In 2018, the European Union (EU) began enforcing the General Data Protection Regulation (GDPR), which gives individuals control over their personal data and sets out data privacy and security obligations for the organizations that handle it.
(Of course, it’s a little more complicated than that. For more information about the GDPR and how the regulation affects nonprofits and associations, check out our blog post: A Guide to GDPR for Associations, Nonprofits, and Other 501(c) Organizations.)
Though the GDPR originated in the EU, high-profile data breaches have become increasingly common and have inspired regulation in the United States as well. According to the National Conference of State Legislatures (NCSL), all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted legislation that requires private entities or government agencies to notify individuals affected by security breaches that may compromise their personally identifiable information (PII).
These state data breach laws define the following:
- Who must comply with the law?
- What constitutes personal information?
- What constitutes a breach?
- When and how does a business have to notify affected individuals of a breach?
- What exemptions exist?
Most recently, California and New York have expanded their data privacy protections by enacting the California Consumer Privacy Act (CCPA) and New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) passed in 2018 and takes effect on January 1, 2020. It is the strongest privacy legislation enacted in any state to date and marks the beginning of stricter U.S. consumer privacy protections. The CCPA applies to for-profit companies that do business in California and meet any one of the following three criteria:
- Annual gross revenue of more than $25 million
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year
- Derives at least half of its annual revenue from selling the personal information of California residents
Are nonprofits and associations required to comply?
Primarily no. Sometimes yes.
According to Pillsbury Law, nonprofits and associations are exempt unless they fall within the statute's "control and common branding" clause, that is, when both of the following are true:
- The nonprofit controls, or is controlled by, a for-profit business covered under the CCPA
- The nonprofit shares common branding with that business. The statute defines "common branding" simply as a "shared name, service mark, or trademark"
Though most nonprofits won't be covered by the CCPA directly, they still need to comply with California's other privacy and data breach laws.
Stop Hacks and Improve Electronic Data Security (SHIELD) Act
New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act amends the state’s current data breach notification law to better protect New York residents from data breaches of their private information.
The act's breach notification changes take effect on October 23, 2019. Its data security requirements take effect on March 21, 2020, 240 days after the act was signed, giving organizations time to put data protections in place. From that date, any person or business that holds private information of New York residents, regardless of whether it does business in New York, must comply.
In a statement released by the New York State Attorney General Letitia James, the Office of the Attorney General describes the main points of the act, which include:
- Expanding the definition of “private information” to include biometric information, email addresses, and corresponding passwords or security questions and answers
- Broadening the definition of a “data breach”—which currently applies only to instances where private information is acquired—to include all instances where private information is accessed
- Requiring any person or entity with private information of a New York resident to send notifications when data breaches occur
- Updating the notification procedures companies and state entities must follow when there has been a breach of private information
- Creating reasonable data security and cybersecurity requirements tailored to the size of each business
Are nonprofits and associations required to comply?
Yes, nonprofits and associations are required to comply. However, the data security requirements are scaled down for a "small business," which the act defines as any person or business meeting any one of the following conditions:
- fewer than 50 employees
- less than $3 million in gross annual revenue in each of the last three fiscal years
- less than $5 million in year-end total assets
According to Pillsbury Law, a small business will be deemed compliant with the SHIELD Act's data security requirements if it has adopted "reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers."
So why is this important for the nonprofit community?
Even where the GDPR, CCPA, and SHIELD Act don't apply to a nonprofit, they are models of best practices for data governance and security. Even if your association isn't required to comply, it's a good idea to review these privacy and data protection laws and decide what steps will work for you to help secure your members' data.
Even if it’s not required, it’s the right thing to do. If you value your members and their right to data privacy, you should be transparent about how you use the data you collect and focus on data privacy as you build or buy systems to manage data.
Interested in improving your data privacy practices?
If your association is required to comply with any of these regulations, you should seek the opinion of counsel. We're not lawyers (nor do we play them on TV). However, DelCor can help you get started by reviewing your data policies and identifying areas that may require attention.