The Analyst Syndicate

What Is The Impact of CCPA On Not-for-Profits?

The California Consumer Protection Act (CCPA) of 2018 went into effect January 1, 2020 but enforcement begins July 1, 2020. This Act expands personal data categories beyond name(s), addresses, account names, social security, drivers’ license and passport numbers  to include biometrics, geolocation data and employment information, thus changing how organizations collect and manage personal data.

Does CCPA Impact Not-for-Profits?

The answer is soon. It is reasonable for not-for-profits to protect their donors, employees and members from inappropriate access and use. The CCPA covers for-profit legal entities and partially exempts not-for-profit organizations. Yet, these exempt organizations are still legally considered the data controller under CCPA.  Many not-for-profits use third party service providers to collect and manage personal data. Financial and membership management, fundraising and social media engagement requires CCPA compliance.  Penalties for non-compliance include granting citizens a right to file lawsuits. In addition, the State of California can levy fines for intentional or unintentional violations. The costs can add up to millions of dollars.

How to Prepare?

You may have noticed not-for-profit organizations and their service providers updating website “Cookie” and “Privacy” policies. In addition, they are taking steps to anonymize IP addresses to prevent data aggregation.  The reason is the European Union’s General Data Protection Regulation of 2018. That does not exempt not-for-profit organizations, from collecting and managing personal data of donors, employees or visitors to mobile apps and websites.  Many not-for-profit organizations do not collect personal data on EU citizens, but their service providers do, effectively resulting in global GDPR compliance.  It is easier for service providers to apply consistent data protection and privacy policies for all of their customers.

Is this GDPR compliance sufficient for CCPA?  Many are hoping they are legally exempt or being located outside of California protects them from CCPA’s reach.  This position is temporary. Currently, almost all states have data breach notification laws and those usually do not exempt not-for-profit organizations. We can expect to see similar data protection and privacy laws enacted across the United States. For example, New York and Washington are working on laws and regulations based in part on CCPA and GDPR.


Demonstrate CCPA compliance by::

  • Designating a data protection officer (or privacy officer)  responsible for ensuring the organization and all service providers. Comply with privacy and data protection rules.
  • Update existing privacy policies to address how personal data is to be managed and protected. Focus on the rights of donors, members, employees and visitors.
  • Quarterly train all employees and volunteers who have access and manage or otherwise process personal data. Provide training on best practices for protecting personal data and privacy.
  • Establish contractual requirements that direct how service providers will process personal data
  • Require service providers to provide appropriate documentation, such as an AICPA SOC2 Privacy certification to demonstrate that their procedures have been assessed by a third party for compliance with privacy rules
  • Consider additional risk assessments, audits and inspections of third-party service providers.


What Do You Think?

Author Disclosure

I am the author of this article and it expresses my own opinions. I have no vested interest in any of the products, firms or institutions mentioned in this post. Nor does the Analyst Syndicate. This is not a sponsored post.

Disclaimer: The author is not a practicing attorney and as such is not offering legal advice.







The views and opinions in this analysis are my own and do not represent positions or opinions of The Analyst Syndicate. Read more on the Disclosure Policy.