Data Privacy Changes 1/1/20: Are You Ready?
As direct marketers working to maximize donors and contributions to your organization, you collect and store a treasure trove of personal information. Donors trust you with their information, but until now, no laws have existed in the United States to protect their personal information. That is all about to change when the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020.
On 10/2, Britt Vatne, President of Data Management at ALC, and Shannon McCracken, CEO of the Nonprofit Alliance, gave a webinar presentation on the implications of the CCPA for nonprofits. If it hasn’t been discussed at your nonprofit yet, or if you’ve only had minimal conversation but done nothing about it, you’re not alone. In an informal poll of webinar participants, 76% of the audience hadn’t either.
In the webinar, hosted by the DMFA, Vatne and McCracken explained that CCPA doesn’t ban the collection of consumer data, but mandates that consumers be made aware up-front that their personal information is being collected and why. Unlike the EU’s GDPR, CCPA applies to both digital and direct mail communication and mandates that the consumer be given a choice to opt out of having their personal information shared or sold. GDPR, by contrast, applies only to digital, and consumers must opt in to receiving future communications and having their personal information shared.
The CCPA exempts most nonprofits unless they share common branding with a covered business or are controlled by a covered business. Although it doesn’t sound like CCPA applies to nonprofits, donors are our consumers, and laws like CCPA will only proliferate: other states, like Vermont and Illinois, are considering their own privacy protection and data security laws. The federal government could step in, but that seems unlikely by the January 1 deadline.
One thing you should absolutely know is that CCPA requires companies purchasing data from third parties or participating in co-ops to ensure that all data partners comply with CCPA. Vatne and McCracken urged NPOs to proactively develop best practices around this provision, for example: only contract with agencies that comply, have a clear disclosure (easily found on your website) and an opt-out button for data sharing, and conduct internal audits to know where you’re collecting data from and how you’re selling or sharing it. Think about what your donors’ experience should be on the front lines of your fundraising; donors will likely not be aware of the nonprofit exemption. Review privacy policies, fortify data security and update legal language.
Don’t be fooled into thinking there’s nothing to be done. If you already comply with GDPR by using ROI’s Forget Me function for EU donors who exercise their right to be forgotten and related account flags, you’ve only done some of the heavy lifting required to abide by CCPA. By implementing best practices and keeping people’s trust, you’ll be set up to succeed.