Advancing the nonprofit marketing & charitable fundraising community since 1982

Ethics & Policy Resources for Nonprofits

Information to help your organization comply with member guidelines

Issues Threatening Data-Driven Marketing and Fundraising

California Consumer Privacy Act 2018 – Impact on Fundraising and Mission

Contact Senny Boone, Esq., ANA Nonprofit Federation, at 202.861.2498


The California Consumer Privacy Act of 2018 passed in less than one week and was signed into law by California Governor Jerry Brown on June 28, 2018. It was passed to avoid a sweeping state privacy rights ballot initiative launched by privacy advocate Alastair MacTaggart (see that, once passed, could not be amended by the state legislature. The ballot initiative proponents agreed to the new law and withdrew their ballot initiative as a result. The new law takes effect on January 1, 2020, there is a “look-back” provision for data source transparency for the preceding 12-month time frame.

Unfortunately, although the new law has laudable goals to provide Californians with enhanced data privacy, the new law adds new burdens to charitable giving as outlined below:

Data for good is at risk: Charities will lose support for Californians’ local missions
Giving is premised on smart, informed data sources. Data for good is foundational to the operations of a legitimate nonprofit organization. For charities that seek new data (individual or households) to be in touch with donors, supporters and new contacts about vitally important missions will find few legitimate data resources. As data sources shrink due to new California state regulatory barriers, nonprofits will need to seek new ways to be in contact with an ever-reducing (attrition rates for current donors) pool of data resources. This jeopardizes the future growth of charities and charitable giving in California.

Key provisions of the new law
The Act gives “consumers” (natural persons who are California residents) four basic rights to their personal information:

  1. The right to know (through a privacy policy and upon request) what information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold. Nonprofit concern: what if the source is an organization? Does the organization face a new obligation to remove the data from its own database?
  2. An opt-out right – the consumer may choose to opt-out of the sale of their information to third parties; consumers under the age of 16 must first opt-in (parental consent.) Nonprofit concern: less consumer information available to outreach to donors.
  3. The right to data deletion – a business must delete the personal information. Nonprofit concern: what does this mean for data provided to a charity or sourced from a nonprofit organization?
  4. The consumer must still receive “equal service and pricing from a business,” even if they exercise their privacy rights, such as opting out of data selling, under the Act.

The Act applies to:
For-profit businesses (not nonprofit organizations) that collect and control California residents’ personal information, do business in California, and (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more CA residents, devices (mobile data for example) or households on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents personal information. Nonprofit concern: although nonprofits are not included, their agencies and data providers are now subject to restrictions on data that impacts an organization’s ability to raise funds and to deliver on their important missions for Californians. For example, a local homeless shelter that seeks new data sources to obtain new donors to add to its list of potential supporters may no longer have access to the list, leading to less donors and less funds available to help support the homeless.

The type of consumer information/data protected is “personal information.”

Personal information is defined very broadly — “information that identifies, relates to, describes, is capable or being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act gives examples such as purchasing data, records of personal property, audio, electronic, visual, thermal, olfactory, or similar information.” Nonprofit concern: As worded, the definition of covered data subjected to new restrictions is incredibly broad since it could be used to describe any information that can link or identify an individual or the household. This definition defines privacy for households in addition to individuals and will impact local Californians since less data will be available for important missions and causes.

There are some very narrow exceptions to this sweeping definition—such as de-identified data (as defined in the Act) or aggregate consumer information (which is also defined in the Act.) Companies under the Act will need to ensure their compliance efforts are broad to include all potential data as a result leading to less data available for charities for missions and fundraising.

General issues

Company notice and choice
Most nonprofit organizations look to outside data sources now restricted by the CCPA that can supplement and enhance their existing records in order to update their data or to do new acquisition campaigns for new support or other mission-related involvement. There are many legitimate providers of properly sourced and protected data, but these providers must now take restrictive steps that will curtail data available for use. This stops new data insight and subsequent outreach about important causes.

So, for example, data collected by a company from an individual after an inquiry about cancer may not be used or shared to help the individual learn about helpful resources offered by a cancer organization or ways the data subject can help to raise money to find a cancer cure. Or, data provided about a household with pets may not be provided to organizations to seek support for the humane treatment of animals. Although nonprofit organizations are exempt, they are impacted due to their ongoing need for data to help Californians.

Companies will need to update or craft new privacy policies and the disclosures needed at the time that the data is collected. Businesses need to disclose proactively the existence and nature of consumers’ rights under the Act, the categories of personal information that is collected, the purpose for which the information is collected, and the categories of personal information that is sold or disclosed in the preceding 12 months. (This is known as the look-back provision.) This means that companies must determine what personal data they are collecting from individuals and households and for what purpose and update their privacy policy at least every 12 months. Data is often combined into various databases for data hygiene, new data resources and it can be difficult to provide a source of data for data that is not addressable or identifiable — new barriers to such data will impact nonprofit data users.

