From Apra Carolinas Blog Post Editor Ashley Smith -- some thoughts on the new privacy laws that will be changing the way we do our work:

Data privacy laws are having their moment as more people realize that numerous organizations are collecting their personal information without clearly disclosing what they do with it, who has access to it, and how it’s protected from unauthorized use (I’m looking at you, Facebook and Cambridge Analytica). Several countries have passed laws limiting the kinds of personal information that organizations may collect while giving their citizens greater control over their data. Some data privacy laws, like the one in Europe, have significantly changed how nonprofits do prospect research. US privacy laws, however, haven’t had much of an impact on prospect research in the states, but that is a temporary reprieve. With growing concerns over organizations’ data collection practices, lawmakers will eventually pass a privacy law, either at the state or federal level, that will force us to change some of our business practices. Now is the time to prepare.             

In 2016 the European Union adopted the General Data Protection Regulation (GDPR), a law that requires organizations to be more transparent on how they’re using the personal data of EU and UK citizens. The law restricts the kinds of personal data organizations may collect and applies to nonprofit institutions in addition to for-profit companies. Charities, educational organizations, and other nonprofits may only use personal data for lawful, specific purposes, like carrying out their institution’s mission or advancing public policy. Any other uses outside of these purposes are prohibited. The GDPR affects not only companies and institutions in the UK and EU, but also organizations outside those countries that handle the personal data of British and European citizens (aka, data subjects).

Not surprisingly, the GDPR has impacted how nonprofits collect and use personal data to fundraise. The EU treats privacy as a fundamental human right, and the GDPR gives its citizens greater control of their personal data. While the law does not explicitly ban prospect research or certain tools of our trade, like wealth screenings, it does require organizations to disclose how they use their constituents’ personal information and to give their constituents the right to choose how their data may be used. Under the GDPR, nonprofits can no longer conduct prospect research without the knowledge of their prospects, and they must now get permission from their European data subjects to do wealth screenings.

As of November 2019, there is not a centralized law that protects the personal data of US citizens. Federal data privacy laws so far have been sector specific with Congress passing legislation that restricts how banks, health care organizations, and schools, etc. collect and disseminate US citizens’ personal information. To fill this void, states like California, Nevada, and Maine have passed their own privacy laws. When it becomes effective on January 1, 2020, the California Consumer Privacy Act (CCPA) will be the strongest data privacy law enacted in the US, and like the GDPR, it will compel organizations that collect California residents’ personal data to disclose that practice while giving them the choice on how organizations may use their data. Unlike the GDPR, the CCPA applies only to for-profit organizations that hold the personal data of more than 50,000 California consumers and have over $25 million in revenue. While it’s unclear how the CCPA will impact nonprofit development – and prospect development in particular – third-party vendors, like edtech companies or CMS providers, that collect and process the data of California residents will have to comply with the new law.

There is strong bipartisan support for a federal law giving US citizens greater control over their personal data, but it’s uncertain when Congress will pass a comprehensive data privacy law and whether such a law will have the same level of privacy protections as the GDPR. Until then, people who work with personal data will have to be mindful of the patchwork of federal regulations and privacy laws enacted by state legislatures. As prospect development professionals, we already know that we have a responsibility to protect our donors’ private information, but that responsibility will continue to evolve as more state privacy laws are passed and our organizations adopt policies to be in compliance with those laws.