Client Alert: State Privacy Laws and Nonprofit Organizations
Date: August 21, 2023
Each of the frameworks underlying the various U.S. state privacy laws generally share key definitions, business obligations, and core consumer rights governing the collection, use, and transfer of consumer data. However, there are some notable differences in each aspect, including how each law addresses nonprofit and political organizations within its respective framework.
Nonprofit Treatment Under State Privacy Laws
By way of example, the California Consumer Privacy Act (“CCPA”) broadly exempts nonprofit organizations and instead only applies to legal entities that are “organized or operated for the profit or financial benefit of its shareholders or other owners” and otherwise satisfy one or more of the jurisdictional thresholds articulated in the CCPA. However, any entity, including a nonprofit organization, that (i) is otherwise controlled by a covered business under the CCPA, (ii) shares common branding with the covered business, and (iii) with whom the covered business shares consumers' personal information, is subject to the CCPA.
In contrast to California, the Colorado Privacy Act does not include an explicit exception or definition of nonprofit organizations and is thus applicable to any legal entity that offers services in Colorado and meets certain thresholds under the Colorado law.
Many of the state privacy laws look to the Internal Revenue Code to define the types of nonprofit organizations that are exempt under the applicable privacy law. For example, organizations exempt from taxation under Sections 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code are used to define, in part, “nonprofit organizations” that are exempt from the Connecticut Personal Data Privacy and Online Monitoring Act. In contrast to Connecticut law, Indiana’s Consumer Data Protection Act does not contain an exception for organizations whose tax exemption status is derived under Section 501(c)(4) of the Internal Revenue Code.
In addition to organizations exempt from taxation under the Internal Revenue Code, various state privacy laws look to their respective state-level nonprofit laws to further define certain exceptions. The Utah Consumer Privacy Act, for example, additionally excludes from its scope domestic nonprofit organizations that are incorporated under Utah’s nonprofit laws. Similarly, the Tennessee Information Protection Act exempts corporations organized under the Tennessee Nonprofit Corporation Act.
Political Organizations Under State Privacy Laws
With the exception of Colorado, each of the current state data privacy laws contains some exceptions for nonprofit organizations. However, political organizations are not generally exempt under the state privacy laws. Currently, only Texas and Virginia contain an express exemption directed to political organizations. Texas and Virginia state privacy laws employ a substantially equivalent definition of a political organization, which is defined as any organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any (i) federal, state, or local public office, (ii) office in a political organization, or (iii) the election of a presidential/vice-presidential elector, in each instance whether or not such individual or elector is selected, nominated, elected, or appointed.
Practical Impact on Nonprofits and Political Organizations
Despite the availability of certain exceptions for nonprofit and political organizations under the various state privacy laws, it is reasonable to expect members, donors, and consumers to look for more access, control, and transparency into how their data is being used, regardless of the nature or type of organization that collects, stores, or otherwise processes that data. Even if not specifically covered by an applicable state privacy law, nonprofit and political organizations should anticipate the impact created by the growing patchwork of consumer rights under these laws, and be prepared to respond appropriately, whether that response is required by law or the growing privacy concerns and expectations of valued members, donors, and partners.
In addition, many for-profit, third-party service providers that provide services to nonprofit or political organizations, such as data sources or third-party marketing sources, are less likely to be exempt from an applicable privacy law and therefore may have an obligation to impose certain contractual requirements under the applicable state privacy laws on their clients. As such, nonprofits and political organizations need to understand their obligations in assisting their service providers to meet the requirements of any applicable state law and how to negotiate these points in any vendor or service agreement.
* * *
For more information about the applicability of any state data privacy law to your organization, or for information about compliance with such laws, please contact a member of Whiteford’s Cyber Security, Data Management & Privacy practice group.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.