Data Privacy and Protection Laws: Wading into the Alphabet Soup

By Corinne Gartner and Kaitlyn Saberin

If you follow the news at all, you’ll be aware that data privacy and protection are hot topics. The daily headlines might catch your eye on a personal level, and have you wondering how the businesses that you interact with as a consumer are handling your personal information. Should data privacy and protection issues also concern you in your capacity as an executive or volunteer leader of a nonprofit organization operating in California, though? Not surprisingly, the answer is yes.

While California’s newest and most high profile privacy law, the California Consumer Privacy Act (CCPA) – which became effective on January 1, 2020 – generally only applies to for-profit entities1, there are a host of other laws and regulations that don’t exclude nonprofits from their scope, and that could potentially apply to your organization. For example:

  • Europe’s General Data Protection Regulation (GDPR): There is a misconception in the US that the GDPR, which became effective on May 25, 2018, only applies to companies located in the European Union (EU). In fact, this far-reaching regulation potentially applies to any organization (including US-based nonprofit organizations) that offers goods and/or provides services to EU-based individuals, or that monitors the behavior of EU-based individuals (including through the use of some types of “cookies,” web analytics, and tracking technologies). Merely having a website that is accessible by users within the EU does not necessarily subject a US-based organization to GDPR compliance obligations, but if, through its website, the US-based organization intends to draw in customers from the EU, the GDPR might be triggered.
  • Children’s Online Privacy Protection Act (COPPA): This US law applies to operators of commercial websites and other online services, including mobile apps, that collect personal information from their users if the website/service is directed at children under 13, or if the operator has actual knowledge that they are collecting personal information from children under 13. A website, app, or service operator that is subject to COPPA must, among other things, post a privacy policy that describes its practices for collecting, using, and disclosing personal information (as defined in the COPPA Rule) from children. Although nonprofits are generally considered to not be subject to COPPA (unless they are providing commercial services) it is recommended that, as a best practice, nonprofit organizations provide the privacy policy notices and COPPA protections to child visitors of their websites because of the potential liability that could result from handling/mishandling minors’ data.
  • California Online Privacy Protection Act (CalOPPA): This California law requires operators of online services and mobile applications that collect personally identifiable information of California residents online to conspicuously post a privacy policy on their website/online service and to follow the policy. The privacy policy must include certain disclosures and consumer rights set forth under California law.
  • Privacy Rights for California Minors in the Digital World: This California law, which applies to operators of internet web sites, online services, online applications, or mobile applications directed to minors (i.e., California residents under 18), gives minors the right to request that the information they posted on the website/service/app as a minor be taken down, and also provides some restrictions on advertising/marketing to these minors.
  • Health Information Privacy Laws: The federal Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations (collectively, HIPAA) provide protections for health information held by “covered entities” and “business associates” (as such terms are defined under HIPAA), and give patients an array of rights with respect to that information. At the state level, the California Confidentiality of Medical Information Act adds to the federal protections provided by HIPAA and imposes additional obligations on certain health care providers and other persons/entities that interact with patient medical information.

With an upward trend in state-specific laws governing data privacy and protection, and with state and federal enforcement action in this area on the rise, all California nonprofits are encouraged to wade into the “alphabet soup” of data privacy and protection laws and regulations, so they know which ones apply, and how to comply.

1 Nonprofits may be subject to certain obligations under the CCPA if they have for-profit affiliates who are covered by the CCPA.


The authors, attorneys at Delfino Madden O’Malley Coyle & Koewler (located at 500 Capitol Mall, Suite 1550, Sacramento), practice in the firm’s nonprofit and tax-exempt organization practice group, and serve as both general and special counsel to a wide variety of nonprofit and tax-exempt organizations on issues ranging from entity formation and obtaining tax-exempt status, to corporate governance and operations/compliance matters (including privacy issues), to restructuring, mergers, and other complex business transactions. They will give a presentation on data privacy and protection issues for nonprofits at the 2020 What IF Conference.


