“Almost GDPR” California’s Privacy Laws and What It Means for Nonprofits

What is this law?

The California Consumer Protection Act (CCPA) will go into effect on January 1st, 2020 and enforcement begins July 1, 2020. Many are calling it “almost GDPR,” after the European Union’s recent General Data Protection Regulation, which made the EU’s privacy laws stricter and went into effect in 2018.

The law gives Americans the right to find out what data is being held by companies and to delete it on demand.

What are the key findings about the law?

  • Similar to GDPR, personal data is any identifiable information such as name, address, phone number, etc.
  • The law applies if your organization is based in California and/or if there are California residents in your database, regardless of where you are located.
  • The new law will provide people with five new rights regarding their personal information. Pillsbury Law provides a nice roundup:
    • The right to know what categories of personal information are collected, where it is collected, and whether the collection is sold or disclosed.
    • The right to request a copy of the personal information collected in the 12 months before the request.
    • The right to have the information deleted (though with some exceptions).
    • The right that personal data not be sold to third parties.
    • The right not to be discriminated against because the person has exercised their rights.
  • Pillsbury Law points out that the new law applies to any California resident “and eliminates the restriction of transacting for personal, family or household purposes. It also expands the definition of “personal information” to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
  • Privacy policies need to be updated to include the following:
    • Description of the new rights for California residents
    • Description of how to submit a request for personal information or a deletion request, and an opt-out page
    • “A list of all the categories of personal information that have been collected in the past 12 months”
    • Sources of the categories of information collected
    • The purpose of each category being collected
    • “A list of all categories of personal information” sold in the past 12 months
  • However, the law apparently does not apply to everyone. Fortune writes: “Like GDPR, it will take some time to figure out how the new rules will be enforced but that doesn’t mean organizations can be complacent about compliance.” Whether nonprofits fall in those categories is an open question.
  • There is concern that the CCPA does not have strong enough penalties for violators. Penalties can be up to $7,500. There’s also a “cure provision” that allows companies time to make amends, which may defang people’s ability to file class action lawsuits.

What can I do as a result?

How do I prepare myself and my organization?

  • Check your database. Do you have any constituents with a California address? You might need to update your privacy statement and create a procedure to handle constituents’ requests for their data. You’ve been meaning to review your privacy statement anyway, right?
  • Ask an expert! Your organization probably employs an attorney, in-house or out-sourced. Ask your attorney about your organization’s legal obligations and for advice on achieving compliance. They might even have information published for you to read.
  • Consider donors’ expectations. Like GDPR, it will take some time to figure out how the new rules will be enforced, but that doesn’t mean organizations can be complacent about compliance. Donors may expect companies to be in compliance, so you want to balance those needs and expectations with your organization’s needs.
  • Do you raise money from technology and data companies? The new tech law may impact tech and data companies’ perception of their earnings and may have an impact on their philanthropy and sponsorships.
  • Recognize that this could be a trend you probably don’t want to ignore. There have been rumors that the California law might lead to the creation of a federal law that would cover all Americans, but that remains to be seen.

Note: Aspire Research Group LLC and its researchers are not attorneys, so please do not take this information as legal advice. Compliance with privacy laws is important and often complex. If you have legal questions, you are strongly urged to consult an attorney.
