State-by-State, Nonprofits Are No Longer Exempt
My nonprofit friends: Montana just officially removed exemptions for nonprofits from its data privacy law. Connecticut did the same.
They join Colorado, Delaware, New Jersey, and Oregon in this practice of holding nonprofits to account.
If you're surprised that Montana took this approach, the stats suggest that 56% of registered voters in the US say they support federal data privacy legislation. We're likely to see more of this, given the bipartisan support for privacy.
This removal of exemptions points to a shift in how regulators view data responsibility: your tax status doesn’t change the fact that if your organization is entrusted to care for sensitive, personal information from thousands of people, you should be regulated as such.
What You Should Know
Large-scale nonprofits will now be required to follow the same set of standards as other business entities in these states. That means:
- Publishing a clear privacy policy
- Honoring key consumer rights, including: the right to access, right to delete, right to correct, right to data portability, and right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects
- Following the tenets of data minimization and purpose limitation
- Implementing reasonable administrative, technical, and physical safeguards to protect personal data
- Implementing data processing agreements (DPAs) to define roles, responsibilities, and data protection measures among third-party partners
- Conducting Data Protection and Impact Assessments (DPIAs) in advance of large-scale advertising or data-sharing activities
- Obtaining explicit opt-in consent before processing sensitive data
These states won't be the last to un-exempt nonprofits as we collectively come to the same truth, which is that if thousands of people trust you with their data, you are, in very real terms, a data company.
And that trust comes with growing legal and ethical expectations.
This doesn't have to be a cause for panic or for us to use our limited resources to call for renewed exemptions – it can instead be an opportunity to lead with transparency and integrity.
-----
If you need support in understanding how your operational framework needs to adjust with these and other legislative updates, shoot me a note. I track data privacy changes like these each month (it's a thrill, I know).