Companies that sell data to third parties need to disclose that practice and must give consumers the ability to opt-out of the sale by supplying a link titled “Do Not Sell My Personal Information” on the business’s home page. This will lead to less data available for charities serving California.

Company transparency about PI held
Consumers have a right to request certain information from businesses, including the source of the information, the type of information it collected about the consumer, and all the third parties with which it shared the data. The consumer should be able to access this full set of information via a toll-free number or a Website. (A no cost resource.) This information must be provided to the consumer within 45 days of the consumer’s request. For nonprofit organizations, this may mean more requests by donors to learn the source and why their name was shared by the nonprofit with others.

Act enforcement
The Act is enforced by the California Attorney General, subject to a 30-day cure period. The civil penalty for intentional violations of the Act is up to $7,500 per violation.

For data breach of more sensitive information (sensitive information is more narrowly defined than personal information above) there is a new private right of action that can be brought by a consumer to seek financial damages and this can be between $100 and $750 per CA resident per incident. For companies often the target of hacks, this can be prohibitively expensive due to new consumer lawsuits if they experience a data breach with thousands of customers impacted.


The California law is going into effect on January 1, 2020. Companies subject to the Act or working now to come into compliance, particularly those data source companies that buy, share, sell all types of “personal information” under the Act. This includes a full review of the past 12 months of personal information data sold or disclosed (i.e., a look back of data provided, shared, disclosed…) This is overly broad since there are general data points that cannot be clearly extracted such as a public record resource combined with aggregated data. This provision is duplicative, costly and unnecessary since the company must already provide data sources to the consumer upon request.

The Attorney General Xavier Becerra is holding hearings across California to get input before issuing regulations that will implement the CA law, ANA has provided testimony at these hearings.

New legislation to offer consumers a private right of action to sue data providers is supported by the Attorney General in California. CA SB 561 by State Senator Hannah-Beth Jackson would add new provisions to the CCPA to allow for more lawsuits.

A national federal data privacy standard is needed to ensure there is a uniform standard v. multiple state laws that would be costly and difficult to follow due to the variances in language, leading to less data overall for important nonprofit missions.

General Tips for GDPR Compliance

The General Data Protection Regulation (GDPR) is in effect for organizations active in the EU as of May 25, 2018 and replaces the European Data Protection Directive in all EU member states. The GDPR does not exempt nonprofit organizations, which collect a great deal of personal information and must comply with the GDPR. The fines are very steep: 4% of annual turnover or 20 million euros, whichever higher. Please note that this update does not replace legal advice — please review the GDPR and its impact with your own legal counsel. If you have questions or require assistance, contact ANA NF’s Senny Boone. The key points in this document were developed in conjunction with the Email Experience Council.

Comprehensive Tax Reform and the charitable deduction
January 12, 2018

With the passage of the Comprehensive Tax Reform bill, we fear less individual contributions to charity. The charitable deduction remains, but not for everyone. Since the standard deduction is doubled for individuals ($12,000) and for married couples ($24,000), it translates to fewer itemizers and as such those who may claim the charitable deduction. According to Congress’ Joint Committee on Taxation, charitable giving may decline by as much as $15 billion per year. The ANA NF and many other organizations sought an amendment for a universal charitable tax deduction — even for itemizers. We are grateful to the organizations who sent letters in support of the amendment. Oklahoma Senator James Lankford’s universal charitable deduction amendment did not make it into the final version of the bill due to its high cost of over $220 billion. It remains to be seen when and if another legislative vehicle will be offered so that a change can be made. For now, charities must track impact on year-over-year giving. The number of individuals who itemize will be impacted by the changes to the SALT deductions at the local level and the mortgage interest deduction cap. The Unrelated Business Income Tax on royalty income for the use of an organization’s name and logo was removed from the final version of the bill. The final version of the bill also preserves historic tax credits. ANA NF continues its work to secure a universal charitable tax deduction.

If you have questions or comments, please contact Senny Boone.

NF’s Crisis Response Toolkit

NF’s Top 10 Nonprofit Good Giving Tips

Accounting for Costs of Activities that Include Fundraising

How to Comply with The American Institute of Certified Public Accountants’ Statement of Position SOP 98-2

ANA NF Nonprofit Accountability Dashboard

This tool provides snapshot transparency of relevant metrics to donors who otherwise look to third party reporting sites. While most of the information on the Nonprofit Dashboard is already available on an organization’s website within annual reports, etc., many donors and other constituents prefer quick views over poring through multi-page online publications. ANA NF nonprofit members are strongly encouraged to take the industry lead in adopting the Nonprofit Dashboard into its annual public reporting.

