For nonprofits carrying out online activities, data privacy legal compliance looms as a complex and rapidly evolving challenge—one that now extends beyond traditional fundraising practices to include donor data management, employee records, and online engagement tools. Several new state data privacy laws take effect this year that impact nonprofits. As more states adopt comprehensive privacy frameworks, nonprofit leaders need to know how these laws apply and what practical steps will help keep their organizations legally compliant.
Overview
Unlike international privacy law, which is shaped by comprehensive national frameworks, such as the EU’s General Data Protection Regulation (GDPR), US regulation of data privacy has historically been accomplished through a patchwork of case-specific federal statutes and individual state statutes.
Since publication of our law firm’s comprehensive article on this topic in August 2023, state-level data privacy laws have continued to evolve rapidly. Recently, seven states have adopted comprehensive data privacy laws (Rhode Island, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, and New Jersey), making a total of eighteen states that have done so in the past four years. Of these eighteen states, Colorado, Delaware, Maryland, Minnesota, New Jersey, and Oregon offer virtually no nonprofit exemptions under their respective statutes, and other state exemptions may be less inclusive than expected.
The new laws potentially impact nonprofit website operations and nonprofits’ handling of wide-ranging personally identifiable information (PII) including donor information, program participants, charitable beneficiaries, employee information, contact information, and other online outreach information. Part I of this article summarizes the various factors affecting the applicability of state data privacy laws to nonprofits generally. Part II analyzes the seven newest state statutes and notable aspects of each. Part III provides practical insights and related guidance for legal compliance, risk management, and protection against reputational harm.
Part I. Applicability to Nonprofits
Determining whether a state data privacy law applies to a nonprofit organization is often the first—and sometimes most confusing—step in the compliance process. While many state data privacy statutes provide exemptions for nonprofits, some provide no exemption at all or else an exemption so narrow that most nonprofits will still be subject to the statute. Colorado, Oregon, and New Jersey provide no exemption from their data privacy laws for nonprofits, and the exemptions provided by Delaware and by Minnesota are quite narrow. In states that do provide exemptions for nonprofits, there are additional factors impacting applicability as discussed below.
1. Definition of “Nonprofit”
Specific for each applicable state law, the legal definition of “nonprofit” should be evaluated. Notably, states may define “nonprofit” with reference to the entity’s federal tax exemption under certain subsections of 501(c) of the Internal Revenue Code (IRC), rather than relying on the entity’s state classification as a nonprofit corporation. For example, social welfare organizations described under IRC Section 501(c)(4) are not considered “nonprofit” for the purposes of statutory exemption under New Hampshire’s statute, nor under Nebraska’s statute unless they are established specifically to detect or prevent insurance-related crime or fraud. To determine the applicability of specific state data privacy laws and any exemptions, nonprofits must first determine whether a state defines their specific entity as “nonprofit.”
2. State of Formation
Some states’ nonprofit exemptions arise from an entity’s jurisdiction of formation – that is, formation under that state’s nonprofit corporation statute (sometimes in conjunction with tax exemption classification). Therefore, an otherwise available exemption may not be applicable to an entity in one state if it was formed under the law of a different state.
For example, in Nebraska, an entity qualifies for the “nonprofit” exemption if it is formed under Nebraska’s Nonprofit Corporation Act or if it is exempt under IRC section 501(c)(3), 501(c)(6), 501(c)(12), or 501(c)(4) in certain circumstances (as mentioned above). Therefore, a section 501(c)(7) social club formed in another state would not be exempt from Nebraska’s data privacy requirements, while a 501(c)(7) formed in Nebraska would be.
Given the foregoing, if an Oklahoma nonprofit social club described under IRC section 501(c)(7) handled the personal information of Nebraska residents inconsistently with the Nebraska data privacy statute, it could be subject to the Nebraska attorney general’s intervention, because it was not formed under the Nebraska nonprofit statute, and because section 501(c)(7) is not one of the enumerated federal tax classifications Nebraska designates as “nonprofit” for purposes of the statute.
