In 2023, eight more states passed comprehensive data privacy legislation, adding to the six that had passed broadly applicable privacy laws in years prior. In addition, several issue-specific laws regulating health data, data associated with minors, and data brokers have passed state legislatures this year. While many state privacy laws contain certain exemptions for nonprofit organizations, each exemption is different and may not extend to all nonprofit organizations or other entities working with nonprofits. In addition, some new state privacy laws do not provide any exemptions for nonprofits. Nonprofits must pay close attention to state data privacy requirements and have a clear understanding of which laws apply to their operations.

Applicability to Nonprofits

Each state privacy law's approach to nonprofit applicability is different. For example, Colorado privacy law applies to nonprofits that conduct business in the state, or deliver commercial products or services targeted to state residents, and meet certain data processing or revenue thresholds. California maintains that only for-profit entities can be regulated "businesses" under the law, but nonprofits may be other defined entities, such as "service providers," "contractors," or "third parties" that are subject to certain requirements. Privacy laws in Delaware and Oregon exempt only nonprofits with specific missions. Delaware exempts only those nonprofits that are dedicated exclusively to preventing and addressing insurance crime and nonprofits that provide services to victims of or witnesses to certain crimes or violence. Oregon exempts only those nonprofits that are established to detect and prevent insurance fraud, and the law also exempts the noncommercial activity of nonprofits that provide programming to radio or television networks. Nevada privacy law makes no explicit statement regarding nonprofit applicability, while laws in Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia provide exemptions for "nonprofit organizations" or "nonprofit corporations," as defined in the applicable state law. Each law's definition of those terms is different, however, so not all nonprofits will be exempt from privacy laws in those states.

Impacts to Nonprofits

Nonprofits that fall within scope of state privacy laws must meet requirements related to consumer data rights and data governance, such as privacy impact assessments, consumer notices, and contracting. Consumer rights to access and correct personal data may require nonprofits to build new processes to facilitate compliance, and other rights available to consumers could impact nonprofits' ability to get the word out about their goals and purposes. Nonprofits that must effectuate consumer requests to delete personal data, for example, could lose access to data they rely on to advance their missions, and nonprofits that must honor consumer requests to opt out of targeted advertising or sales could be limited in their ability to onboard data to advertising platforms to reach potential donors and volunteers. Nonprofits that do not meet applicable privacy requirements may be subject to enforcement from state attorneys general.

How Nonprofits Should Respond

Nonprofits should start by determining which state privacy laws apply to them. Then, nonprofits should assess the impacts of those specific state privacy laws and start on the path to compliance. Such activities may include creating processes to field and respond to consumer privacy rights requests, updating privacy policies and other consumer- and member-facing notices, and creating internal documentation to evaluate and assess certain processing activities.