Advancing the nonprofit marketing & charitable fundraising community since 1982

California Consumer Privacy Act 2018 (CCPA)

California Consumer Privacy Act 2018 – Impact on Fundraising and Mission

Contact Senny Boone, Esq., ANA Nonprofit Federation, at 202.861.2498


The California Consumer Privacy Act of 2018 passed in less than one week and was signed into law by California Governor Jerry Brown on June 28, 2018. It was passed to avoid a sweeping state privacy rights ballot initiative launched by privacy advocate Alastair MacTaggart (see that, once passed, could not be amended by the state legislature. The ballot initiative proponents agreed to the new law and withdrew their ballot initiative as a result. The new law takes effect on January 1, 2020, there is a “look-back” provision for data source transparency for the preceding 12-month time frame.

Unfortunately, although the new law has laudable goals to provide Californians with enhanced data privacy, the new law adds new burdens to charitable giving as outlined below:

Data for good is at risk: Charities will lose support for Californians’ local missions
Giving is premised on smart, informed data sources. Data for good is foundational to the operations of a legitimate nonprofit organization. For charities that seek new data (individual or households) to be in touch with donors, supporters and new contacts about vitally important missions will find few legitimate data resources. As data sources shrink due to new California state regulatory barriers, nonprofits will need to seek new ways to be in contact with an ever-reducing (attrition rates for current donors) pool of data resources. This jeopardizes the future growth of charities and charitable giving in California.

Key provisions of the new law
The Act gives “consumers” (natural persons who are California residents) four basic rights to their personal information:

  1. The right to know (through a privacy policy and upon request) what information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold. Nonprofit concern: what if the source is an organization? Does the organization face a new obligation to remove the data from its own database?
  2. An opt-out right – the consumer may choose to opt-out of the sale of their information to third parties; consumers under the age of 16 must first opt-in (parental consent.) Nonprofit concern: less consumer information available to outreach to donors.
  3. The right to data deletion – a business must delete the personal information. Nonprofit concern: what does this mean for data provided to a charity or sourced from a nonprofit organization?
  4. The consumer must still receive “equal service and pricing from a business,” even if they exercise their privacy rights, such as opting out of data selling, under the Act.

The Act applies to:
For-profit businesses (not nonprofit organizations) that collect and control California residents’ personal information, do business in California, and (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more CA residents, devices (mobile data for example) or households on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents personal information. Nonprofit concern: although nonprofits are not included, their agencies and data providers are now subject to restrictions on data that impacts an organization’s ability to raise funds and to deliver on their important missions for Californians. For example, a local homeless shelter that seeks new data sources to obtain new donors to add to its list of potential supporters may no longer have access to the list, leading to less donors and less funds available to help support the homeless.

The type of consumer information/data protected is “personal information.”

Personal information is defined very broadly — “information that identifies, relates to, describes, is capable or being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act gives examples such as purchasing data, records of personal property, audio, electronic, visual, thermal, olfactory, or similar information.” Nonprofit concern: As worded, the definition of covered data subjected to new restrictions is incredibly broad since it could be used to describe any information that can link or identify an individual or the household. This definition defines privacy for households in addition to individuals and will impact local Californians since less data will be available for important missions and causes.

There are some very narrow exceptions to this sweeping definition—such as de-identified data (as defined in the Act) or aggregate consumer information (which is also defined in the Act.) Companies under the Act will need to ensure their compliance efforts are broad to include all potential data as a result leading to less data available for charities for missions and fundraising.

General issues

Company notice and choice
Most nonprofit organizations look to outside data sources now restricted by the CCPA that can supplement and enhance their existing records in order to update their data or to do new acquisition campaigns for new support or other mission-related involvement. There are many legitimate providers of properly sourced and protected data, but these providers must now take restrictive steps that will curtail data available for use. This stops new data insight and subsequent outreach about important causes.

So, for example, data collected by a company from an individual after an inquiry about cancer may not be used or shared to help the individual learn about helpful resources offered by a cancer organization or ways the data subject can help to raise money to find a cancer cure. Or, data provided about a household with pets may not be provided to organizations to seek support for the humane treatment of animals. Although nonprofit organizations are exempt, they are impacted due to their ongoing need for data to help Californians.

Companies will need to update or craft new privacy policies and the disclosures needed at the time that the data is collected. Businesses need to disclose proactively the existence and nature of consumers’ rights under the Act, the categories of personal information that is collected, the purpose for which the information is collected, and the categories of personal information that is sold or disclosed in the preceding 12 months. (This is known as the look-back provision.) This means that companies must determine what personal data they are collecting from individuals and households and for what purpose and update their privacy policy at least every 12 months. Data is often combined into various databases for data hygiene, new data resources and it can be difficult to provide a source of data for data that is not addressable or identifiable — new barriers to such data will impact nonprofit data users.

Companies that sell data to third parties need to disclose that practice and must give consumers the ability to opt-out of the sale by supplying a link titled “Do Not Sell My Personal Information” on the business’s home page. This will lead to less data available for charities serving California.

Company transparency about PI held
Consumers have a right to request certain information from businesses, including the source of the information, the type of information it collected about the consumer, and all the third parties with which it shared the data. The consumer should be able to access this full set of information via a toll-free number or a Website. (A no cost resource.) This information must be provided to the consumer within 45 days of the consumer’s request. For nonprofit organizations, this may mean more requests by donors to learn the source and why their name was shared by the nonprofit with others.

Act enforcement
The Act is enforced by the California Attorney General, subject to a 30-day cure period. The civil penalty for intentional violations of the Act is up to $7,500 per violation.

For data breach of more sensitive information (sensitive information is more narrowly defined than personal information above) there is a new private right of action that can be brought by a consumer to seek financial damages and this can be between $100 and $750 per CA resident per incident. For companies often the target of hacks, this can be prohibitively expensive due to new consumer lawsuits if they experience a data breach with thousands of customers impacted.


The California law is going into effect on January 1, 2020. Companies subject to the Act or working now to come into compliance, particularly those data source companies that buy, share, sell all types of “personal information” under the Act. This includes a full review of the past 12 months of personal information data sold or disclosed (i.e., a look back of data provided, shared, disclosed…) This is overly broad since there are general data points that cannot be clearly extracted such as a public record resource combined with aggregated data. This provision is duplicative, costly and unnecessary since the company must already provide data sources to the consumer upon request.

The Attorney General Xavier Becerra is holding hearings across California to get input before issuing regulations that will implement the CA law, ANA has provided testimony at these hearings.

New legislation to offer consumers a private right of action to sue data providers is supported by the Attorney General in California. CA SB 561 by State Senator Hannah-Beth Jackson would add new provisions to the CCPA to allow for more lawsuits.

A national federal data privacy standard is needed to ensure there is a uniform standard v. multiple state laws that would be costly and difficult to follow due to the variances in language, leading to less data overall for important nonprofit missions.

Not a member? Register