The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020, and while this new law does not specifically target nonprofits, it is likely to impact every consumer-facing entity that handles consumer data like donor information, secure log-ins, and other kinds of personal information.
Consumer Rights Under CCPA
The CCPA provides California residents with expanded control of their personal information and privacy rights. It applies not only to individuals but also to households. Specifically, this law gives Californians the right to:
- Know what kind of personal information is being collected about them.
- Know whether their information is being sold or disclosed and to whom.
- Request the deletion of their personal information by the entity that collected it.
- Decline the sale of their personal information to third parties.
- Have access to their own personal information.
- Equality in pricing and services when exercising a privacy right under CCPA.
The CCPA applies to businesses for which one or more of the following are true:
- Has gross annual revenues of more than $25 million.
- Buys, sells, receives, or shares the personal information of at least 50,000 consumers, households, or devices annually.
- Gets 50% or more of its annual revenue from selling consumers’ personal information.
CCPA Applicability to Nonprofits
Since the CCPA is strictly applicable to businesses that are defined as for-profit entities, nonprofits may believe this new data privacy law does not apply to their operations. However, while the CCPA does not expressly require compliance by nonprofits, it would be prudent for nonprofits to recognize that there may be some obligations when it comes to data privacy:
If a nonprofit has a for-profit subsidiary. Any for-profit subsidiary that is controlled by a nonprofit and meets the applicability standards for CCPA regulation will need to develop policies and procedures for data collection that ensure the for-profit subsidiary remains CCPA-compliant.
If a nonprofit has contractual relationships with for-profit entities. It is likely that businesses complying with CCPA will also require compliance by contracting entities, including nonprofits. This may require some nonprofits to comply with a business’s data collection and privacy policies or other standards the business implements to comply.
If a nonprofit engages in commercial activity. Not every nonprofit is a charity, and certain types of nonprofits may be subject to CCPA requirements. For example, a nonprofit mutual benefit corporation, which operates for the benefit of its members, could be subject to CCPA if its revenue-generating activities are significant enough to trigger CCPA compliance. In addition, nonprofits with a license to operate a cannabis business in California could generate sufficient revenues to qualify as a business under CCPA.
If a nonprofit enters into a joint venture. A joint venture between a nonprofit and a for-profit entity subject to CCPA could trigger the need for both organizations to develop and implement policies and procedures to comply with data privacy requirements.
Preparing Nonprofits for the Future of Data Privacy
Data privacy laws are becoming more prevalent and CCPA has set a new standard for handling the personal data of consumers. It is likely that this trend will continue, and nonprofits that take a proactive approach to implementing best practices in data privacy will position themselves well for the future.
Nonprofits should evaluate their current data handling procedures, with an emphasis on:
Disclosures — nonprofit websites should have updated online privacy policies that include disclosures on the specific ways they handle personal information.
Children — the CCPA requires that children under the age of 13 have a parent or guardian consent to the sale of personal information, and that children under the age of 16 be provided with an opt-in option to consent. Nonprofits should always exercise special care in handling the information of children.
Data control — nonprofits should orient their data collection and retention policies toward protection of consumer privacy, empowering consumers as much as possible to control the use of their data.
Data protection — nonprofits should conduct an assessment of how they are gathering and storing consumer information to ensure that these records can be easily located, transferred or deleted if necessary.
The Church Law Center of California advises churches and other nonprofits on how to protect themselves from risk while furthering their mission. Call us today at (949) 689-0437 or reach out to us through our contact page.