Nonprofits attuned to growing legal requirements for data privacy and data security best practices are familiar with a kind of alphabet soup of acronyms: WISP, GDPR, PII, PCI DSS, NIST, and others. Beginning in January of 2020, an important new law and corresponding acronym will significantly alter the data privacy landscape in America. The California Consumer Privacy Act (CCPA) provides extensive protections and requirements for entities doing business in California. While the law doesn’t directly target nonprofits, CCPA impacts most nonprofits’ handling of consumer data, donor information, website user identifiers, and other types of personal information.
Accordingly, nonprofits all over the United States, as well as international nonprofits that partner with California entities, should proactively implement key components of data privacy compliance, such as accurate online disclosures, appropriate user opt-out options, and special care in handling the information of minors. Furthermore, nonprofits should carefully evaluate ways in which certain operations or complex corporate structuring might trigger requirements for particularly strict compliance with CCPA. We also recommend that nonprofits seriously assess the new standards for data handling under CCPA (and other data privacy regimes), even if such statutes do not appear to apply expressly to nonprofit organizations. Through such proactive steps, nonprofits should be well-positioned to act on emerging opportunities related to the security and processing of personally identifiable data in their operations. There is more to be said about each of the above recommendations, but first a bit of recent global context: CCPA's European predecessor and cousin, the EU's GDPR.
GDPR and the “New Data Privacy”
Beginning on May 25, 2018, the global data landscape forever changed with the European Union's implementation and initial enforcement of the General Data Protection Regulation (GDPR). GDPR protects individuals, or "data subjects," within the European Economic Area. The framework introduces a robust system of disclosure and data handling mechanisms to preserve personal data privacy, which the EU treats as a fundamental right of the individual. Entities from all over the world, including nonprofits, are required to comply with GDPR to the extent they process the personal data of people in the EU, for example by offering goods or services to them online or by monitoring their online behavior.
The term "personal data" under GDPR is very broad. Personal data includes any information relating to an identifiable person, that is, a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an email address, an IP address, a device identifier, or other markers of social identity. GDPR fines are onerous: up to 20 million euros, or 4% of annual global revenue, whichever is greater.
As discussed in our prior article on GDPR[1], even nonprofits not conducting substantial operations in the EU may be indirectly impacted by it, because GDPR compliance requirements cascade. That is, GDPR itself requires entities subject to it to bind, by contract, the other entities with whom they share personal data to equivalent protections, and to ensure that transfers of personal data outside the EU are adequately protected. Thus, the EU has very quickly drawn much of the global information community, including nonprofits, into GDPR compliance. Compliance requirements under GDPR vary, but generally entities must take steps to ensure personal data is processed, stored, and transferred with sufficient protection.
Should nonprofits take seriously requirements stemming from GDPR? Absolutely. Google, Amazon, and other major companies have already faced enforcement actions or complaints under GDPR. Nonprofits ignoring the requirements of GDPR may be taking on considerable legal risk. Furthermore, GDPR is an important marker on the rapidly accelerating path toward increased data privacy legislation. Nonprofits are well-advised to act in concert with the "new normal" in data privacy law, and be responsive to GDPR, to other privacy-related laws,[2] and now, especially, to CCPA.
CCPA: GDPR’s California cousin
Mirroring EU data privacy efforts, California quickly followed suit in June 2018 and adopted the California Consumer Privacy Act (CCPA), effective January 1, 2020. As GDPR did in the European context, the new statute expands California residents' rights to privacy and control of their personal information. Specifically, CCPA provides California residents, and their households, the following rights:
- to know what personal information is being collected about them,
- to know whether that information is being sold or disclosed and to whom,
- to decline the sale of their personal information,
- to access their personal information,
- to request deletion of personal information a business has collected from them, and
- to equality in provider services and pricing even if they exercise these additional privacy rights.
Under CCPA, consumers will enjoy significant control over the ways in which larger for-profit businesses use their data. These expanded rights to data control are largely in line with GDPR's objectives. However, the California law differs from its European cousin in several important ways:
- Under CCPA, not only individuals, but also households are considered identifiable entities. GDPR’s focus is on individuals only.
- The scope of CCPA is narrower than that of GDPR, which targets any entity processing the data of individuals in the European Economic Area. CCPA, on the other hand, targets larger corporations doing business in California. Specifically, to be subject to CCPA, the entity must be a business that:
- Has gross revenues in excess of $25 million;
- Annually buys, receives, sells, or shares the personal information of at least 50,000 consumers, households, or devices; or
- Derives at least 50% of its annual revenues from selling consumers’ personal information.
- CCPA provides stronger protection for minors' information, requiring affirmative (opt-in) consent before the personal information of a consumer under 16 may be sold.
- GDPR provides data subjects with greater control over their personal information, including rights to correct and modify data.
- Under both GDPR and CCPA, users hold certain opt-out rights, but the rights affected differ under each regime. CCPA's opt-out concerns the sale of personal information, whereas GDPR's right to object covers, among other things, processing for direct marketing, to which a data subject may object at any time.
Applicability to Nonprofits?
As discussed above, CCPA is strictly applicable to “businesses,” which are defined generally as operating “for-profit.”[3] At first blush, it would appear that CCPA is not relevant to nonprofit organizations. However, while CCPA does not expressly require nonprofits to comply with its data privacy framework, prudent nonprofits should recognize that the new statute presents opportunities and even obligations for nonprofit entities in the new data privacy world.
