Let’s be honest, who doesn’t like to be fashionable? In one way or another, we all want to be up to date with the latest. It seems that legislators also want to be on trend. Check out this summary of a data–privacy trend gaining popularity among state legislators and in Washington, DC, too!
This map, updated on May 20, 2024 by the International Association of Privacy Professionals (IAPP), reveals a striking legislative trend.
It vividly shows how, in the absence of federal regulation, data privacy is being regulated in each state at a rapid pace. This is not a trend to be taken lightly, as it is shaping the data privacy landscape in the United States.
The trend in numbers is surprising. Since 2020, 17 state laws on data privacy have been approved, 12 in the last two years. Additionally, several bills have been introduced in 14 other states.
Following the IAPP legislative tracker, California was the first state to approve a data privacy law in 2018, effective in 2020. In 2021, Colorado and Virginia joined this group of pioneers. In 2022, Connecticut and Utah joined the group, and the American Data Privacy and Protection Act (ADPPA) was also introduced (H.R. 8152).
In 2023, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas decided to pass their own data privacy regulations. So far in 2024, Kentucky, Maryland, Nebraska, New Hampshire, and New Jersey have approved their own legislation. And the icing on the cake? In Washington, DC, in April 2024, a draft for possible federal regulation on data privacy (American Privacy Rights Act, APRA) was released as a possible bipartisan and bicameral deal.
However, in this universe of state data privacy regulations, the implications for the nonprofit sector vary from state to state. This has raised questions, like whether the nonprofit sector should be included or exempt from this regulation, and whether the rules that apply to the private sector should apply to the charitable sector in the same way. Based on these questions, it is possible to classify state regulations into at least two categories — those that exempt nonprofits and those that do not.
Those that exempt nonprofits:
California. The California Consumer Privacy Act (CCPA) was the first legislation to create comprehensive data privacy regulation in the United States. It was adopted in 2018, but didn’t take effect until January 1, 2020. According to the RKD GROUP, “For CCPA specifically, nonprofits are exempt. Therefore, the responsibility is on businesses that are covered by the law, including all vendors, providers and agencies.”
Connecticut. The Connecticut Data Privacy Act (CTDPA), approved in 2022 and effective on July 1, 2023, shares some similarities with the California legislation, including the exemption for nonprofit organizations. “The CTDPA exempts state and local government entities, nonprofits, institutions of higher education, certain national security associations, financial institutions covered by the Gramm-Leach-Bliley Act (GLBA) and “covered entities” and “business associates” as defined under HIPAA,” as explained by Akin LLP. Note: The Gramm-Leach-Bliley Act (GLBA) addresses financial services regulation, including personal data protection. HIPAA refers to the Health Insurance Portability and Accountability Act.
Indiana. The Indiana Consumer Data Protection Act (INCDPA), approved in 2023, will take effect on January 1, 2026. As mentioned by White & Case LLP, “Notably, the Indiana Data Privacy Law does not have a revenue threshold for entities to be subject to privacy obligations. In addition, the Indiana Data Privacy Law does not apply to government entities, nonprofits, HIPAA-covered entities and business associates, higher educational institutions (public or private), and Gramm-Leach-Bliley Act-regulated entities and data. The Indiana Data Privacy Law also does not apply to certain classes of data including health records, scientific research data, consumer credit-reporting data, data regulated by the Family Educational Rights and Privacy Act or federal Farm Credit Act, and employment-related information.”
Iowa. Approved in 2023, the Iowa Data Privacy Law (SF 262) takes effect after January 1, 2026. According to the IAPP, “The Iowa privacy law does not apply to Government entities, Financial institutions, their affiliates and entities subject to the Gramm-Leach-Bliley Act, Entities who are subject to and comply with the Health Information Technology for Economic and Clinical Health Act and/or HIPAA, and Nonprofit organizations.”
Kentucky. The Kentucky Consumer Data Protection Act (CDPA) was approved in 2024, but will not be effective until October 1, 2025. As explained by White & Case LLP, “The Kentucky CDPA exempts several categories of entities, including state and city government agencies; financial institutions and data regulated by the Gramm-Leach-Bliley Act; nonprofit organizations; institutions of higher education; and HIPAA-covered entities and business associates.”
Montana. In 2023, Montana state legislators approved the Montana Consumer Data Privacy Act (MTCDPA), which will take effect on October 1, 2024. The MTCDPA follows the so-called California Model and “includes exemptions in line with most other State Data Privacy Laws, such as for state political subdivisions or entities, nonprofit organizations, institutions of higher education, and any information or data regulated by certain other privacy laws, including the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act,” according to the Law firm Clifford Chance.
Nebraska. In 2024, the Nebraska legislature approved the Nebraska Data Privacy Act (LB 1074). This state law, effective on January 1, 2025, follows the California model excepting “entities subject to the GLBA, HIPAA covered entities and business associates, nonprofits, higher education institutions, and certain types of utility suppliers,” according to Husch Blackwell’s Data Privacy & Cybersecurity.
