It’s important to be aware of data protection legislation across the globe so that non-profits are familiar with requirements. If nothing else, these requirements tend to become the norm and therefore shape the expectations of your donors and supporters.
The CCPA applies to “businesses.” The Act defines that term to include any legal entity (e.g., corporations, associations, partnerships, etc.) that is “organized or operated for the profit or financial benefit of its shareholders or other owners.” This accords with the fact that non-profits are exempt from many of the data privacy and security regulations within the United States – in particular, they are largely exempt from enforcement by the Federal Trade Commission and, therefore, from compliance with the FTC’s rules, regulations, and guidance, except to the extent that such rules, regulations, or guidance are incorporated in state laws that do apply to the non-profit.
In comparison, the European GDPR does not contain any exemptions for non-profit organizations.
So, unless your non-profit has a commercial branch or deals in selling data lists, CCPA does not apply. GDPR, however, does – if you are dealing with citizens of the European Union.
The California Consumer Privacy Act requires businesses and charities to make disclosures in their public-facing privacy policies and to update those disclosures annually, starting January 1, 2020.
The California Consumer Privacy Act will effectively be the US national data privacy standard for consumer businesses and brands when it takes effect on January 1, 2020. (Although enforcement by the California attorney general has been delayed until June 2020, individual and class-action lawsuits may begin immediately.)
As of this writing, that’s precisely 12 weeks, or no more than 55 working days, allowing for the holidays. Given how many companies were radically unprepared for the GDPR given two years for preparation, this implies that lots of companies need to do lots of work lots of fast.
There are three interrelated and inescapable reasons why CCPA-compliant data practices will quickly become the standard across the US, even for companies that don’t do business in California. Here, Tim Walters, Ph.D. explains more.
The California Consumer Privacy Act could have more repercussions on U.S. companies than the European Union’s General Data Protection Regulation (GDPR) that went into effect in 2018. The California law doesn’t have some of GDPR’s most onerous requirements, such as the narrow 72-hour window in which a company must report a breach. In other respects, however, it goes even farther.
The California Consumer Privacy Act (CCPA) takes a broader view than the GDPR of what constitutes private data. The challenge for security, then, is to locate and secure that private data.
CSO, which serves enterprise security decision-makers and users with the critical information they need to stay ahead of evolving threats and defend against criminal cyberattacks, shares an excellent guide on what CCPA means to you.
On January 1, 2020, a landmark new data law comes into effect, subjecting U.S. businesses to a sea change of privacy regulations. After that date, Americans will be able to demand that charities disclose what personal data they have collected about them, and also ask them to delete that data. The California Consumer Privacy Act (CCPA) will severely impact tech giants like Google and Facebook, as well as retailers like Macy’s and Walmart.
This heralds the end of an era in which the U.S. defied a shift in global privacy norms, and allowed American companies to commodify consumer data.
There remains, however, considerable confusion over how the law will be enforced, and how much of a burden it will be to U.S. companies. What follows is Forbes’ plain English explanation of the law, the politics surrounding it, and how it will affect businesses and consumers.
Fundraising charities rely on information about their supporters to survive; such as names and addresses, financial information and other private data. Information such as this will always be integral to the fundraising process, and the storage and safety of this information will be too.
GDPR’s rules around proving consent necessitate new processes at the back and front ends of data collection – and it’s going to be hard work. The fundraising sector has a lot of fundamental changes to make in a short amount of time.
Jenny Daw, editor of The Fundraiser, wonders whether, with so much to learn and do, there may well be a need for organisations to take on new talent and skills to push these changes through.
At the end of 2016, when the ICO fined several charities for breaching the Data Protection Act 1998, Ian MacQuillin wrote a fascinating philosophical piece on how charities are perceived by different types of people.
Even though this feels like a long time ago, it’s still as relevant today as it was back then. Whenever you feel that GDPR and data protection are not your friend, have a read of this.
The Guidance prepared by the Data Protection Network is a practical tool aimed at helping commercial and not-for-profit organisations to assess whether or not they can rely on Legitimate Interests as a lawful basis for processing personal data under the GDPR.
The Guidance covers:
- Understanding what Legitimate Interests are
- Identifying areas of processing where Legitimate Interests may apply
- The Legitimate Interests Assessment (LIA) – the 3-stage test
- Transparency and the consumer
Adrian Beney is back with an update on CASE’s work on providing guidance for charities on adopting GDPR best practice.
This document lays out in detail and with great clarity the circumstances under which these activities, regarded in recent years by some at the Information Commissioner’s Office as very controversial, can be carried out lawfully.
Follow the link below for full details.
Prospect research and wealth screening do not sit easily with GDPR:
- Can individuals reasonably expect to be researched for wealth?
- Would they expect charities to find public information about them and use it?
- How about if the charity uses a third-party supplier?
Nicola Williams, MA in Philanthropic Studies, has written several helpful guides at Factary to help you answer those questions for your own charity.
Although there is still no confirmed date for when the new e-privacy regulation will be released, here is some excellent guidance on how the Privacy and Electronic Communications Regulations (PECR) combine with GDPR to give more power to consumers.
Adrian Beney has a wonderful grasp of GDPR, particularly the pros and cons of charities relying on consent versus legitimate interests.
This guide of his provides the perfect introduction to GDPR and how it impacts communication, prospect research and fundraising. A reassuring read for those both old and new to the profession.