Legal and ComplianceNonprofit News

Data Privacy and Protection Laws: Wading into the Alphabet Soup

By December 13, 2019 No Comments

By Corinne Gartner and Kaitlyn Saberin

If you follow the news at all, you’ll be aware that data privacy and protection are hot topics. The daily headlines might catch your eye on a personal level, and have you wondering how the businesses that you interact with as a consumer are handling your personal information. Should data privacy and protection issues also concern you in your capacity as an executive or volunteer leader of a nonprofit organization operating in California, though? Not surprisingly, the answer is yes.

While California’s newest and most high profile privacy law, the California Consumer Privacy Act (CCPA) – which became effective on January 1, 2020 – generally only applies to for-profit entities1, there are a host of other laws and regulations that don’t exclude nonprofits from their scope, and that could potentially apply to your organization. For example:

  • Europe’s General Data Protection Regulation (GDPR): There is a misconception in the US that the GDPR, which became effective on May 25, 2018, only applies to companies located in the European Union (EU). In fact, this far-reaching regulation potentially applies to any organization (including US-based nonprofit organizations) that offers goods and/or provides services to EU-based individuals, or that monitors the behavior of EU-based individuals (including through the use of some types of “cookies,” web analytics, and tracking technologies). Merely having a website that is accessible by users within the EU does not necessarily subject a US-based organization to GDPR compliance obligations, but if, through its website, the US-based organization intends to draw in customers from the EU, the GDPR might be triggered.
  • Children’s Online Privacy Protection Act (COPPA): This US law applies to operators of commercial websites and other online services, including mobile apps, that collect personal information from their users if the website/service is directed at children under 13, or if the operator has actual knowledge that they are collecting personal information from children under 13. A website, app, or service operator that is subject to COPPA must, among other things, post a privacy policy that describes its practices for collecting, using, and disclosing personal information (as defined in the COPPA Rule) from children. Although nonprofits are generally considered to not be subject to COPPA (unless they are providing commercial services) it is recommended that, as a best practice, nonprofit organizations provide the privacy policy notices and COPPA protections to child visitors of their websites because of the potential liability that could result from handling/mishandling minors’ data.
  • California Online Privacy Protection Act (CalOPPA): This California law requires operators of online services and mobile applications that collect personally identifiable information of California residents online to conspicuously post a privacy policy on their website/online service and to follow the policy. The privacy policy must include certain disclosures and consumer rights set forth under California law.
  • Privacy Rights for California Minors in the Digital World: This California law, which applies to operators of internet web sites, online services, online applications, or mobile applications directed to minors (i.e., California residents under 18), gives minors the right to request that the information they posted on the website/service/app as a minor be taken down, and also provides some restrictions on advertising/marketing to these minors.
  • Health Information Privacy Laws: The federal Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations (collectively, HIPAA) provide protections for health information held by “covered entities” and “business associates” (as such terms are defined under HIPAA), and give patients an array of rights with respect to that information. At the state level, the California Confidentiality of Medical Information Act adds to the federal protections provided by HIPAA and imposes additional obligations on certain health care providers and other persons/entities that interact with patient medical information.

With an upward trend in state-specific laws governing data privacy and protection, and with state and federal enforcement action in this area on the rise, all California nonprofits are encouraged to wade into the “alphabet soup” of data privacy and protection laws and regulations, so they know which ones apply, and how to comply.

1 Nonprofits may be subject to certain obligations under the CCPA if they have for-profit affiliates who are covered by the CCPA.


The authors, attorneys at Delfino Madden O’Malley Coyle & Koewler (located at 500 Capitol Mall, Suite 1550, Sacramento), practice in the firm’s nonprofit and tax-exempt organization practice group, and serve as both general and special counsel to a wide variety of nonprofit and tax-exempt organizations on issues ranging from entity formation and obtaining tax-exempt status, to corporate governance and operations/compliance matters (including privacy issues), to restructuring, mergers, and other complex business transactions. They will give a presentation on data privacy and protection issues for nonprofits at the 2020 What IF Conference.