Since the introduction of the European Union’s (EU) General Data Protection Regulation (GDPR) in 2018, the privacy rights afforded to individuals have rapidly expanded across the world in general and in the United States in particular. There have been 13 state privacy laws signed since the GDPR took effect and this number is rapidly increasing as more states recognize individuals’ right to exercise greater control over their personal information. While nonprofit organizations (NPOs) are largely exempt from many of the obligations imposed domestically, there are several steps that should be taken to address international responsibilities and the continually changing privacy landscape.
In addition to the list of U.S. legislation depicted below, there are more than 25 data privacy or protection bills in committee across 11 states at press time. This momentum will continue to push the introduction and implementation of privacy laws across the U.S. While these laws are not explicitly regulating the processing of personal data, there are generally recognized responsibilities concerning donor information that NPOs should address. This ambiguity can confuse the appropriate categorization of an NPO. The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) for example, contains an additional definition of “business” that may impact NPOs that share common branding with a for-profit business or are controlled by a business through director elections, management decisions or voting power. These factors can pose significant risk to NPOs' compliance requirements.
State |
Signed |
Effective |
California |
2018 (Amended 2020) |
Jan. 1, 2020 (Amended 2023) |
Colorado |
2021 |
July 1, 2023 |
Connecticut |
2022 |
July 1, 2023 |
Delaware |
2023 |
Jan. 1, 2025 |
Indiana |
2023 |
Jan. 1, 2026 |
Iowa |
2023 |
Jan. 1, 2025 |
Montana |
2023 |
Oct. 1, 2024 |
New Jersey |
2024 |
Jan. 15, 2025 |
Oregon |
2023 |
July 1, 2024 |
Tennessee |
2023 |
July 1, 2025 |
Texas |
2023 |
July 1, 2024 |
Utah |
2022 |
Dec. 21, 2023 |
Virginia |
2021 |
Jan. 1, 2023 |
*Current as of Jan. 31, 2024
While the individual rights afforded to residents differ by state, the following rights are generally included:
These rights are not only dependent on the state where a data subject resides, but also the sensitivity of the data involved in the processing.
Unlike U.S. state privacy laws, global privacy laws apply to entities that process the personal data of their residents. The EU GDPR, for example, defines applicable entities as either “Controllers” or “Processors.” Controllers are individuals or entities that determine the purposes and means of processing, whereas Processors are individuals or entities that process personal data on behalf of the Controller. NPOs should be aware of the following conditions that would make the EU GDPR applicable to their organization:
Once an NPO is considered a Controller under the GDPR, there are certain obligations that must be met to become compliant and avoid fines by the supervisory authorities of EU countries. One critical obligation is the fulfillment of data subject rights. The fulfillment of these rights begins with the transparent communication of them to the data subject. A response must also be provided to the data subject within a calendar month (30 days). These rights include the following:
These rights can pose a serious challenge to NPOs. One of the most efficient methods of addressing this challenge is through the development and implementation of policies and procedures to efficiently address these obligations. These policies and procedures manage the end-to-end fulfillment of the data subject rights requests from intake and ID verification to the appropriate response and completion of the request. By operationalizing the process of fulfilling any rights requests received, NPOs can reduce the risk of noncompliance which can carry significant financial penalties.
Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com