California’s data privacy law and non-profits
California’s data privacy law–the California Consumer Privacy Act (CCPA)–went into effect in January 2020. Many nonprofits are unsure about what this means for them, and how all of this relates to GDPR and what changes their organizations need to make. Here is some analysis that might help.
Is the California law applicable to non-profits?
Analysis of the bill provided by the International Association of Privacy Professionals (IAPP) indicates the law is applicable to for-profits meeting certain criteria but is probably not applicable to non-profits.
As IAPP puts it:
The law defines the term “business” as a for-profit legal entity that collects consumers’ personal information and does business in the state of California. For purposes of our analysis, we assume that this law does not apply to nonprofit entities, although that is not entirely clear from the definition. We also assume, consistent with well-established jurisprudence on long-arm jurisdiction, that “doing business” in California applies to companies that sell goods or services to California residents even if the business is not physically located in the state.
Analysts from Proskauer Rose LLP are more definite that the bill is not applicable to nonprofits, stating:
…not-for-profits, small companies, and/or those that do not traffic in large amounts of personal information, and do not share a brand with an affiliate who is covered by the Act, will not have to comply with the Act.
Who does the law apply to?
The law does not apply to any business that doesn’t meet certain thresholds. According to IAPP, a business must meet at least one of the following criteria:
- Have $25 million or more in annual revenue.
- Possess the personal data of more than 50,000 “consumers, households, or devices”.
- Earn more than half of its annual revenue selling consumers’ personal data.
So now that we know to whom the law applies, what does the law actually provide as new rights to California residents? Again, from IAPP:
The new act, which provides California residents with new rights, including a right to transparency about data collection, a right to be forgotten, a right to data portability, and a right to opt out of having their data sold (opt in, for minors), applies to businesses that collect consumers’ personal information, as well as to those that sell consumers’ personal information or disclose it for a “business purpose.”
Changing organizational behaviors
The California legislation, along with GDPR, shifts the landscape of constituent expectations for how nonprofits will behave—based on their experience with businesses that ARE subject to the law. To respond to this, many nonprofits have taken care to bolster their transparency regarding the data they collect from and about constituents, as well as how they use that data. This has primarily meant being more clear to website users about cookie utilization, taking greater care in allowing constituents to control how and when they want to be contacted, and updating their privacy policies.
That may seem like nonprofits are callous to proper care of constituent data, and in some rare cases that might be true. But the reality is that the majority of nonprofits lack the knowledge and resources to take data privacy and security steps beyond a certain point. The only thing many nonprofits feel they can do is assume their current system/software providers will shoulder the load of making systems secure and providing the appropriate constituent records management features–and then purchase or increase their cyber insurance.
Neither Peter Mirus nor Build Consulting are legal experts on California’s data privacy law. Readers should consult their own legal advisers.