Privacy Compliance for US Nonprofits re: Europe’s GDPR and California’s CCPA
Nonprofit organizations in the United States collecting personal data on donors, prospective donors, employees, website visitors and others need to be closely following the new privacy laws in order to ensure that they do not run afoul of regulators. With the EU GDPR in effect since May 2018, the California Consumer Privacy Act (CCPA) scheduled to take effect in 2020 and the prospect of a new federal privacy law coming out of Congress in the next few years, nonprofits need to have an understanding of their data collection, usage and sharing to establish legal compliance and offer transparency to people giving them their personal information.
General Data Protection Regulation (GDPR)
The European Union’s new privacy law, GDPR, applies to nonprofit organizations in the same fashion as it applies to businesses. If a nonprofit in the United States is collecting information on residents of the European Union (whether as donors, employees or website visitors), then it needs to make an effort towards GDPR compliance. The one area where GDPR will not apply to the same extent as a large corporations is the Records of Processing Activity required by Article 30, which provide an exclusion for organizations employing fewer than 250 persons that are not carrying out high risk activities (as specified in the exemption).
Otherwise, nonprofit organizations are required to take the same steps as a corporation to establish a lawful basis for processing, provide adequate transparency to data subjects, offer the data subject access rights, and the other components of GDPR.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act will usually not apply to nonprofit organizations. The new California privacy law applies to a “business” which is defined, in relevant part, as a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entitity that is organized or operated for the profit or financial benefit of its shareholders or other owners. Nonprofits will not fall into this definition as a result of their lack of a profit motive.
However, a business that controls a nonprofit may create a situation where the nonprofit organization is required to comply with the CCPA. The CCPA also considers a business “[a]ny entity that controls or is controlled by a business … and that shares common branding with the business.” Control is broadly defined as control over the election of a majority of the directors or individuals exercising similar function. Common branding means a shared name, servicemark or trademark. So if a business controls a nonprofit organization and the business itself is required to comply with the CCPA, then the nonprofit would also need to comply.
Why would the law apply to a nonprofit in this fashion? Most likely, to eliminate any incentive for businesses to use a nonprofit organization to collect and process data on its behalf and expect that their company would not need to comply with the CCPA. In other words, by including nonprofits controlled by a business organization, it can avoid attempts to avoid compliance obligations.
Update: An association of nonprofits has asked the California legislature to amend the CCPA to make clear that the law does not apply to nonprofits. This would imply that they received legal advice that it may apply to their members, or was unclear! Stay tuned for additional information.
GET OUR FREE WHITE PAPER ON THE NEW CALIFORNIA LAW:
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.