Privacy regulations are multiplying. GDPR in Europe. CCPA in California. State-specific laws elsewhere. AI tools add complexity: every time you feed data into an AI system, you're making a decision about privacy.

This lecture breaks down compliance in practical terms. You don't need a lawyer to understand your obligations (though having one helps). You need clarity on what data you can use, when, and how.

The Privacy Landscape for Nonprofits

GDPR (European Union)

Applies to: Any nonprofit collecting data on EU residents. If you have any European donors or beneficiaries, GDPR applies to you.

Key rules:

  • You need explicit consent before processing personal data
  • People have the right to access their data, correct it, and delete it
  • You must tell people what you do with their data (transparency)
  • Data transfers outside the EU face restrictions
  • You're responsible for protecting the data, even if a vendor breaches it

For AI: Processing data through an AI tool counts as "processing personal data." You need people's consent for this. Your privacy policy must disclose it.

CCPA (California)

Applies to: Nonprofits collecting data on California residents. Also applies if you collect data on people who visit your California office or attend events.

Key rules:

  • People have the right to know what data you collect, to delete it, and to opt out of its sale
  • You can't discriminate against people for exercising these rights
  • You must have a privacy policy and respond to data requests within 45 days
  • Data breaches must be disclosed to affected people

For AI: Using data with an AI tool might constitute a "sale" under CCPA if the tool vendor benefits. You need to disclose this and let people opt out.

State Privacy Laws (Virginia, Colorado, Utah, Connecticut, etc.)

Most states are adopting laws similar to CCPA. The requirements vary but generally include:

  • Right to access and delete data
  • Right to opt out of processing
  • Transparency about data practices
  • Data security obligations

For nonprofits: If your beneficiaries or donors span multiple states, assume the strictest rules apply (usually GDPR-equivalent).

Privacy Best Practices for AI Tools

1. Understand Your Vendor's Terms

Before using any AI tool, read the privacy policy and data processing terms. Key questions:

  • Data retention: How long does the vendor keep your data? Can you request deletion?
  • Data use: Does the vendor use your data to train their model or improve their service? (You probably don't want this.)
  • Data sharing: Does the vendor share your data with third parties?
  • Geographic storage: Where is your data stored? Does it leave the jurisdiction of your users?
  • Encryption: Is data encrypted in transit and at rest?
  • Subpoenas: Will the vendor comply with government data requests? Will they notify you?

Red flags:

  • Vendor won't tell you where data is stored
  • Vendor uses your data to train their model without explicit permission
  • Vendor doesn't offer data deletion
  • Vendor stores data indefinitely
  • Vendor doesn't encrypt data

2. Categorize Your Data

Not all data has the same sensitivity. Create categories:

Category 1 (Highly Sensitive):

  • Health and mental health information
  • Beneficiary financial information
  • Social security numbers, birth dates, identification numbers
  • Substance abuse or criminal history

Rule: Never input Category 1 data into any AI tool, even enterprise versions. If you must process this data with AI, use encrypted local systems only.

Category 2 (Sensitive):

  • Donor names, addresses, emails, phone numbers
  • Beneficiary names and demographics
  • Donation amounts and giving history
  • Program participation records

Rule: Use only enterprise AI tools with strong data protection. Better yet, anonymize the data before input. Definitely disclose this use in your privacy policy.

Category 3 (Lower Risk):

  • Aggregated/anonymized data
  • Public information
  • General program descriptions

Rule: Public AI tools are acceptable for this category, but still be thoughtful about what you send.

3. Implement Data Minimization

Only send to AI tools the minimum data necessary.

Example: You want to use AI to draft a thank-you letter. You need: donor name, program supported, gift amount. You don't need: address, phone, email, giving history, demographics. Send only the three fields you need.

Another example: You want to use AI to analyze program feedback. Send feedback text only. Don't include beneficiary names, ages, or identifying details.

4. Anonymize and Pseudonymize

Strip personal identifiers from data before sending to AI tools whenever possible.

Anonymization: Remove all identifying information so data cannot be linked back to an individual. If you anonymize correctly, GDPR and CCPA don't apply (it's no longer "personal data").

Pseudonymization: Replace names/identifying info with codes. Someone who knows the mapping can still identify people, but the AI tool can't.

Example: Instead of "John Smith donated $5,000 to youth mentorship," send to AI: "Donor_001 donated $5000 to mentorship." Keep the mapping (John Smith = Donor_001) in a secure location that the AI tool doesn't have access to.
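The two steps above (send only the fields the task needs, then swap identifiers for codes before anything leaves your systems) can be enforced in code rather than left to whoever is typing the prompt. The following is an added example, not code from this lecture: a field allow-list for the thank-you letter case, a pseudonymizer that mints stable `Donor_001`-style codes and keeps the mapping to itself, and a free-text scrubber for the feedback case. The donor record, the feedback sentence and the email/phone patterns are constructed for illustration; the scrubber only replaces identities it has already been told about plus simple email and phone patterns, so it is a safety net behind minimization, not a substitute for it.

```python
import re
from typing import Dict, Iterable

# Constructed sample record; not a real person.
DONOR_RECORD = {
    "name": "John Smith",
    "address": "12 Example Street",
    "phone": "555-0100",
    "email": "john@example.org",
    "program": "youth mentorship",
    "gift_amount": 5000,
    "giving_history": [1000, 2500],
    "demographics": {"age": 54},
}

# The three fields the thank-you letter actually needs (allow-list).
THANK_YOU_FIELDS = ("name", "program", "gift_amount")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# 7- or 10-digit phone numbers with optional separators. Any other run of
# seven-plus digits would be scrubbed as well, which is the safe direction.
PHONE_RE = re.compile(r"\b(?:\d{3}[-.\s]?)?\d{3}[-.\s]?\d{4}\b")


def minimize(record: Dict, allowed_fields: Iterable[str]) -> Dict:
    """Return a copy holding only the fields the task needs.

    Fields not on the allow-list are dropped silently, so nothing reaches the
    prompt unless the caller named it explicitly.
    """
    return {f: record[f] for f in allowed_fields if f in record}


class Pseudonymizer:
    """Replace identifying values with stable codes such as Donor_001.

    The code-to-value mapping lives only in this object. Persist it somewhere
    the AI tool cannot reach; never store it next to the prompts it protects.
    """

    def __init__(self, prefix: str = "Donor"):
        self.prefix = prefix
        self._code_by_value: Dict[str, str] = {}
        self._value_by_code: Dict[str, str] = {}

    def code_for(self, value) -> str:
        """Return the existing code for a value, or mint the next one."""
        value = str(value)
        if value not in self._code_by_value:
            code = f"{self.prefix}_{len(self._code_by_value) + 1:03d}"
            self._code_by_value[value] = code
            self._value_by_code[code] = value
        return self._code_by_value[value]

    def pseudonymize(self, record: Dict, id_fields: Iterable[str]) -> Dict:
        """Swap the named identifying fields for codes; other fields pass through."""
        out = dict(record)
        for f in id_fields:
            if f in out:
                out[f] = self.code_for(out[f])
        return out

    def reidentify(self, code: str) -> str:
        """Look a code back up; only the holder of the mapping can do this."""
        return self._value_by_code[code]

    def scrub_text(self, text: str) -> str:
        """Replace every known identity, then email/phone patterns, in free text."""
        # Longest values first so "John Smithson" is not half-replaced by "John Smith".
        for value, code in sorted(self._code_by_value.items(), key=lambda kv: -len(kv[0])):
            text = text.replace(value, code)
        text = EMAIL_RE.sub("[email]", text)
        return PHONE_RE.sub("[phone]", text)


def build_thank_you_prompt(record: Dict, pseudo: Pseudonymizer) -> str:
    """Minimize, then pseudonymize, then format: the only string the tool sees."""
    r = pseudo.pseudonymize(minimize(record, THANK_YOU_FIELDS), ("name",))
    return f"{r['name']} donated ${r['gift_amount']} to {r['program']}."


if __name__ == "__main__":
    pseudo = Pseudonymizer()
    print(build_thank_you_prompt(DONOR_RECORD, pseudo))
    # Constructed feedback line for the second example in the text.
    feedback = "John Smith said mentoring helped; contact him at john@example.org or 555-0100."
    print(pseudo.scrub_text(feedback))
    print(pseudo.reidentify("Donor_001"))  # only possible with the mapping in hand
```

Because `code_for` returns the same code every time it sees the same value, a donor who appears in several prompts gets one consistent pseudonym, which is what lets the audit trail later answer questions about that person without ever storing their name.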

5. Create a Data Processing Agreement (DPA)

If you're sending any sensitive data to a vendor, sign a Data Processing Agreement. This document specifies:

  • What data you're sending and why
  • What the vendor can do with the data
  • How long they keep it
  • Your right to audit them
  • What happens if there's a breach

Most enterprise AI tools offer DPAs (ChatGPT Business, Claude Pro, etc.). If a vendor won't sign a DPA, don't send them sensitive data.

6. Keep an AI Data Audit Trail

Document:

  • What data you send to which tools
  • When it was sent
  • Why it was necessary
  • How long it's stored
  • When it's deleted

This matters if regulators ever ask "what happened to John's data?" You can show you handled it responsibly.
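An audit trail is only worth something to a regulator if it cannot be quietly rewritten after the fact, and only safe to keep if it does not itself become another copy of the personal data. The following added example (not code from this lecture) records each transfer by pseudonym, tool, fields, purpose, send date and delete-by date; logs vendor deletions as new entries rather than edits; chains entries with SHA-256 so any alteration is detectable; and answers the "what happened to this person's data?" question by pseudonym, so the name lookup stays with the separately held mapping. The tool name `assumed_enterprise_llm`, the pseudonyms and the dates are constructed placeholders.

```python
import hashlib
import json
from datetime import date, timedelta
from typing import Dict, List

GENESIS_HASH = "0" * 64


def _digest(entry: Dict) -> str:
    """SHA-256 of the entry's canonical JSON (sorted keys, no whitespace)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def _as_date(value) -> date:
    """Accept either a date object or an ISO 8601 string such as 2024-03-01."""
    return date.fromisoformat(value) if isinstance(value, str) else value


class AuditTrail:
    """Append-only, hash-chained record of what data went to which AI tool.

    Every entry carries the digest of the entry before it, so editing or
    removing an earlier entry invalidates every digest after it. People are
    referenced by pseudonym only; the pseudonym-to-name mapping lives elsewhere.
    """

    def __init__(self):
        self.entries: List[Dict] = []

    def _append(self, entry: Dict) -> Dict:
        entry["seq"] = len(self.entries)
        entry["prev_hash"] = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry["hash"] = _digest(entry)  # covers seq, prev_hash and all fields
        self.entries.append(entry)
        return entry

    def record_transfer(self, tool, subjects, fields, purpose, sent_on, retention_days):
        """Log one send: which pseudonyms and fields, to which tool, why, and the delete-by date."""
        sent = _as_date(sent_on)
        return self._append({
            "event": "transfer",
            "tool": tool,
            "subjects": sorted(subjects),
            "fields": sorted(fields),
            "purpose": purpose,
            "sent_on": sent.isoformat(),
            "delete_by": (sent + timedelta(days=retention_days)).isoformat(),
        })

    def record_deletion(self, ref_seq: int, deleted_on):
        """Log a confirmed deletion as a new entry; earlier entries are never edited."""
        if not (0 <= ref_seq < len(self.entries)) or self.entries[ref_seq]["event"] != "transfer":
            raise ValueError(f"seq {ref_seq} is not a transfer entry")
        return self._append({"event": "deletion", "ref_seq": ref_seq,
                             "deleted_on": _as_date(deleted_on).isoformat()})

    def history(self, pseudonym: str) -> List[Dict]:
        """Every transfer involving this pseudonym, plus the deletions that closed them."""
        seqs = {e["seq"] for e in self.entries
                if e["event"] == "transfer" and pseudonym in e["subjects"]}
        return [e for e in self.entries
                if e["seq"] in seqs or (e["event"] == "deletion" and e["ref_seq"] in seqs)]

    def overdue(self, today) -> List[Dict]:
        """Transfers whose delete-by date has passed with no deletion logged."""
        cutoff = _as_date(today).isoformat()  # ISO dates sort correctly as strings
        deleted = {e["ref_seq"] for e in self.entries if e["event"] == "deletion"}
        return [e for e in self.entries if e["event"] == "transfer"
                and e["seq"] not in deleted and e["delete_by"] < cutoff]

    def verify(self) -> bool:
        """Recompute the chain; False means an entry was altered, removed or reordered."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    trail = AuditTrail()
    trail.record_transfer("assumed_enterprise_llm", ["Donor_001"], ["program", "gift_amount"],
                          "thank-you letter draft", "2024-03-01", retention_days=30)
    trail.record_deletion(0, "2024-03-20")
    print(json.dumps(trail.history("Donor_001"), indent=2))
    print("chain intact:", trail.verify(), "overdue:", len(trail.overdue("2024-04-10")))
```

In practice each entry would be appended to a file or table that staff can add to but not modify; `verify()` run on a schedule, and `overdue()` run against the vendor's stated retention period, turn the trail from a record you hope is accurate into one you can check.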

Special Considerations: Health and Sensitive Data

If you're a health nonprofit: HIPAA applies. HIPAA-covered entities can't use public AI tools (ChatGPT, Claude) with patient data. Period. You must use HIPAA-compliant tools.

Some HIPAA-compliant options:

  • Healthcare-specific AI vendors with Business Associate Agreements (BAAs)
  • On-premise AI systems you host yourself
  • Enterprise tools with HIPAA compliance certifications

If you serve vulnerable populations (minors, people with cognitive disabilities, etc.): Assume stricter privacy rules apply. Err on the side of caution. If you're unsure whether an AI tool is appropriate, ask your legal counsel or a privacy expert.

Transparency and Consent

Update your privacy policy to disclose AI use. Specifically mention:

  • Which data you process with AI tools
  • Which tools you use
  • Why you use them
  • What safeguards you have in place
  • People's right to opt out or request deletion

Example language: "We use AI-powered tools to analyze feedback and generate grant proposals. We do not share donor personal information with these tools. All data is encrypted and deleted within 30 days of processing. You can request not to have your data processed by AI tools at any time."

For grant proposals: If a funder requires disclosure of AI use, disclose it. Many funders now ask "did you use AI?" in their applications. Be honest. Most are fine with it as long as you disclose it.

Incident Response: If a Breach Happens

If you discover an AI tool leaked data or you accidentally sent sensitive information to an unsecured tool:

  1. Stop immediately: Stop using that tool and assess the damage.
  2. Document it: What happened, when, what data was affected.
  3. Notify the vendor: Demand they delete the data and explain what happened.
  4. Notify affected people: If it's a serious breach (sensitive data leaked), you're likely required by law to notify people.
  5. Learn and improve: Update your policies to prevent this from happening again.

Practical Compliance Checklist

  ☐ Privacy policy updated to disclose AI use
  ☐ Data categorized by sensitivity
  ☐ Rules in place for what data can go into which tools
  ☐ All vendors handling sensitive data have signed DPAs
  ☐ Enterprise tools used for sensitive data, public tools only for non-sensitive data
  ☐ Data minimization practiced (only send necessary data)
  ☐ Audit trail maintained (who sent what data when)
  ☐ Staff trained on these policies
  ☐ Incident response plan documented
  ☐ Board aware of and has approved this approach

Frequently Asked Questions

Do I need a lawyer to comply with privacy laws?

Ideally yes, but if budget is tight, start with education (like this lecture) and basic practices (data minimization, enterprise tools for sensitive data). As you scale, bring in a lawyer to audit. Most nonprofits can start compliance without legal counsel, then refine with expert guidance.

What if I accidentally sent sensitive data to ChatGPT?

It happens. Stop immediately. Request deletion from OpenAI (they'll honor it). Assess whether anyone else accessed it (probably not). Update your policies to prevent it. If the data was extremely sensitive (health records), consider notifying affected people. Document it for your audit trail.

Is ChatGPT HIPAA-compliant?

ChatGPT Business offers a Business Associate Agreement, but standard ChatGPT is not HIPAA-compliant. If you have HIPAA obligations, use HIPAA-certified tools only. Consult your legal team.

Can we use AI tools to analyze beneficiary data if they consented to the nonprofit processing it?

Depends on your jurisdiction. Under GDPR, you need specific consent for processing through AI tools—general consent to "data processing" isn't enough. Under CCPA, you need to disclose it. Good practice: get explicit opt-in for AI-specific uses.

How do we handle data from minors?

Minors get extra protection under privacy laws. GDPR requires parental consent for anyone under 16. CCPA requires special consent for anyone under 13. If you serve youth, assume strict rules apply to their data. Avoid sending minors' data to AI tools unless absolutely necessary.