The U.S. House of Representatives is considering the American Data Privacy and Protection Act (H.R. 8152). What would this federal data privacy legislation require of the nation’s nonprofits? What are its chances of passing in the near future? Join us on Thursday, December 15 at 2:00 PM ET for a special Monthly Policy Update that is open to the public to discuss this legislation and topic. In this essay, Manuel Gomez of Independent Sector’s public policy team provides context and insight about both.
It may sound cliché, but when we talk about data privacy and regulation, it is impossible not to think about George Orwell and his fabulous book 1984. Orwell’s work, written in 1949, remains an impressive description of reality in the 21st century. Data mining and collection are powerful sources of information that allow analysts to predict data owners’ preferences and behaviors accurately. It is such a powerful tool that it can predict pregnancy or change the course of an election. If you think I exaggerate, you can check when “Target knows when you’re pregnant” or watch the documentary “The Great Hack.”
In the nonprofit world, data collection and analysis are powerful tools. They allow us to understand our network better and more accurately measure and share our organization’s impact with our community and donors without forgetting that data collection, storage, and use are central to our daily activities. I hope to explore this further in a future blog.
However, the dark side of data is the power it can hold without proper control. In Orwell’s book, Big Brother controlled everything by collecting personal information. Collection, storage, updating, and use of data are currently regulated, and are a subject of debate in the United States and around the world because, as technology advances, timely regulations are required to protect the owners of the information and provide clear ground rules for organizations that store and use that information.
In the U.S., data privacy is a fashionable legislative topic. According to the National Conference of State Legislatures, “At least 35 states and the District of Columbia introduced or considered almost 200 consumer privacy bills in 2022.” Depending on your organization’s activities, these laws may apply in whole or part. Let me give you an overview of the current regulation and how a GDPR (General Data Protection Regulation) -like regime in the U.S. could affect nonprofit organizations and charities in the future.
According to Ricky Luttrell, a CPA who writes about nonprofit finance issues, The Telephone Consumer Protection Act of 1991 (TCPA) was introduced to protect consumers from unwanted telephone calls, mostly related to marketing. This rule has become a fundamental piece of legislation to protect the users of our data for commercial purposes, so it has been updated several times, including, among others, the need for written authorization for the benefit of data (even when there is a previous commercial relationship), as well as defense mechanisms that allow data owners, state attorney generals, and the FCC to initiate legal actions to protect the data, and to seek the recovery of damages with financial penalties that vary depending on the case.
Luttrell asserts that “nonprofits are exempt from some TCPA requirements, but not all. For example, “drop rules” are an exemption for nonprofits, and the requirements for autodialers and prerecorded calls are different for nonprofits than for commercial entities. Although the requirements are less restrictive, nonprofits cannot afford to ignore the TCPA altogether because some requirements still apply, and the cost of getting it wrong can be enormous.” Cases such as Capital One or Bank of America, which paid between $75.5 million and $32 million for misuse of consumer data in phone calls, remind us of the importance of obtaining written consent for the use of such data since any organization with a list of phone numbers could be exposed to such fines.
At the state level, most states have regulations for collecting and storing personal data. These laws go beyond telephone data and introduce controls for the use of data in the context of more current technologies, such as the internet. If you are interested in more detailed information by state, this publication of the National Conference of State Legislatures contains a comprehensive listing of data protection regulations, updated year by year.
At this point, you may wonder about federal regulation of data usage beyond phone data, which is an ongoing conversation. From an international perspective, in 2016, the European Union approved a law that imposes high standards for the collection, storage, and especially the use and updating of consumer data on the internet. This regulation is noteworthy for two reasons. First, it requires a minimum standard for any organization that collects or uses data in the European Economic Area, so if your organization has dealings there, it directly affects you. But it is also important because it is a reference to how the regulation of the use of data is evolving toward the establishment of standards in levels of government that go beyond the state regulations.
Saryu Nayyar, Forbes Councils Member, asks whether it is time for a U.S. version of a GDPR-like data privacy legislation. Some federal legislators – like those advancing H.R. 8152 – American Data Privacy and Protection Act (ADPPA) – are trying to create the U.S. version of the GDPR, which includes regulations in areas such as the Right of control and consent for the use of data, the use of algorithms, the Federal Trade Commission (FTC) as the regulator to enforce the bill at the federal level, private right of action and, minimal duty of loyalty. If you are interested in knowing in detail the impact of this bill on nonprofits, Independent Sector published a detailed analysis here.
The conversation is open and will be in debate for a long time. As technology progresses, the use of data will be increasingly essential in all sectors, including nonprofits, so the regulation will have to be updated. Therefore, the nonprofit sector must have a continuous conversation about the role of the use of data in nonprofits so that the information of our donors, staff, and work networks is protected without imposing unnecessary regulations that hinder our work in our community. On Thursday, December 15 at 2:00 PM ET, Independent Sector is hosting a special Monthly Policy Update to discuss data privacy regulation in nonprofits. Please register and join us for this conversation. Click here for more information.
Manuel Gomez is manager of public policy at Independent Sector.
