Dear Ethicist,

I keep getting all these emails from companies regarding their privacy policies, which reminded me of when the European Union’s General Data Protection Regulation (GDPR) went into effect. This year’s emails are in response to the new California Consumer Privacy Act (CCPA). Some have called the law “GDPR Light,” and I am concerned about how this will affect my work in prospect development. While I’m not located in California, some of my prospects and vendors are. What do I need to do to make sure I’m in compliance with the CCPA?

Signed,

Concerned About California Privacy Act

Dear Concerned,

The CCPA went into effect on Jan. 1, 2020, and enforcement is set to begin July 1. The law gives folks in the United States the right to find out what data is being held by companies and the right to be forgotten (think unsubscribe or opt-out) by companies. All companies that serve California residents and have at least $25 million in annual revenue, as well as companies that have personal data on at least 50,000 people fall under the law. Companies don’t have to be based in California to fall under the law as it covers personally identifiable information (PII) of California residents, regardless of where your organization is located. 

Stay up to date on the latest ethics issues and trends by reading, “Rest Easily With the Right Policies in Place.”

You may be thinking, I work for a nonprofit, so does this even apply to me? Even though the law is geared toward companies, and nonprofits are technically not subject to CCPA, there are some gray areas for certain nonprofits that:

• Control or are controlled by a for-profit organization that fits CCPA criteria
• Operate under a brand name shared with a company (such as a corporate foundation)
• Enter a joint venture with a for-profit entity
• Contract with an entity through an agreement that requires compliance with the CCPA

Even if your organization doesn’t fall into these categories, the law codifies the general privacy principles that individuals have come to expect from those collecting and using their data, and we should all consider processes and policies that reflect these principles.

Most of us in the prospect development world tend to follow CCPA standards already. If donors request to not be solicited, have their information sold/traded, to be unsubscribed from mailing lists, or if they ask for their information, we abide. With these new regulations, here are a few simple steps to ensure compliance:

1. Talk to your leadership and counsel about CCPA, how it affects your organization, and what policies you have in place to address it.
2. Talk to your third-party (and potential) vendors about CCPA and what they are doing to be compliant.
3. Revise your organization’s privacy statement to make sure it is clear and includes language that covers CCPA regulations, including clear opt-out language.
4. Be educated and prepared. With GDPR and CCPA, privacy acts are now a trend. Additionally, the CCPA was written in only seven days, so expect amendments and revisions.