- Contracts. Like the cascading effect of GDPR, it is likely that entities complying with CCPA will also require contracting entities to comply, even nonprofits. In such cases, the agreement between the entities will likely require the nonprofit to abide by the for-profit’s CCPA-compliant data collection and retention policies in order to enable the for-profit entity to abide by the regulation’s requirements. The for-profit may even request that data be provided in particular ways that fit within its own data structures.
- Subsidiaries. A nonprofit may control a for-profit subsidiary which is subject to the CCPA. In this scenario, the nonprofit or the subsidiary itself will need to develop and implement CCPA-compliant policies and protocols for the data collected by and for the for-profit subsidiary. Nonprofits that obtain data from such subsidiaries must be especially vigilant to ensure that their data use and retention protocols can allow the subsidiary to remain CCPA-compliant, especially with respect to its obligations to safeguard consumer data from third-parties.
- Joint Ventures. A nonprofit may enter into a joint venture with a for-profit entity which is subject to the CCPA. In this scenario, both the nonprofit and the for-profit entity will likely need to agree on how data will be collected, stored, used, retained, or deleted. Then as revenue is generated by their efforts, the nonprofit will bear some responsibility to ensure that CCPA-compliant data privacy protocols are developed and respected during the course of the collaboration, all the while honoring its commitments as a nonprofit to its charitable or other exempt purposes.
- Best Practices. In less than a year, the provisions of GDPR have established a new privacy and security standard for data-processing entities, nonprofit and for-profit alike. Businesses cannot afford not to be in compliance, since failure to comply with GDPR limits access to clients, resources, partners, business opportunities, and the revenues generated from them. Similarly, CCPA, because of the statute's sweeping nature and California's economic prominence, stands to become the benchmark for operational data privacy protocols, whether in the nonprofit or the for-profit sector. Nonprofits will find it increasingly desirable to demonstrate their CCPA compliance in order to maximize their opportunities in furtherance of their charitable purposes. Nonprofits adopting a proactive posture toward CCPA compliance position themselves well for such opportunities.
- Substantial commercial activities. Certain types of nonprofits, such as mutual benefit corporations -- nonprofits that exist for the benefit of the corporations’ members -- might be subject to CCPA’s requirements. Such corporations sometimes conduct large-scale revenue-generating activities of a commercial nature. Members of the mutual benefit corporations may have legal rights to the assets that are for the “financial benefit of its … other owners” and so trigger compliance under CCPA. For example, nonprofits holding municipal licenses to operate cannabis-oriented businesses in California could meet the private financial benefit requirement and generate sufficient revenues to qualify as “businesses” under the new law.
Recommended Nonprofit Actions
As discussed above, the data privacy trend is clear. GDPR, CCPA, and similar laws are likely to become the standard for "best practices" in handling personal data, in both for-profit and nonprofit contexts. The new data privacy milieu will enshrine greater consumer data privacy regulation, with nonprofits increasingly affected. Indeed, in light of CCPA, nonprofits would do well to evaluate and modify their data handling practices in a few specific areas:
- Disclosures. Nonprofits need to develop accurate online disclosures of specific ways in which they use personal data, and the legitimate business reasons for the use of such personal information. Online privacy policies should be regularly updated to accurately reflect organizational handling of personal information.
- Opt-Out. As discussed above, GDPR and CCPA differ on the legal rights implicated in their opt-out provisions. Nonprofits should assess the degree to which their operations affect individuals in the EU and California residents in order to implement appropriate opt-out opportunities for users.
- Children. Both CCPA and GDPR provide for special notice and handling requirements for children's data, with differing requirements at age 13 and age 16 thresholds. Nonprofits are generally well-advised to exercise special care in handling the information of children, but especially under these new laws.
- Self-Assessment. While nonprofits are not strictly subject to CCPA, as discussed above, there are numerous legal contexts which could implicate legal requirements for nonprofits. Nonprofits should, in concert with qualified counsel, assess the degree to which their structures and activities may trigger CCPA and GDPR legal compliance obligations.
In addition to the above specific recommendations, nonprofits are well-advised to review their overall approach to the receipt, storage, processing, and transmission of data. In view of emergent data privacy momentum, nonprofits should address increased compliance obligations through Written Information Security Programs ("WISPs")[4] and related strategies.
- Data Control. Update and reorient data collection, retention, and deletion policies and protocols toward protection of consumer/donor/user data and toward empowering those individuals to control its use.
- Data Protection Assessment. Assess how digital information is collected and stored, and ensure that all related and requested records could easily be located, transferred, or deleted when necessary.
- Prioritize Data Protection. Start viewing data privacy regulations and cybersecurity best practices as aspects of the operational landscape, to the same degree as corporate and tax laws and physical building and personnel security requirements.
These recommendations are consistent with well-structured data collection, data retention, and privacy policies, and should be accompanied by the appropriate policies and procedures. Cybersecurity and other considerations like data storage and communication encryption, data portability, and data breach responsiveness should be proactively addressed, in anticipation of greater scrutiny and legislative regulation over consumer data. Adopting such “best practices” approaches should help organizations exercise effective protection of sensitive data, wise stewardship, and avoidance of costly penalties.
[1] For more information, please see here.
[2] E.g., the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM, which governs the use of commercial email and provides rules for commercial messages); the Health Insurance Portability and Accountability Act (HIPAA, which provides for heightened security and data handling protocols related to medical information); and the Children's Online Privacy Protection Act (COPPA, which addresses protection of children's internet privacy).
[3] The statute specifically provides, in pertinent part, that a business is a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners…” Cal. Civ. Code § 1798.140 (West).