3. Revenue Thresholds
Additionally, while certain of the new state laws do not provide blanket exemptions for nonprofits, nonprofits may still avoid the reach of these laws due to statutory processing and gross revenue thresholds. In most of the new statutes, applicability is limited to organizations that process data from a certain number of consumers or earn a certain percentage of their gross revenue from the sale of personal data. If an organization conducting business in the state or targeting products or services to residents of the state exceeds these thresholds for the relevant state, then that state’s statute would apply.
Applicability thresholds differ from state to state. For example, the Nebraska statute applies to any person or entity that processes or engages in the sale of personal data. The Maryland and New Hampshire statutes require the control or processing of at least 35,000 consumers’ personal data, and the New Jersey, Minnesota, and Kentucky statutes require the control or processing of 100,000 consumers’ personal data.[1] In view of these and the foregoing factors affecting applicability, exemption should be assessed on a state-by-state basis in view of the organization’s tax classification, state of formation, and expected operations.
Part II. New State Statutes
This section describes the seven newest state statutes and notable aspects of each law. These laws can be distinguished according to the exemptions they provide (or don’t provide) for nonprofits.
New States Offering No Exemption for Nonprofits:
New Jersey
New Jersey’s Senate Bill 332 (SB 332), effective January 15, 2025, establishes broad data privacy requirements with no exemption for nonprofits. It places a strong emphasis on consumer rights, empowering consumers to obtain disclosures related to their personal information, to request data deletion, and to exercise their right to opt out of targeted advertising and data sales. Controllers[2] (including many nonprofits receiving user data on their websites and donor portals) are bound to honor these rights and are barred from discriminating against consumers that exercise them. Controllers that possess deidentified data must ensure that it cannot be linked to individuals and must refrain from reidentifying the data. They must also require third-party data recipients to adhere to the statute’s guidelines through contractual agreements.
When controllers’ activities might pose heightened risks to consumers – such as through profiling or targeted advertising – they are mandated to undergo data protection assessments. These assessments must be made available to the New Jersey Division of Consumer Affairs upon request and must be treated as confidential. As chief enforcement officer, the New Jersey attorney general holds sweeping powers under SB 332 to ensure compliance with its provisions. However, the statute does not establish a private right of action, so individual consumers cannot bring lawsuits based on violations.
New States Offering Exemption for Nonprofits Based on Specific Mission:
Minnesota
The Minnesota Consumer Data Privacy Act (MCDPA), effective July 31, 2025, provides nonprofit exemption only for nonprofits that detect and prevent insurance fraud. MCDPA protects consumers’ data rights, including the right to access, delete, and opt out of targeted advertising or the sale of personal data. Furthermore, consumers have the right to receive a portable version of their data and to question the results of an action if their data was profiled in furtherance of a decision that produces legal effects. MCDPA also provides the consumer with the right to question the result of such profiling, to be informed of the reason why the profiling resulted in that decision and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision.
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed. They must also establish and implement security practices, obtain consumer consent for processing sensitive data, and act transparently by providing consumers with a privacy notice. Furthermore, controllers may not discriminate against consumers for exercising their rights. The law provides for enforcement through the Minnesota attorney general but does not establish a private right of action.
Maryland
The Maryland Online Data Privacy Act (MODPA), effective October 1, 2025, exempts only nonprofits that process or share personal data solely for the purpose of assisting either (1) law enforcement agencies investigating criminal or fraudulent acts relating to insurance, or (2) first responders responding to catastrophic events. MODPA protects consumers’ data rights, including the right to access, delete, and port data, as well as the right to opt out of data sales and data processing for targeted advertisements.
