How can nonprofit leaders best comply with legal parameters for using artificial intelligence as part of their operations? As the world acclimates to ethical and regulated use of artificial intelligence, decisions may be heavily informed by U.S. and international data privacy requirements and related developments. W&O partner Paul Winters addressed these legal considerations in depth at Batts Morrison Wales & Lee’s 2024 National Nonprofit Conference.
BMWL is a CPA firm exclusively serving nonprofit organizations and their leaders. BMWL’s annual conference provides nonprofit executives with a full day of presentations, packed with relevant, up-to-the-minute information. Each year, the conference positions nonprofit leaders to effectively address tax, financial, and regulatory developments that impact the nonprofit sector.
Nonprofit AI Overview
As Paul explained during his presentation, Legal Considerations for Using AI in the Workplace and a Brief Data Privacy Law Update, using artificial intelligence provides many opportunities as well as challenges. AI is essentially a tool, available to be used for good or for bad, and therefore also with accompanying risk mitigation and other precautionary aspects. AI now plays an increasing role in improving nonprofit efficiency, such as to automate repetitive data entry tasks, donation processing, and email responses, consequently freeing up staff to focus on more strategic program activities. Additionally, AI can enhance a nonprofit’s outreach, such as through analyzing large datasets to identify potential donors and volunteers, predict donation patterns, and personalize communication strategies to increase engagement. Other options and opportunities abound, confined only by nonprofit workers’ strategic insights.
Nonprofits thus need to stay current with technological advancements, particularly to attract funding and increase their visibility. Nonprofits also may use AI to enhance transparency, accountability, and efficiency with their donors. AI is likely good future proofing too: adopting AI and other technologies may prepare nonprofits well for long-term sustainability and growth. The potential good to be accomplished through AI’s usefulness goes on, such as to improve a nonprofit’s mission-driven activities through more personalized services, more effective data-driven decision-making, and scalability.
AI and Data Privacy Legal Issues
Along with all this good news comes legal risks and vulnerabilities, and there are many! Among the areas Paul addressed in his presentation are intellectual property infringement claims, age-related or other employment discrimination issues such as arising from AI screening, and litigation issues arising from faulty AI-related research.
Additionally, a fast-evolving and extensive legal framework applies to AI usage, including the following:
1. The General Data Protection Regulation (GDPR) has strict rules for protecting personal data within the EU, which directly impacts how AI systems handle such data. For example, the data minimization principle requires AI to use only the data necessary for its purpose. The GDPR also requires explicit consent from individuals to process their personal data, including data used by AI systems.
2. The EU Artificial Intelligence Act was adopted March 13, 2024, is effective August 1, 2024, and with enforcement beginning August 2, 2026. The EU AI Act aims to regulate AI technologies to ensure they are safe, ethical, and respect fundamental rights, with varying assignments of “unacceptable,” “high,” “limited,” and “low/minimal” risk and accompanying regulatory requirements.
3. Existing U.S. privacy laws, such as the California Consumer Privacy Act (CCPA), emphasize data minimization, requiring organizations to collect only the data necessary for their purposes. AI systems thus must be designed to minimize data collection and processing. Additional consent requirements and related mechanisms apply, for AI usage and otherwise, which are robust and easily accessible to users.
4. New AI laws such as in Colorado and Utah focus on transparency, accountability, and consumer protection. For example, on March 13, 2024, the Utah Artificial Intelligence Policy Act (UAIPA) became law, effective May 1, 2024. The UAIPA contains a list of required steps, prohibitions, and penalties related to generative AI usage. In Colorado, its SB205 became law - effective February 1, 2026. This legislation focuses on "high-risk AI systems" and mandates developers and deployers to use reasonable care to prevent algorithmic discrimination, with a rebuttable presumption of care if certain criteria are met
Nonprofit AI Best Practices
What are some best practices for nonprofit legal compliance, in connection with using AI? Training staff is a must. Developing clear limitations on AI usage is essential too. Intellectual property compliance must be considered too, particularly to avoid copyright or trademark infringement. Other protocols and safeguards may be important too, especially to provide warranted accountability, to protect confidentiality of sensitive information, and to address related data retention aspects.
These safeguards are critical not only in connection with AI usage, but also more broadly because of the recent surge in U.S. data privacy laws. Nearly 20 state laws now protect consumers' personal information. Notably, no nonprofit exemptions are available under many states (e.g., Oregon, Colorado, Minnesota, Maryland, Delaware, New Jersey), and only limited nonprofit exemptions are available in other states (e.g., Texas, Iowa, Montana, Indiana). Such state data privacy laws are particularly relevant to AI because these technologies often process large amounts of personal data. Several requirements apply to user control over personally identifiable information (PII) and other aspects of PII.
Learning More
To learn more about AI and data privacy, listen to an engaging deeper dive into the content through Paul’s presentation here, provided with permission from BMWL. For nonprofits seeking sample AI Usage Policy language, please contact corporate@wagenmakerlaw.com to request a copy from W&O. Nonprofit leaders are wise to also seek legal guidance for their nonprofit’s desired use of AI, geographical location, and risk profile.
Our law firm is grateful to co-labor with BMWL in advocacy and support of nonprofits across the nation. Those interested to learn more from BMWL may subscribe online for BMWL’s updates, as well as attend its 2025 virtual national conference too.