New Hampshire. Approved in 2024, but not effective until January 1, 2025, the New Hampshire Comprehensive State Privacy Law, “like other state privacy laws, carves out exemptions for certain entities and categories of data. For example, these exemptions include entities subject to Title V of the Gramm-Leach-Bliley Act, nonprofit organizations, and institutions of higher education to name a few. Additionally, the law provides data level exemptions, such as protected health information under HIPAA,” as mentioned by Troutman Pepper Hamilton Sanders LLP.
Tennessee. The Tennessee Information Protection Act (TIPA) was approved in 2023 but will not be effective until July 1, 2025. As indicated by Wagenmaker & Oberly, LLC, the TIPA “contains the broadest definition of ‘nonprofit’ including not only corporations formed under the state’s nonprofit corporation law, but also entities exempt from federal income under any subsection of IRC section 501(c), as well as any entity owned or controlled by a nonprofit organization. Most nonprofits should be exempt under the TIPA.” Additionally, according to White & Case LLP, TIPA does not apply to nonprofits and other entities like higher education or government institutions.
Texas. In 2023, Texas state legislators approved the Texas Data Privacy and Security Act (TXDPSA). Effective in July 2024, this law follows the state bills approved in California, and excludes “nonprofit organizations, institutions of higher education, and any information or data regulated by certain other privacy laws,” as mentioned by Clifford Chance.
Utah. Utah state legislators approved the Utah Consumer Privacy Act (UCPA) in 2022, and it became effective on December 31, 2023. According to Whiteford, Taylor & Preston LLP, “The Utah Consumer Privacy Act, for example, additionally excludes from its scope domestic nonprofit organizations that are incorporated under Utah’s nonprofit laws.” Additionally, JDsupra indicates that government entities, tribes, and universities are also exempt.
Virginia. Virginia was the second state to enact data privacy legislation. The Virginia Consumer Data Protection Act (VCDPA) was approved in 2021 and became effective on January 1, 2023. According to Bloomberg, the VCDPA excludes any nonprofit organization, and in 2022, the law was amended to include in its nonprofit definition tax-exempt political organizations.
Those that partially exempt nonprofits:
Colorado. The Colorado Privacy Act (CPA) was approved in 2021 and became effective after July 1, 2023. It “applies to legal entities (including nonprofits) conducting business in Colorado, or producing or delivering commercial products or services that are intentionally targeted to Colorado residents, that: Control or process the personal data of at least 100,000 Colorado consumers during a calendar year; or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more. Thus, by its own terms, the definition applies to nonprofits that meet either of the processing thresholds,” according to JDsupra.
Delaware. The Delaware Personal Data Privacy Act was signed by the governor in 2023, but will not be effective until January 1, 2025. As indicated by Whiteford, Taylor & Preston LLP, “Joining a minority of states, namely Colorado and Oregon, Delaware does not broadly exempt nonprofit organizations. (…) Instead, the Delaware privacy law contains two narrow exceptions applicable to nonprofit organizations. The first is an enterprise-level exception for nonprofit organizations dedicated exclusively to preventing and addressing insurance crime. The other is a data-specific exception covering personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony. (…) Outside of these limited exceptions, the Delaware law is applicable to any nonprofit organization that offers services in the state and otherwise meets the jurisdictional threshold requirements noted above.”
Maryland. The Maryland Online Data Privacy Act (MODPA) was approved in 2024 but will not be effective until October 1, 2025. According to Fisher & Phillips LLP, “Maryland’s proposed law does not provide a blanket exemption for nonprofits or institutions of higher education.” More specifically, the only exempt nonprofit organizations in Maryland are those “that process or share data solely to assist law enforcement agencies investigating insurance fraud or first responders responding to catastrophic events,” as explained by Nixon Peabody LLC.
New Jersey. The New Jersey Privacy Act (NJPA) was approved in 2024 and becomes effective on January 15, 2025. Similar to Colorado or Delaware, in the NJPA “nonprofit organizations are largely not exempt and are required to comply with the NJPA,” according to AKIN.
Oregon. While the Oregon Consumer Privacy Act (OCPA) was approved in 2023 and will be effective on July 1, 2024, it will not be effective for nonprofits until July 1, 2025 (see the law’s Section 13). According to the law firm Lane Powell, as a general rule the OCPA applies to nonprofit organizations in Oregon, with the exception of those that are “established to detect and prevent fraudulent acts in connection with insurance.” It also exempts “noncommercial activities of a nonprofit organization that provides programming to radio or television networks.”
Bonus. The data privacy “fashion” is trending again on Capitol Hill. The draft presented in April by the chair of the House Energy and Commerce Committee, Rep. Cathy McMorris Rodgers (R-WA), and the chair of the Senate Commerce Committee, Sen. Maria Cantwell (D-WA), was modified and included as part of a markup in the House’s Innovation, Data, and Commerce Subcommittee. This legislation could impact nonprofit organizations and the communities they serve in a variety of ways, as outlined in Independent Sector’s summary of the April discussion draft.
This new version includes some modifications that recognize federated nonprofits, but it still raises questions about critical topics for nonprofits, such as the Federal Trade Commission’s jurisdiction, volunteer data, and costs associated with enforcing these bills. For a comprehensive contrast between the drafts, please see the IAPP comparison.
Manuel Gomez is Manager, Public Policy at Independent Sector.