What Does GDPR and CCPA Mean to Faith Based Organizations?

Do you wonder why websites now give you the option to accept, decline or even read their privacy polices?  The answer is the European Union’s General Data Protection Regulation (EU GDPR.)  

This Regulation expands the rights of EU citizens regarding their personally identifiable information (PII), forever changing how PII is used and stored by organizations. For example, the Court of European Justice (CJEU) ruled that internet companies, such as Facebook and Twitter can no longer use ad-tracking (implied) consent cookie policies. Rather, they now must offer active consent cookie policies.

Due to the proliferation of cloud computing technologies and mobile applications, GDPR set certain precedents for its citizens to include:

  • Being informed what PII is being collected and how it is used.
  • PII includes names, addresses, telephone numbers, emails, other online identifiers, and biometrics.
  • Delete PII for any reason.
  • Legal right to sue organizations due to a data breach or theft. 
  • GDPR’s reach is global based on PII being processed.  

This has prompted other jurisdictions, such as California, to enact similar rules. On January 2020, CaliforniaConsumerPrivacyAct (CCPA) takes effect. It defines PII as portable and under the control of California consumers,   requiring businesses, service providers and third parties to revise their data management practices.  

CCPA currently exempts non-profits but based on the law’s definitions and intent, it’s similar to GDPR’s scope.

Assuming that GDPR and CCPA are likely to be adopted elsewhere, faith-Based Organizations (FBOs) should revise data management, applications, and business processes to avoid penalties and fines.


  1. Identify how and when (PII)  data is collected, used and managed. Extend this review to current and former contributors, donors and members. Include all consultants, contractors, subcontractors, and vendors in this review.
  2. Determine if (PII) is being collected and used for legitimate FBO purposes. Include workflow practices and all business processes. For example, many software vendors integrate with other social media and email solutions.  
  3. Draft Data Protection Agreements. Require relevant parties to follow all requirements or sanctions occur.  Include consent and opt-out provisions and privacy use policies.
  4. Develop data controls that allow for granular access to offer situational awareness. For example, many FBOs are linking PII with all online and web forms.  
  5. Implement data anonymization and encryption technologies.
  6. Update privacy use consent agreements and newer data handling and security training.

What Do You Think?

Author Disclosure

I am the author of this article and it expresses my own opinions. I have no vested interest in any of the products, firms or institutions mentioned in this post. Nor does the Analyst Syndicate. This is not a sponsored post.

Updated 10.08.2019



The views and opinions in this analysis are my own and do not represent positions or opinions of The Analyst Syndicate. Read more on the Disclosure Policy.


  1. […] Is this GDPR compliance sufficient for CCPA?  Many are hoping they are legally exempt or being located outside of California protects them from CCPA’s reach.  This position is temporary. Currently, almost all states have data breach notification laws and those usually do not exempt not-for-profit organizations. We can expect to see similar data protection and privacy laws enacted across the United States. For example, New York and Washington are working on laws and regulations based in part on CCPA and GDPR. […]

Leave a Reply