Advancing the nonprofit marketing & charitable fundraising community since 1982
Contact Senny Boone, Esq., ANA Nonprofit Federation, at 202.861.2498
The California Consumer Privacy Act of 2018 passed in less than one week and was signed into law by California Governor Jerry Brown on June 28, 2018. It was passed to avoid a sweeping state privacy rights ballot initiative launched by privacy advocate Alastair MacTaggart (see https://www.caprivacy.org/) that, once passed, could not be amended by the state legislature. The ballot initiative proponents agreed to the new law and withdrew their ballot initiative as a result. The new law takes effect on January 1, 2020; there is a “look-back” provision for data source transparency for the preceding 12-month time frame.
Unfortunately, although the new law has laudable goals to provide Californians with enhanced data privacy, the new law adds new burdens to charitable giving as outlined below:
Data for good is at risk: Charities will lose support for Californians’ local missions
Giving is premised on smart, informed data sources. Data for good is foundational to the operations of a legitimate nonprofit organization. Charities that seek new data (individual or household) to be in touch with donors, supporters and new contacts about vitally important missions will find few legitimate data resources. As data sources shrink due to new California state regulatory barriers, nonprofits will need to seek new ways to be in contact with an ever-reducing (attrition rates for current donors) pool of data resources. This jeopardizes the future growth of charities and charitable giving in California.
Key provisions of the new law
The Act gives “consumers” (natural persons who are California residents) four basic rights to their personal information:
The Act applies to:
For-profit businesses (not nonprofit organizations) that collect and control California residents’ personal information, do business in California, and (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more CA residents, devices (mobile data for example) or households on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information. Nonprofit concern: although nonprofits are not included, their agencies and data providers are now subject to restrictions on data that impact an organization’s ability to raise funds and to deliver on its important missions for Californians. For example, a local homeless shelter that seeks new data sources to obtain new donors to add to its list of potential supporters may no longer have access to the list, leading to fewer donors and fewer funds available to help support the homeless.
The type of consumer information/data protected is “personal information.”
Personal information is defined very broadly — “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act gives examples such as purchasing data, records of personal property, audio, electronic, visual, thermal, olfactory, or similar information. Nonprofit concern: As worded, the definition of covered data subjected to new restrictions is incredibly broad since it could be used to describe any information that can link or identify an individual or the household. This definition defines privacy for households in addition to individuals and will impact local Californians since less data will be available for important missions and causes.
There are some very narrow exceptions to this sweeping definition, such as de-identified data (as defined in the Act) or aggregate consumer information (which is also defined in the Act). As a result, companies under the Act will need to ensure their compliance efforts are broad enough to include all potential data, leading to less data available for charities for missions and fundraising.
Company notice and choice
Most nonprofit organizations look to outside data sources now restricted by the CCPA that can supplement and enhance their existing records in order to update their data or to do new acquisition campaigns for new support or other mission-related involvement. There are many legitimate providers of properly sourced and protected data, but these providers must now take restrictive steps that will curtail data available for use. This stops new data insight and subsequent outreach about important causes.
So, for example, data collected by a company from an individual after an inquiry about cancer may not be used or shared to help the individual learn about helpful resources offered by a cancer organization or ways the data subject can help to raise money to find a cancer cure. Or, data provided about a household with pets may not be provided to organizations to seek support for the humane treatment of animals. Although nonprofit organizations are exempt, they are impacted due to their ongoing need for data to help Californians.
Companies that sell data to third parties need to disclose that practice and must give consumers the ability to opt-out of the sale by supplying a link titled “Do Not Sell My Personal Information” on the business’s home page. This will lead to less data available for charities serving California.
Company transparency about PI held
Consumers have a right to request certain information from businesses, including the source of the information, the type of information it collected about the consumer, and all the third parties with which it shared the data. The consumer should be able to access this full set of information via a toll-free number or a website (a no-cost resource). This information must be provided to the consumer within 45 days of the consumer’s request. For nonprofit organizations, this may mean more requests by donors to learn the source and why their name was shared by the nonprofit with others.
The Act is enforced by the California Attorney General, subject to a 30-day cure period. The civil penalty for intentional violations of the Act is up to $7,500 per violation.
For a data breach of more sensitive information (sensitive information is more narrowly defined than personal information above), there is a new private right of action that can be brought by a consumer to seek financial damages, and this can be between $100 and $750 per CA resident per incident. For companies that are often the target of hacks, this can be prohibitively expensive due to new consumer lawsuits if they experience a data breach with thousands of customers impacted.
The California law is going into effect on January 1, 2020. Companies subject to the Act are working now to come into compliance, particularly those data source companies that buy, share, or sell all types of “personal information” under the Act. This includes a full review of the past 12 months of personal information data sold or disclosed (i.e., a look back of data provided, shared, disclosed…). This is overly broad since there are general data points that cannot be clearly extracted, such as a public record resource combined with aggregated data. This provision is duplicative, costly and unnecessary since the company must already provide data sources to the consumer upon request.
Attorney General Xavier Becerra is holding hearings across California to get input before issuing regulations that will implement the CA law; ANA has provided testimony at these hearings.
New legislation to offer consumers a private right of action to sue data providers is supported by the Attorney General in California. CA SB 561 by State Senator Hannah-Beth Jackson would add new provisions to the CCPA to allow for more lawsuits.
A national federal data privacy standard is needed to ensure there is a uniform standard rather than multiple state laws that would be costly and difficult to follow due to the variances in language, leading to less data overall for important nonprofit missions.