As part of this initiative, ANA NF evaluated opportunities to include qualitative — as well as quantitative — reporting within the Dashboard to share, in a very public-friendly way, organizational priorities, progress against short- and long- term goals, and obstacles to success. Charting Impact, an initiative led by the BBB Wise Giving Alliance, GuideStar USA, and Independent Sector, does exactly this. Many organizations are already using Charting Impact as part of GuideStar Exchange. ANA NF therefore is coordinating with GuideStar to promote Charting Impact and to explore future opportunities for shared efforts in this area.

Kudos to Dashboard Adopter!

Email Alicia Osgood if your organization is participating:

Instructions to ANA NF nonprofit members

  1. Complete the ANA Nonprofit Dashboard with 3 years of quantified performance across 8 metrics. Numbers reported in the Nonprofit Dashboard should be consistent with audited financial statements and other published service reports, as applicable.
  2. Post the Nonprofit Dashboard on your website.
    • Post the dashboard with your annual report, audited financials, etc. That’s where donors will naturally navigate to find this type of information. This should be no more than two clicks from your home page.
    • Include a link on other pages highly trafficked by donors, e.g., a donors services FAQ page.
    • Use the term “Nonprofit Dashboard” when referring to or linking to this graph. Together we will build name recognition over time.
    • Educate your donor services staff to direct donors to this new resource.
  3. Complete a Charting Impact report via Guidestar. Charting Impact helps your organization tell your story in an accessible, concise way by answering five simple yet powerful questions. ANA NF is encouraging members to use this functionality within Guidestar and link to it from your Dashboard.
  4. Ongoing: Update most recent year numbers annually, when your new annual report and audited financials are made available to constituents.

Thank you for your leadership in adopting the Nonprofit Dashboard reporting tool as part of your organization’s due diligence in providing complete, relevant, and easy to use information to the public. Your feedback is very important. We welcome suggestions to ensure the Nonprofit Dashboard a useful tool for your organization and your supporters.

Questions? Email Alicia Osgood.

  • Sample ANA NF Nonprofit Accountability Dashboard
  • Template for ANA NF Nonprofit Accountability Dashboard

Ethical Guidelines

ANA/DMA Consumer Preference Services

We ask that all members abide by consumer choices for their marketing offers, regardless of the marketing channels used. The ANA/DMA provides several suppression file services for subscribing companies and organizations as they prepare marketing and fundraising campaigns to ensure they are not contacting individuals who have opted out of future mailings or to prevent contacting deceased individuals. This process will save you postage since you will no longer mail to individuals who have opted out from all marketing mail and you may focus resources on other potential donors.

See more information about the ANA/DMA Consumer Choice Suppression Services here: (General outline) (Subscribe)

Ethics & Nonprofit Organizations

The Nonprofit Federation intends and believes that its guidelines for ethical behavior are the most comprehensive in the direct marketing and charitable communities. As an operating division of the ANA, the Nonprofit Federation asks its members to adhere to the same ethical guidelines as other members, as delineated in the Guidelines for Ethical Business Practice and The Donor Bill of Rights, as adopted by the Nonprofit Federation and other major organizations representing the nonprofit sector.

Ethics Committee members and staff monitor the business practices of the membership and others in the nonprofit community. The NF will take appropriate action in cases of potential ethical violations. To report a potential ethics violation, please contact us at or write to us at:

ANA Nonprofit Federation
Attention: Ethics Report
225 Reinekers Lane
Suite 325
Alexandria, VA 22314

The Donor Bill of Rights

Complaints to the Committee on Ethical Business Practice are handled confidentially. If possible, complaints are resolved by modifying the offending documents or procedures, which the Committee reviews before closing the case. If a known violation continues, the Committee will publicize its findings, including the name of the violator and the facts of the case. Where a law may have been violated, it forwards the case to the appropriate law enforcement agency, and publicizes the referral.

Policy Alerts & Information

POSTAL CENTER: Like us on Facebook (ANA Nonprofit Federation), follow us on Twitter (@ANANonprofit) and read our bi-weekly News Update (Thursdays) to stay continuously informed.

CHARITABLE DEDUCTION: We continue to monitor all tax reform proposals and will keep you apprised as developments occur.

Questions or comments? Contact Xenia “Senny” Boone, Esquire.

Charity Watchdogs

Executive summaries of NF-commissioned studies take the bite out of Watchdogs.

DMANF Grassroots Network

Make a difference!

Contact your Congressman or Senator about the issues that affect you and your organization. And make sure your voice is heard by enrolling in the ANA Grassroots Network!

ANA Member Privacy Shield Program

Learn more and how to enroll here.

More resources & tools

Members-only content

Lost your password? Please enter your username or email address. You will receive a link to create a new password via email.

Not a member? Register