When the European General Data Protection Regulation went into effect this past May, I’d hazard a guess that a majority of the medium-to-largest charitable organizations in the UK and Europe were on the motorway to compliance if not already there.
Here in the United States, not so much. The folks at most of the very large nonprofits that I spoke with were somewhere on the compliance road, but the medium-to-small nonprofits were either unaware of the regulation, uncomfortable about their compliance, or uneasily going with the plan that GDPR didn’t apply to them.
There’s a new law in town
Any feelings of privacy-law-compliance comfort that database administrators may have had are about to change. A new privacy law was passed in California this summer that will ripple across the country in 2020. It will affect companies and nonprofits nationally – and internationally.
The California Consumer Privacy Act of 2018
On June 28, the California legislature passed the California Consumer Privacy Act of 2018 (CaCPA). The law passed at bullet-train speed in order to avoid a consumer privacy-inspired ballot measure that would have been even more restrictive to businesses that collect, use, or sell peoples’ private information.
Since legislation from a ballot measure would have been harder to amend, business advocates/lobbyists and legislators worked together swiftly to write and pass what became the CaCPA.
The law covers businesses that collect or sell California residents’ personal information. Companies that are required to comply with the law will meet or exceed at least one of these three categories:
- They have annual gross revenues of $25 million;
- They obtain personal information from 50,000 or more California residents, households, or devices annually; or
- 50% or more of their annual revenue is derived from selling California residents’ personal information.
If your organization is not in California (or you don’t have constituents there), do you have to care?
Well, as goes California, so (usually) goes the rest of the country where protective legislation is concerned. Privacy experts are making noises that this is the tip of a coming global data privacy wave, so it’s possible that new legislation may be coming to your state (or even to all of the States in a federally enacted law) soon-ish.
Wait, you said businesses. Does that mean that nonprofits are exempt?
Well, maybe so, maybe no. Legal eagles are writing opinion articles right and left, and some say no, but more than a few others say yes. Based on the nature of the private information that the legislation covers, even if the language is currently tightly written using the term “businesses,” it’s likely only a matter of time before nonprofits are held to the same standard.
So what are the basics?
Beginning January 1, 2020, CaCPA will allow customers/consumers/constituents in California the right to request:
- the categories and specific pieces of information that a business collects about that person;
- the categories of sources from which the information was collected;
- the business purposes for collecting or selling that information; and
- the categories of third parties with which that information is shared.
Consumers would also have the “right to be forgotten” – meaning that they would have the right to request the deletion of their personal information from an organization’s database.
Organizations would be required to make disclosures about the information and the purposes for which it is being used.
If personal information is being shared or sold on to third parties, individuals would also have the right to learn what categories of information are being sold/shared (as opposed to the specific information being sold/shared) and what categories of companies are buying/using it. Unlike GDPR, which requires consumers to opt in, here in the United States consumers would have to opt out of having their information collected/shared.
Like GDPR, there are fines for noncompliance
But unlike GDPR, they’re not eye-wateringly punitive – $7,500 per violation. For the average $25 million business, absorbing a fine at that level is a light slap on the wrist compared to a GDPR violation of up to €20 million or 4% of an organization’s net revenue. For the average nonprofit, that could still be an uncomfortable reckoning, though, and an embarrassing conversation for an executive director to have with the board or a donor.
Here’s where you can get more information:
- The law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
- Cyber/Data/Privacy Insights blog from law firm Cooley LLP: https://cdp.cooley.com/2018/08/02/california-consumer-privacy-act-faqs-1/
- Interesting background article: https://www.wsj.com/articles/the-real-estate-developer-who-took-on-the-tech-giants-1530308857#comments_sector
- Informative blog post from the privacy law blog at law firm Proskauer Rose LLP: https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018/
I am not a lawyer, and the above should not be construed as legal advice. It is for general information purposes only. If you have questions about whether your nonprofit or business is required to be in compliance with this (or any) law, please contact your organization’s legal counsel.