Consumer privacy is getting the attention of state and federal legislators. For example, the California Consumer Privacy Act (CCPA) was passed very quickly in mid-2018, without any serious vetting with impacted stakeholders, and will become effective in January 2020.
CCPA introduces new privacy requirements, and while nonprofit organizations do not literally fall under the jurisdiction of the CCPA, they are nevertheless an unintended casualty. A CCPA nonprofit exemption does not include an exemption of a nonprofit’s sources of third-party data, including acquisition lists, data coops, and data modeling to better reach those people most likely to be interested in a particular cause or offer.
Among the more onerous provisions of the CCPA are burdensome reporting requirements, resulting from an overly broad definition of “personal information.”
Companies that collect and provide data face new technical resource demands, which one major data company estimated will come at a cost of “millions of dollars” — a price tag that will be passed onto their clients, including nonprofits. Unfortunately, this expense to comply with the law as written is not, in all cases, providing actual value to consumers.
A more tightly-written definition of personally-identifiable, sensitive information could ease the unnecessary expense to nonprofits without any meaningful difference to data transparency and access to individual consumers. However, privacy advocates argue that the recommended clarifications weaken the law and leave consumers vulnerable to hidden use of their information for corporate profit.
Data companies generally agree that the greater threat is liability to private rights of action rather than a single expert compliance agency. The California Attorney General’s Office, which under other circumstances would have compliance responsibility, claimed to have inadequate staff resources to oversee a new law of this magnitude. The lawmakers’ default to private right of action leaves responsible data companies vulnerable to a potential class action lawsuit, including potentially frivolous fishing attempts by plaintiffs’ attorneys.
These could cause significant cost and reputational damage even when the claims are eventually found to be unmerited. That risk is causing some data companies, including those that currently partner with nonprofits, to re-evaluate the future use of California data.
California represents about 12 percent of the United States’ population and nearly 20 percent of philanthropic giving. Diminished access to California consumer data could seriously hobble national nonprofits, with even greater impact to regionally-based outreach programs that focus on programs and beneficiaries in California.
A number of bills to “fix” CCPA were put forth by both industry and consumer advocates throughout the 2019 state legislative session. Those that made it out of the California State Assembly in May were funneled to the California State Senate’s Judiciary Committee and heard on July 9, the final day before the monthlong recess.
Meanwhile, a number of other states have been considering data privacy and ethics bills. There is clear indication that they are waiting to see the final language in California’s law to capitalize on the final outcomes of the heated industry versus consumer political negotiations.
Texas, for example, initially considered a bill, HB 4390, that included similar privacy parameters, but opted to only implement in 2019 the portion related to data breaches. The new law, which takes effect on Sept. 1, creates a Texas Privacy Protection Council that will study and make recommendations for data privacy legislation no later than December 2020.
The Shared State Legislation Committee of the Council of State Governments met on July 19 to examine bills that have become law in one state to identify those that the committee will recommend to other states for consideration. Among those on the docket include the 2018 Vermont law that requires data broker registration and the CCPA.
As with other data-driven industries, nonprofits are looking to Washington, D.C., for federal legislation that would pre-empt state laws and call for a balanced national privacy standard. Industry groups are also pointing to the need for a single agency, such as the Federal Trade Commission (FTC), to oversee and enforce compliance.
The battleground at the moment is in the U.S. Senate, where the principal committee of jurisdiction, the Senate Commerce Committee, is working on a national privacy bill. The key players in the Senate Commerce Committee are the so-called “Gang of Six,” a bipartisan group of six Commerce Committee senators who meet weekly to try to hammer out a compromise on a national privacy bill.
At a February Senate Commerce Committee hearing on privacy, Sen. John Thune (RS. D.), one of the Gang of Six, stated directly: “Our goal is a robust, transparent, bipartisan national privacy bill.” Getting to that goal will be no easy task. A number of senators are reluctant to support legislation that would preempt the states. The other five members of the working group are Richard Blumenthal (D-Conn.), Maria Cantwell (D-Wash.), Jerry Moran (R-Kan.), Brian Schatz (D-Hawaii), and Roger Wicker (R-Miss.).
As the debate and political negotiation continues, so too does the ticking clock, getting ever closer to January 1, when CCPA is slated to take effect.
Shannon McCracken is executive director of The Nonprofit Alliance, a membership association that formed in 2018 to promote, protect, and strengthen the philanthropic sector in the best interests of donors and beneficiaries. For more information, visit the website, https://tnpa.org.