Controllers must limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer. Controllers must also establish and implement security practices, obtain consumer consent for certain processing activities, provide an effective mechanism to revoke that consent, and act transparently. Furthermore, controllers may not discriminate against consumers for exercising their rights. MODPA empowers the Maryland Division of Consumer Protection to provide controllers with notice and an opportunity to cure violations, and to impose penalties for violations.
New States Offering Exemption for Certain Nonprofits Described Under Section 501(c):
New Hampshire
New Hampshire’s Senate Bill 255 (SB 255), effective January 1, 2025, limits the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. Nonprofits with federal tax exemption under IRC sections 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) are exempt under SB 255. Under New Hampshire’s law, agricultural associations, labor unions, social clubs, lodge societies, and numerous nonprofits described under different sub-sections of IRC 501(c) are not exempt. The statute provides consumers with the same rights to access, delete, and opt out as do other states.
Notably, it requires controllers in possession of de-identified data to take reasonable measures preventing association of this data with individuals, to commit to maintaining and using de-identified data without attempting to re-identify, and to contractually mandate statutory compliance for recipients of de-identified data. The New Hampshire attorney general has exclusive authority to enforce SB 255. If a cure is possible, the attorney general must issue a notice of violation to the controller. If the controller fails to cure the violation within sixty days of receipt of the notice of violation, the attorney general may bring an enforcement action.
Rhode Island
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), effective January 1, 2026, limits exemption to those nonprofits described under IRC sections 501(c)(3), 501(c)(4), 501(c)(6), or 501(c)(12) – similar to New Hampshire. RIDTPPA establishes guidelines on customer data protection, outlines controller responsibilities, specifies customer rights (including the ability to access, correct, delete, and opt out), and sets requirements for data processing and data protection assessments. The statute does not provide for a private right of action, but it does grant the Rhode Island attorney general enforcement authority.
Kentucky
The Kentucky Consumer Data Protection Act (KCDPA), effective January 1, 2026, effectively limits exemption to those nonprofits described under IRC section 501(c)(3), defining a nonprofit organization as any incorporated or unincorporated entity that (1) operates for religious, charitable, or educational purposes and (2) does not provide net earnings to – or operate in any manner that inures to the benefit of – any officer, employee, or shareholder of the entity. Most nonprofits that comply with section 501(c)(3) requirements should be exempt under KCDPA, regardless of their state of formation.
KCDPA’s requirements focus on consumer rights, allowing consumers to access, correct, and delete personal data, and to opt out of certain data processing activities. Additionally, the statute requires data controllers to conduct and document data protection assessments as may be requested by the Kentucky attorney general for review. The attorney general has exclusive authority to enforce violations of KCDPA and can seek damages for up to $7,500 for continuous violations, following a cure period or breach of an express written statement from the attorney general.
New State Offering Exemption for All Domestic Nonprofits and Certain Nonprofits Described Under Section 501(c):
Nebraska
The Nebraska Data Privacy Act (NDPA), effective July 31, 2025, exempts any nonprofit corporation formed in Nebraska, any subsidiary or affiliate of a cooperative corporation formed in Nebraska, any organization exempt from taxation under IRC section 501(c)(3), 501(c)(6), or 501(c)(12), and any organization exempt under IRC section 501(c)(4) that is established to detect or prevent insurance-related crime or fraud. Most social welfare organizations under 501(c)(4) – including many lobbying organizations – will be subject to the NDPA. The statute protects consumers’ data rights, including the right to access, correct, delete, and opt out of data sales and targeted advertising.
Controllers must respect data use limits, implement data security practices, obtain explicit consent from consumers, and conduct data protection assessments. Furthermore, controllers may not discriminate against consumers for exercising rights enumerated under NDPA. The statute grants the Nebraska attorney general enforcement power to seek temporary restraining orders or injunctive relief to prohibit deceptive trade practices, and it establishes civil penalties (not to exceed $7,500 for each violation) following a cure period or breach of a written statement provided by the Nebraska attorney general. NDPA does not establish a private right of action.
