The Right to (Data) Privacy: How the Federal and State Legislation Are Addressing Data Privacy Concerns

The right to privacy has been a hotly debated issue for over a century in the United States. As far back as 1890, future Associate Supreme Court Justice Louis Brandeis, along with attorney Samuel D. Warren, wrote that “recent inventions and business methods call attention to the next step which must be taken for the protection of the person… instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life’” .

Brandeis and Warren wrote this article at the dawn of yellow journalism, amidst concerns that newspapers were sensationalizing stories or outright inventing them in order to make a profit sometimes at the expense of an individual’s privacy.

Today, we find ourselves in a new, digital age, and post Facebook-Cambridge Analytica data scandal, there is widespread concern about organizations collecting and profiting off of an individual’s personal information without those individuals’ knowledge or consent. In response, the Federal government and a number of state governments have either begun working on data privacy legislation or have actually implemented data privacy legislation.

That’s why the DMAW, the Nonprofit Alliance, and the DMFA hosted a webinar entitled “Data Legislation: What’s New and What’s Next?” on February 6th.

During this webinar, Shannon McCracken and Mark Micali, both of The Nonprofit Alliance (TNPA), discussed how these recently implemented state laws and proposed federal and state legislation could affect nonprofit organizations, as well as what organizations can do while this issue continues to work its way through federal and state legislatures.

First, Shannon began by sharing an update on the California Consumer Privacy Act of 2018 (CCPA). Although a number of amendments were passed by the California state legislature in October of 2019 in order to clarify certain issues (such as ensuring that the law was HIPAA compliant) Shannon shared that the law itself did not substantively change: if you are an organization based outside of California, but collecting user data from a resident of California, the CCPA applies. The law is concerned with where the consumer is located, not where the organization is based. Additionally, the CCPA still contains an exclusion for nonprofits and associations.

While the CCPA went into effect January 1st, 2020, California will begin to actually enforce the law starting July 1st, 2020. During this waiting period, Shannon said, the California Attorney General is expected to issue guidance on how this law should be applied and what enforcement will look like.

Shannon also shared that California will likely have another ballot initiative on the national ballot in November of 2020. Should it pass, it would state that any amendments to the CCPA can only strengthen the law, not weaken it. It would also define what information is “personal” (such as geolocation and social security numbers), clarify how the existing law should be enforced, and allow for the creation of a data protection agency that would handle some of the enforcement matters.

Of interest to the TNPA is whether religious belief would end up being defined as “personal” on this ballot initiative. An individual’s religious beliefs could of course be used against an individual in a discriminatory way. Yet as fundraisers, we know that a potential donor’s religious beliefs can be a great indicator as to whether they might be interested in your mission. The TNPA is hopeful that religious beliefs might be excluded from the ballot initiative for this reason.

As mentioned above, California was by no means the only state to have passed some form of data privacy legislation in 2018. Vermont enacted their own data privacy legislation in 2018, followed by Illinois, Maine and Nevada in 2019. These state laws ranged from biometrics data protection (Illinois) to data opt out and privacy policy, legislation. In addition to states enacting data privacy legislation, in 2019 alone, 23 states considered data privacy bills of their own.

The TNPA is monitoring as states continue discussing data privacy legislation in 2020. For instance, Florida and Illinois are looking to pass legislation similar to the CCPA, while Nebraska and New Hampshire are looking at possible legislation that might be similar to CCPA and might apply to online and offline data. Additionally, the state of Washington has a bill that had been progressing through the legislative process, but there are now 2 companion bills, which are a sort of hybrid of GDPR and CCPA. Finally, the state legislature of Arizona introduced a resolution urging federal government to enact federal privacy law.

In summation, many states are attempting to work on this issue, but are taking a “slow walk” approach to see how California works through the many issues that have presented themselves. Needless to say, Congress has gotten involved in this issue, too.

Mark shared that currently, a Capitol Hill “Gang of Six” Senators have been working on a bipartisan bill while serving on the Senate Commerce Committee. The disagreement between the three Republican senators (Chairman Roger Wicker (MS), John Thune (SD), and Jerry Moran (KS)) and three Democrat senators (Ranking Member Maria Cantwell (WA), Richard Blumenthal (CT), and Brian Schatz (HI)) centers around two major areas:

1. Does federal legislation preempt state legislation, or will it be that states have to minimally comply with federal and states can build out their own?
2. What will enforcement look like? Will there be a specific body like FTC? Or will there be private right of action, like a class action lawsuit?

Two bills have emerged as these points of disagreements have been discuss: the Wicker bill and the Cantwell bill.

The Wicker bill states that federal legislation that should preempt state laws, no private right of action would be permitted, it would allow state attorney generals to file suit in federal court only, and would empower the FTC to be the regulator (i.e. the bill is more interested in high level enforcement).
The Cantwell bill states that federal legislation should not include federal preemption, would allow for private right of action and would not require suits to be filed to federal court. Additionally, if a state attorney general were to file suit, it would have to go to federal court and FTC would take over (similar to Wicker bill).

Other key senators on this issue include Krysten Sinema (D-AZ), who also serves on the Senate Commerce committee. A senator who strives for bipartisanship, if her state legislature goes on record calling for national privacy law (as referred to earlier), that would encourage her to become an advocate.

On the House side, Congresswoman Suzan DelBene (D-WA) is leading the charge on this issue. A former Microsoft Executive, she knows data privacy issues well! Her bill includes a clear federal preemption, allows state attorney generals to file suit, with FTC notification and empowerment. There is no mention of a private right of action in her bill, which was done, the TNPA believes, with intention. The DelBene bill also includes a small business exemption (for those businesses with fewer than 500 employees), though not a non-profit exemption. Currently, her bill has 33 cosponsors, all Democrats. But the TNPA thinks there might be 6 or 8 or 10 Republican representatives who would consider joining this bill. This is important because if a leading democrat in House is moving the bill, it sends a good message to the Senate.

This huge update aside, many might be wondering, what can I do to press this issue, on a federal, or state issue, or simply, how can I prepare my organization for any new data privacy laws?

For starters, the TNPA is planning for two Capitol Hill days on March 25th and June 10th. More information on these days can be accessed by going to TNPA events section if you would like to participate or learn more!
In the meantime, as the issue of data privacy continues to be debated in state legislatures and in Congress, Shannon shared that now is the time for organizations to ensure that they are acting in good faith and protecting their donor’s privacy by implementing the following best practices:

1. Organizations should clearly disclose what they’re doing with donor data – it should not be buried in a large privacy agreement
2. Organizations should make their contact information clearly available – it should be prominently displayed on all websites and mailings
3. An opt-out button should be prominent or at a minimum there should be an easily accessible form to opt out of data being shared
4. Organizations should conduct an internal audit of where you collect data from your donors (donations, website, events, etc) or whether you sell or provide that data to other organizations.
5. Organizations should develop “talk tracks” around donor communications – if a donor calls with respect to how their data is being used, the organization’s staffer should be able to answer these questions and reassure the donor. The organization should reach a consensus on the donor experience they want to provide!

So though we find ourselves in a new, digital age, with so much information to sort through, and so much uncertainty with regard to what will and won’t be permissible uses of donor data, there are ways organizations can prepare: by staying informed on the progress of certain bills, and by utilizing best practices that respect an individual’s right to data privacy.

Rachel Henzlik is a Direct Response Specialist at AARP Foundation, where she assists with direct mail and online fundraising campaigns.