by Donata Stroink-Skillrud, Esq., CIPP, co-founder of Termageddon
Which privacy laws apply to nonprofit organizations?
When discussing compliance, you first want to have a good understanding of what laws apply to you before you start implementing solutions. Privacy laws are a bit different from what you are probably used to in the sense that privacy laws were created to protect the consumers of certain states and countries, not the businesses. This means that the laws of a particular state or country may apply to your organization even if you are not based there. The following privacy laws can apply to non-profits:
- The General Data Protection Regulation (GDPR) is the European Union law that protects the privacy rights of residents of the European Union. GDPR does not have an exemption for nonprofits and is a highly enforced privacy law, with dozens of decisions and fines being levied. GDPR applies to you if you:
- Are located in the European Union;
- Offer goods or services to European Union residents, regardless of your location;
- Monitor the behavior of European Union residents, regardless of your location; or
- Process and hold the personal data of European Union residents, regardless of your location.
- California Online Privacy Protection Act of 2003 (CalOPPA) applies to any commercial website that collects the PII of California consumers. The “commercial” part may not be an easy “applies to for-profit businesses only” and the law may apply to nonprofits whose websites:
- Promote business activities unrelated to the nonprofit;
- Include paid advertising; or
- Solicit new members who may receive a commercial benefit not related to your nonprofit’s exempt purpose in return for their dues.
- Nevada Revised Statutes Chapter 603A protects the personal information of Nevada consumers and applies to both for-profit and nonprofit organizations. Even though this law applies to websites operated for business purposes, Nevada’s law does not state that nonprofits are exempt from this law. The Nevada privacy law and its amendment applies to “operators” which are defined as any person who:
- Owns and operates a website or online service for business purposes;
- Collects and maintains the personal information of consumers who reside in Nevada and use or visit the Internet website or online service; and
- Purposefully directs its activities towards Nevada, consummates a transaction with the state of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution.
If you have questions about privacy policies for your website, please feel free to contact us: