Does California’s new data privacy law apply to non-profits?
I’ve been doing a little bit of research on the recently passed California Consumer Privacy Act of 2018. I was most interested in learning whether or not it applies to nonprofits. Seems like a good place to start, right?
Analysis of the bill provided by the International Association of Privacy Professionals (IAPP) indicates the law is applicable to for-profits meeting certain criteria but is probably not applicable to non-profits.
As IAPP puts it:
The law defines the term “business” as a for-profit legal entity that collects consumers’ personal information and does business in the state of California. For purposes of our analysis, we assume that this law does not apply to nonprofit entities, although that is not entirely clear from the definition. We also assume, consistent with well-established jurisprudence on long-arm jurisdiction, that “doing business” in California applies to companies that sell goods or services to California residents even if the business is not physically located in the state.
Analysts from Proskauer Rose LLP are more definite that the bill is not applicable to nonprofits, stating:
…not-for-profits, small companies, and/or those that do not traffic in large amounts of personal information, and do not share a brand with an affiliate who is covered by the Act, will not have to comply with the Act.
The law does not apply to any business that doesn’t meet certain thresholds. According to IAPP, a business must meet at least one of the following criteria:
- Have $25 million or more in annual revenue.
- Possess the personal data of more than 50,000 “consumers, households, or devices”.
- Earn more than half of its annual revenue selling consumers’ personal data.
So now that we know to whom the law applies, what does the law actually provide as new rights to California residents? Again, from IAPP:
The new act, which provides California residents with new rights, including a right to transparency about data collection, a right to be forgotten, a right to data portability, and a right to opt out of having their data sold (opt in, for minors), applies to businesses that collect consumers’ personal information, as well as to those that sell consumers’ personal information or disclose it for a “business purpose.”
My interest is now shifting to answering these more long-term questions for our nonprofit clients:
- How this legislation, along with GDPR, shifts the landscape of constituent expectations for how nonprofits will behave—based on their experience with businesses that ARE subject to the law.
- What new technology features will be created in CRM platforms, and other systems managing constituent data, to help organizations more easily be compliant with current and future privacy laws.
Neither Peter Mirus nor Build Consulting are legal experts. Readers should consult their own legal advisors.