Sublime Digital Marketing Group

About Ken

Ken Henderson is a seasoned entrepreneur and digital marketing professional, presently serving as the CEO of Sublime Digital Marketing Group, a respected marketing agency located in Rancho Cordova, California.


Boasting over two decades of industry experience, Ken has cultivated expertise in numerous facets of digital marketing, such as website design, Search Engine Optimization (SEO), copywriting, communication, CRM systems, and advertising on platforms like Facebook and Google. As a certified Google Partner and Zoho Partner, Ken’s knowledge is both extensive and cutting-edge.


Alongside his marketing abilities, Ken has delved into automation and artificial intelligence applications, integrating them into his collaborations with businesses and non-profits. His work with a wide array of clients, including non-profits, law firms, property managers, political campaigns, private schools, and small to medium businesses, has aided them in achieving their marketing goals.


Beyond his business accomplishments, Ken is an active community leader. He sits on the board of the Rancho Cordova Chamber of Commerce, contributing to the shaping of the region’s economic outlook, and is also a special advisor to MLK365, a group dedicated to making positive impact in communities. Moreover, he is a graduate of the prestigious Rancho Cordova Leadership Program and also a Certified GENEIUS, attesting to his remarkable leadership qualities.


Ken’s speaking engagements provide valuable insights into digital marketing, automation, and artificial intelligence and creative finance for businesses. His goal is to encourage others to embrace innovative marketing strategies and utilize technology for business growth.


Social Venture Partners

About Brad

Brad brings over 20 years of executive leadership in both the for-profit and non-profit sector. As a technology entrepreneur, he has helped to launch several enterprise software startups, one of which he led as Co-Founder and Vice President from 2002 through to its exit in 2016. He brings a people-centered style of leadership that leads to healthy organizational culture. He enjoys developing systems, strategy, and structure that set the foundation for organizations to scale and grow. Brad is considered a purpose-driven person and always seeks to “start with why” in everything he gets involved with. 
Beyond the enterprise technology roles he’s held, Brad was also instrumental in launching several community-based social entrepreneurship endeavors. He is the founder of the Orangevale-Fair Oaks Food Bank, Orangevale Food Bank Farm, HART of Orangevale and Fair Oaks, and the Big Day of Service. He also served as President of the Orangevale Chamber of Commerce from 2018-2022 where his impact led to a re-energized business and nonprofit membership community. Under his leadership, the Chamber secured $10M funding from SACOG for Greenback Lane streetscape improvements, 3x membership growth, 5x budget growth, formation of the Orangevale Community Council, and a more vibrant culture throughout the community. Brad currently serves on the boards of several other nonprofit organizations in the Capital Region. 
Brad currently serves as the Executive Director for Social Venture Partners of Sacramento, an organization seeking to build nonprofit connections and capacity by bringing together leaders from the business and nonprofit community. He oversees partnership growth strategy, daily operations, portfolio engagement, and major events such as the annual Fast Pitch social innovation program.
In 2018, Brad and family also launched a 10-acre u-pick flower farm called Heirloom Acres Farm. Thousands of people visit their farm all summerlong for flower u-pick events, and they also host a holiday barn market and have Christmas trees available in December. 
Brad’s superpower and life mission is about bringing people together for a purpose. He believes our community will be stronger when leaders are connected and engaged. 



About Debbie

Debbie is the founder and Executive Director of Health Education Council. Her two primary areas of expertise are cross-sector coalition building and reducing health disparities in diverse low-income communities.



About Michelle

Michelle Odell is the Director of Public Affairs for Kaiser Permanente in South Sacramento, where she oversees all aspects of Public Affairs including community relations, government relations; community health and community benefit planning; and internal and external communications, including media relations.

NonProfit Membership Rates

Annual Operating Budget Dues
Under $200,000
$200,000 – 500,000
$500,001 – 1,000,000
$1,000,001 – 4,000,000
$4,000,001 +

SignUp Now




Kristi Rolak is Sales Director in Sacramento for One Workplace, a full service commercial interior furnishings company headquartered in Santa Clara and serving greater Sacramento.