Subject to Privacy Law
If you're subject to state privacy law (you're in NY, or you're selling data, etc.), here's what you need to do:
California CCPA (if applicable)
Applies if: You collect personal information from California residents and you sell/license it (most nonprofits don't).
Requirements:
- Disclose what data you collect and how you use it
- Let people request to know what data you have
- Let people request deletion
- Let people opt out of data sales
Timeline: 45 days to respond to requests.
New York SHIELD Act
Applies if: You do business in New York and collect personal information (yes, this includes nonprofits).
Requirements:
- Notify people if their data is breached (without unreasonable delay)
- Have reasonable security measures
- Have a data breach response plan
Timeline: Notify within 30 days of discovering breach.
Colorado CPA
Applies if: You collect personal information from Colorado residents (likely exempt if nonprofit 501(c)(3)).
Requirements:
- Provide a privacy policy
- Respect user rights to access, delete, and correct their data
Timeline: 45 days to respond to requests.
One Practical Solution: Do California + NY
If you're compliant with California CCPA (data protection) + New York SHIELD Act (breach notification), you're mostly covered across all states. Here's why:
- CCPA requires the strictest privacy protections
- SHIELD Act requires the fastest breach notification
- Other states usually have similar or less strict requirements
Practically, what this means:
- Have a privacy policy that says what data you collect, how you use it, and how long you keep it
- Provide a way for people to request access/deletion (email: [email protected])
- Respond to requests within 45 days
- Have a breach response plan that includes notifying people within 30 days if data is breached
- Have reasonable security (see Chapter 5.3 Lecture 1)
These five things cover 95% of what these state laws require.
Practical Implementation
Month 1: Audit your data. What personal information do you collect? What states are your supporters in? Do any state laws apply to you?
Month 2: Write/update your privacy policy. Make it public on your website. Cover: what data you collect, how you use it, how you protect it, how long you keep it, how people request access/deletion.
Month 3: Establish processes for access/deletion requests. Create an email ([email protected]) where people can request. Document a process for responding (pull record, send to requester, delete if requested).
Month 4: Document your breach response plan. (See Chapter 5.3 Lecture 4.)
Month 5 and onward (ongoing): respond to requests within 45 days, monitor for breaches, and update your privacy policy if your practices change.
Common Pitfalls
Pitfall 1: Assuming nonprofit exemption covers everything. It doesn't cover NY. It doesn't cover data sales. Check your specific situation.
Pitfall 2: Burying the privacy policy so nobody can find it. It should be easy to locate (footer link, clear label). People should be able to read it and understand what you do with their data in 2 minutes.
Pitfall 3: Not responding to access requests. A donor asks what data you have and you ignore them. That violates these laws and it's bad practice. Respond within 45 days.
Pitfall 4: Keeping data longer than you need. If someone hasn't donated in 5 years and isn't a prospect, delete their record (or truly anonymize it). Keeping data "just in case" is extra liability.
Key Takeaway
State privacy law is complex but boils down to: be transparent about what data you collect, protect it, respect people's rights to access/delete, and notify quickly if you get breached. Most nonprofits (especially 501(c)(3)s that don't sell data) are exempt from most laws. But adopting these practices anyway is smart. You're building trust, reducing liability, and doing right by your supporters.
Frequently Asked Questions
Do we need a lawyer to comply with state privacy laws?
For a first-draft privacy policy: no, you can write one yourself (templates are available online). For complex situations (you're selling data, you hold sensitive data): yes, consult a lawyer. For a nonprofit with standard donor data, doing the basics (privacy policy, access requests, breach notification) is doable in-house.
If we operate in multiple states, do we follow all state laws or the strictest one?
Legally, you follow all applicable laws. But practically, if you follow California + NY (the strictest), you're mostly compliant with the others. It's easier than running 10 different compliance programs. So: adopt California-level practices and NY breach notification, and you're covered in most places.
What counts as "personal information" for these laws?
Name, address, email, phone, IP address, donation amount, transaction history. Anything that can identify an individual. Fully anonymized data (no way to identify them even with additional data) is not personal information. Pseudonymized data (ID 12345, but you have the mapping) usually counts as personal information.
How do we handle a data access request?
Pull their record from your CRM. Compile everything you have about them (name, address, email, phone, donation history, volunteer history, event attendance). Send it via email or a secure portal. Remove their name/contact info if you want to mail it. Respond within 45 days. Keep a log of requests (when received, what was sent, when sent).
Are we liable if a vendor gets hacked and donor data is exposed?
It depends on your Data Processing Agreement with them. If the breach happened despite reasonable security (they did everything right and still got hacked), you're probably okay. If their security was negligent (no encryption, no backups, ignored warnings), you might be liable. Have agreements in place requiring vendors to maintain reasonable security and to notify you of breaches.