As companies begin complying with California’s statewide privacy law, some nonprofits are keeping an eye on how the new legislation could change how they use data to raise money and promote their missions online.
The California Consumer Privacy Act, which took effect January 1, establishes new privacy standards for for-profit entities operating in the state. While nonprofits are not covered by the law, the marketing companies that many large groups hire to work on direct-marketing appeals and other communications do have to comply.
California consumers now have a legal right to ask such companies to delete most personal data they hold about them and to forbid companies from transferring their personal data to a third party. Companies that collect such data are required to post a privacy policy or other notice that explains to consumers what information they gather about them, how they get it, and how they will use it. The law bars companies from discriminating against consumers who claim these new rights, such as by refusing them service or charging them different rates from other consumers.
In light of the California law, Feeding America, the national anti-hunger charity, is making changes to its privacy policy and looking into how the direct-marketing agencies it hires may change their work to meet the new standards.
Data privacy is critical to positive donor relations, says Elizabeth Nielsen, senior vice president for digital and direct marketing at Feeding America. And while the nonprofit isn’t subject to the law, Nielsen says her group wants to be ready to meet the kind of requests consumers are entitled to make of businesses under the California law. That means working “to understand the data we have, how it was sourced, and to honor requests for deletion as best as possible,” she says.
Concerns About Costs
Some nonprofits and direct-marketing groups contend that companies that sell third-party data will see increased costs as they comply with the law and that those costs could mean higher fees for clients. The Nonprofit Alliance — whose members include direct-marketing companies and nonprofits — is among the loudest voices expressing this view. Its members include big charities like Special Olympics, the Sierra Club, and the American Heart Association, which hire direct-marketing firms to help them raise money.
“The Nonprofit Alliance members are larger organizations, more likely to be reliant on direct marketing for a substantial part of our unrestricted revenue driving our programs,” says Shannon McCracken, chief executive of the group. The association worries that some of the costs of complying with the California law could transfer to third-party data providers’ nonprofit clients, making those providers’ services unaffordable for its members.
The ANA Nonprofit Federation, has similar concerns. The association, which also counts both nonprofits and for-profits among its members, is concerned that fundraising organizations could have less access to data that helps them identify new prospects. “This jeopardizes the future growth of charities and charitable giving in California,” the association wrote in an online summary of its stance on the law.
Many nonprofits also use personal data for prospect research. Apra, an association of prospect researchers, anticipates that the law will change the strategy and resources nonprofits can use to find new donors because it regulates companies that provide third-party data and analytics technology. “Many California nonprofits are already adhering to [California Consumer Privacy Act] compliance guidelines, assuming that such regulations will apply to nonprofit organizations eventually,” Apra said in a comment.
The California Association of Nonprofits, also known as CalNonprofits, has been monitoring the legislation but has not taken a stance in support or in opposition. “We have heard from some of the direct-marketing consultants that they’re concerned, they’re very worried about this, and they feel it could have a big impact on nonprofits. But we have not heard that concern from our nonprofit members themselves,” says Nancy Berlin, who recently left her role as CalNonprofits’ policy director at the end of the year.
One likely reason the group’s members aren’t concerned about the legislation is that most aren’t big enough to rely on contracts with direct marketers to raise money. “Most small to midsize nonprofits don’t use those kinds of consultants to do that,” Berlin says.
Other States
It seems unlikely that the California Consumer Protection Act will be the last law of its kind. Vermont introduced stricter regulations on data brokers last year, and the Texas legislature considered two similar bills during this year’s legislative session. The California law is a part of this trend of consumers becoming more protective of how their personal information is used and stored online, according Nate Garhart, special counsel at Farella Braun & Martel. “These laws are coming,” he says.
Garhart advises nonprofits to get out ahead of any forthcoming privacy regulations by taking stock of the data they collect and how they use it. If future legislation explicitly applies to nonprofits, they shouldn’t be caught flat-footed “because they unrealistically took the position that all of this would go away,” he says.
Many charities with European donors and supporters have already done such self-assessments to comply with the European Union’s General Data Protection Regulation, often called the GDPR.
Global Brigades USA, an international health-services nonprofit, is one such group. The chief legal officer and director of technology audited the personal information the group collected around the world to determine whether it met “a legitimate business purpose.”
That review changed the way the organization stored data. For example, the audit found that the nonprofit kept dietary information on volunteers that was unnecessary to store after the volunteers finished their program work. “Things like that we would destroy or erase,” says Pallav Vora, chief legal officer.
Global Brigades USA also overhauled its website’s privacy policy to meet the GDPR standards. The whole process took four months, according to Vora.
Global Brigades USA, whose headquarters is in Fresno, Calif., does not expect that it will need to change its data-collection processes because of the state’s new data privacy law. Even so, Vora says, Global Brigades USA is in a good place to keep up with consumers’ changing expectations for data privacy because it already complies with the GDPR. “Laws like the [California Consumer Privacy Act] and the GDPR are becoming the rule rather than the exception,” he says.
Most nonprofit observers seem to agree with Vora’s assessment.
Still, the debate over how nonprofits should handle privacy demands will be sure to last well into the early part of the new decade. “We are saying, ‘Yes, privacy regulation, but let’s do it reasonably,’” says McCracken of the Nonprofit Alliance. Rather than a patchwork of differing state laws, the group wants “a single, uniform standard” with regulations to handle “sensitive personal data,” like the sale of a child’s personal information, and “nonsensitive data,” such as information about a person’s religious beliefs that a religious nonprofit may use in good faith to reach new supporters, McCracken wrote in an email.
Berlin at CalNonprofits stresses how the California privacy law reflects a changing society. “Donor privacy and consumer privacy is an important social issue,” she says. As nonprofits evaluate the law, Berlin says, they should consider their own role in meeting evolving societal expectations about privacy. “You don’t want to be on the wrong side of history on some of this stuff.”