If you’re a U.S.-based nonprofit, you have likely heard of the California Consumer Privacy Act (CCPA). Maybe you’ve even kept tabs on the latest changes to the CCPA.
However, according to a recent poll conducted by the Direct Marketing Fundraisers Association (DMFA) and The Nonprofit Alliance (TNPA), less than 1% of the 350 surveyed answered that they were an expert in the new data privacy law. In fact, 20% said they had made no changes to their data compliance in preparation for the law, which went into effect Jan. 1, 2020.
The CCPA is the United States’ first big push for data privacy. Like data privacy laws in Canada (CASL) and Europe (GDPR), the CCPA’s goal is to inform users at the point of data collection about what is being collected and why it is necessary in the marketplace.
Unlike CASL and GDPR, the CCPA is not a national law. It only applies to California – however, its effects will be felt by many outside the Golden State.
It is also important to note that the CCPA does not ban or prohibit the collection, use or sale of consumer data. The law requires organizations to inform consumers about how their data is used and to provide a way to “opt out” of data collection.
You may have heard that nonprofits are exempt from the CCPA, but that doesn’t mean your organization can simply ignore this law. That’s why we talked to an expert in nonprofit data privacy — Shannon McCracken, the CEO of TNPA — to get into the key details on this hot topic.
Let’s dive in.
1. There is a change in expectation from consumers.
Expect that consumers and donors will be looking for more access, control and transparency into how their data is being used -- by everyone. So, the California law may not specifically cover nonprofits, but we must anticipate that consumers will have more questions and expectations and be prepared to respond appropriately.
2. Although nonprofits are exempt, our consumer data sources and third-party direct marketing sources are not exempt.
Just because they are serving nonprofit clients doesn’t give them a free pass. Nonprofits should anticipate potential additional costs to cover compliance requirements by our partners/vendors, additional time constrictions, and changes in the way the data is being managed. Some data sources may shrink or change.
CCPA is “opt out” whereas General Data Protection Regulation (GDPR) and the Canadian Anti-Spam Law (CASL) are both “opt in.” GDPR and CASL focus solely on electronic messages, whereas CCPA is focused on the entirety of collecting, consuming and using data.
There are similar laws popping up in other states. That’s something to keep an eye on. Maine, Illinois, and Nevada passed new laws in 2019, and 21 others had privacy related bills that didn’t pass and will likely resurface in 2020.
California’s model will become a blueprint for other states, but it doesn’t mean that other states are going to pick it up identically. Tightening up all your best practices will make compliance with future iterations of privacy laws easier.
Six amendments made it through the California Legislature and were signed into law by the Governor. You can read about those updates here.
A new ballot initiative called the California Privacy Rights Act (CPRA) aims to build on top of the CCPA and has gathered enough signatures to appear on the fall 2020 ballot. The CCPA law that went into effect on Jan. 1 is by no means “final.” More like “final for now,” with much more debate to come.
For CCPA specifically, nonprofits are exempt. Therefore, the responsibility is on businesses that are covered by the law, including all vendors, providers and agencies. Going forward, we can expect greater clarity on the party with the consumer relationship having direct or indirect responsibility for managing consumer requests, and much of that will need to be explicitly spelled out in partner/vendor service agreements.
If you are wanting more information on how to prepare for the upcoming privacy changes, check out our CCPA to-do list:
Check out these related pieces:
Note: The above content is informative in nature and is not intended as legal advice. As a company that provides professional fundraising consulting services, we retain counsel to ensure compliance with fundraising laws in each applicable state. Questions related to the California Consumer Privacy Act of 2019 (CCPA) for U.S.-based nonprofits should be directed to counsel that is competent to address such matters.