Part III. Achieving Data Privacy Compliance
In light of these new state data privacy laws, and with more US data privacy regulation likely on the way, nonprofit leaders should prioritize data privacy compliance to avoid potential liability or reputational harm. The following steps outline how nonprofits can achieve and maintain compliance, including related questions to ask about each step.
1. Legal Evaluation – “Are we subject to certain state laws and, if so, what are our obligations?”
Work with qualified counsel to understand each law’s requirements and applicability to the nonprofit’s specific corporate structure and operations. This initial evaluation should equip nonprofit leaders to develop a list of obligations that significantly informs the organization’s compliance efforts.
2. Initial Audit – “What personal information do we collect and why?”
Conduct an initial data audit to determine the specific types of personal information the nonprofit collects and processes. An audit will include descriptions of data types, including demographic, behavioral, and other relevant categories. The organization should understand the purpose for data collection – e.g., for donor management, event registrations, volunteer coordination, or other organizational functions. Nonprofits should identify and document all entities or partners with whom they share this data, whether third-party vendors, affiliate organizations, or service providers.
3. Policy Development – “What are our data handling procedures and how do we disclose them?”
Review and, if necessary, revise privacy policies to ensure that they remain current and accurately represent the nonprofit’s data collection and processing practices. Privacy policies should be clear and understandable. They should provide information concerning the ways in which the organization manages, stores, and shares personal information. Furthermore, nonprofits should ensure that the practices described in the policies are consistently upheld throughout their operations. Practices must match disclosures. Regular assessments and updates to privacy policies are essential, particularly to stay compliant with evolving regulatory requirements and the dynamic nature of data-driven activities.
4. Security Evaluation – “Is the data safe from attack, compromise, or loss?”
Undertake a comprehensive evaluation of data storage and management systems to ascertain security strengths and vulnerabilities. Correspondingly, nonprofits should promptly rectify any identified weaknesses. It is also prudent for nonprofit leaders to stay updated with industry best practices in data security.
5. Data Breach Preparation – “Are we ready when things go wrong?”
Be prepared. All fifty states have now implemented data breach response requirements, so the onus on nonprofits to prepare for such breaches has never been greater. Nonprofits should establish well-defined breach response protocols that delineate clear roles and responsibilities for team members in the event of a breach. This includes identifying key personnel who will take the lead in coordinating the response, communicating with affected parties, and liaising with relevant authorities.
It is equally important to ensure that these protocols are regularly reviewed and updated to accommodate any changes in state requirements or best practices. Nonprofit leaders should also consider conducting periodic breach simulation exercises to test and refine their response mechanisms. Being proactive in this manner not only mitigates risks but also demonstrates a nonprofit’s commitment to safeguarding its stakeholders’ data and trust.
6. Staff Training – “How do we equip our team?”
Implement regular training sessions that orient volunteers and staff to these laws, discuss their relevance to the organization, and warn of the potential repercussions of noncompliance. These proactive measures are particularly important in light of the rapid changes in data privacy compliance. Such training sessions should also offer practical guidance on how to handle personal information responsibly and how to recognize potential threats or breaches. To keep up with changes in applicable law, it is advisable to provide regular refresher courses and continuing education opportunities.
7. Regular Audits – “Are we staying current?”
Plan for regular audits of organizational data handling and storage practices. Such audits should help nonprofits evaluate the effectiveness of current protocols and identify potential areas of vulnerability or noncompliance. Where possible, nonprofits should engage qualified professionals specializing in data privacy regulations for these assessments.
Concluding Remarks
Although complex at times, nonprofit data privacy legal compliance is best addressed proactively and thoroughly. By properly handling data, disclosing information to stakeholders, and keeping abreast of evolving legal obligations, nonprofit leaders can help an organization mitigate risk while protecting donors, employees, and other stakeholders.
[1] Note that these numbers drop considerably if a controller derives a percentage of its gross revenue from the sale of personal data.
[2] “Controller” under SB 332 means an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.