Privacy Laws: Nonprofit Compliance And Consumer Trust

What privacy laws apply to nonprofits

Nonprofits are subject to a patchwork of state and federal privacy laws, which can be challenging to navigate. While many state privacy laws contain certain exemptions for nonprofit organizations, each exemption is different and may not extend to all nonprofits. For example, the California Consumer Privacy Act (CCPA) broadly exempts nonprofits, whereas the Colorado Privacy Act does not include an explicit exception. Nonprofits should be especially attentive to emerging data privacy requirements and determine which state privacy laws apply to them. They should also assess the impacts of those specific state privacy laws and start on the path to compliance, which may include creating processes to field and respond to consumer privacy rights requests, updating privacy policies, and conducting regular audits.

Characteristics | Values
Applicability | Privacy laws vary from state to state. Some states have comprehensive data privacy laws, while others have issue-specific laws.
Exemptions | Some states exempt nonprofits from privacy laws, but the criteria vary. For example, California maintains that only for-profit entities can be regulated as "businesses", while Colorado does not explicitly exempt nonprofits.
Consumer Rights | Individuals have rights such as the right to access and correct their personal data, the right to opt out of data sales, and the right to non-discrimination.
Compliance Requirements | Nonprofits must assess the impact of privacy laws on their operations and implement necessary changes, such as creating processes to handle consumer requests and updating privacy policies.
Enforcement | Nonprofits that do not meet privacy requirements may face enforcement actions from state attorneys general or the Federal Trade Commission (FTC).


Nonprofits and the collection, use, and transfer of consumer data

Nonprofits are subject to a variety of privacy laws that govern the collection, use, and transfer of consumer data. In the US, the regulatory framework for data privacy is complex and constantly evolving, with state-level variations that nonprofits must navigate. While many state privacy laws contain certain exemptions for nonprofit organizations, these vary significantly and may not apply to all nonprofits or entities working with them. As such, nonprofits must closely monitor the privacy laws in the states in which they operate and understand their specific obligations.

In 2023, six US states—Oregon, Texas, Tennessee, Montana, Iowa, and Indiana—enacted comprehensive data privacy laws, bringing the total to eleven states with such legislation over the past three years. Notably, Colorado and Oregon's laws offer virtually no nonprofit exemptions, and other state exemptions may be more limited than expected. These new laws have implications for nonprofit website operations and the handling of personally identifiable information (PII), including donor information, employee details, and beneficiary data.

To ensure compliance with the evolving privacy landscape, nonprofits should take several key steps:

  • Understand the specifics of each applicable law: Nonprofit operational teams should familiarize themselves with the requirements of each relevant state law, as they differ significantly.
  • Identify and categorize collected data: Nonprofits should know what types of personal information they collect and process, why they collect it, and with whom they share it.
  • Implement and maintain privacy policies: Ensure your privacy policy is clear, up-to-date, and reflective of your organization's actual practices.
  • Invest in secure data storage and management systems: Evaluate your data storage and management systems to ensure they meet stringent data security standards mandated by the new state laws.
  • Prepare for potential data breaches: Implement data breach response plans, as all 50 US states have data breach notification laws, and nonprofits are generally subject to these requirements.
  • Train your staff: Regularly educate staff and volunteers about the importance of data privacy and applicable compliance requirements.
  • Conduct regular audits: Regularly assess your organizational data handling practices to improve compliance and make any necessary adjustments.

By following these steps, nonprofits can navigate the complex privacy landscape and ensure they meet their legal obligations regarding the collection, use, and transfer of consumer data.


Nonprofit applicability and exemptions

The applicability of privacy laws to nonprofits varies across different states. While some states have comprehensive privacy laws in place, others have yet to enact such legislation. As of 2024, 14 states have privacy statutes, and this number is expected to grow. The applicability of these laws to nonprofits depends on various factors, including the state in which the nonprofit operates, the type of data collected and processed, and the nonprofit's tax status.

State-specific applicability:

In Colorado, the privacy law applies to nonprofits that conduct business in the state or deliver commercial products/services targeted to state residents and that meet certain data processing or revenue thresholds. California maintains that only for-profit entities can be regulated as "businesses", but nonprofits may fall under other defined entities such as "service providers" or "contractors." Delaware and Oregon have narrower, more specific exemptions: Delaware exempts nonprofits dedicated to preventing insurance crime and serving victims of specific crimes, while Oregon exempts those established to detect insurance fraud and nonprofits providing programming to radio/TV networks. Nevada's privacy law is vague regarding nonprofit applicability, while Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia provide exemptions for "nonprofit organizations" or "nonprofit corporations." However, each state defines these terms differently, so nonprofits must carefully review the applicable laws.

Data collection and processing:

The type of data collected and processed by nonprofits can also affect whether privacy laws apply to them. For example, the collection and processing of health data and of data associated with minors, as well as activities such as data brokering, are often subject to specific laws and regulations. Additionally, the volume of data processed and the revenue derived from data sales may be factors in determining whether privacy laws apply to a nonprofit.

Tax status:

The tax status of a nonprofit can also play a role in determining the applicability of privacy laws. Some states refer to the Internal Revenue Code to define "nonprofit organizations" that are exempt from certain privacy laws. For instance, organizations exempt from taxation under specific sections of the Internal Revenue Code may qualify for exemptions in some states. However, it's important to note that the definition of "nonprofit" can vary across states, and exemptions may depend on the entity's jurisdiction of formation or state of incorporation.

Exemptions and partial exemptions:

While some states provide broad exemptions for nonprofits, others offer partial exemptions or no exemptions at all. For example, Oregon and Colorado have limited or no exemptions for nonprofits under their state statutes. On the other hand, states like Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia provide varying levels of exemptions for "nonprofit organizations" or "nonprofit corporations." These exemptions often come with conditions and may not apply to all nonprofits operating within those states.

To navigate the complex landscape of state privacy laws, nonprofits should consult legal experts and closely monitor legislative developments. Understanding the specifics of each law, identifying the types of data collected and processed, implementing privacy policies, investing in secure data storage, and conducting regular audits are crucial steps for nonprofits to ensure compliance and maintain donor trust.


Nonprofit compliance and implementation

  • Understand the Specifics of Each Law: Nonprofits must stay up to date with the privacy laws in the states they operate and understand the specific requirements and definitions of "nonprofit" in each law. This is crucial as the laws vary significantly across states, and failing to comply can lead to legal consequences.
  • Identify and Categorize Collected Data: It is essential to know what types of personal information the nonprofit collects and processes, the purpose of collection, and with whom it is shared. This step helps nonprofits understand their data handling practices and identify areas that need improvement to meet privacy standards.
  • Implement Privacy Policies: Nonprofits should ensure their privacy policies are clear, up-to-date, and accurately reflect their data collection and processing practices. These policies should be easily understandable and accessible to individuals, outlining the organization's data management and sharing practices.
  • Invest in Secure Data Storage and Management Systems: With stringent data security measures mandated by state laws, nonprofits must evaluate their data storage and management systems. Investing in secure and compliant systems protects sensitive data and reduces the risk of data breaches.
  • Prepare for Possible Breaches: Nonprofits should anticipate potential data breaches and have comprehensive data breach response plans. They should also regularly train their staff and volunteers on data privacy and applicable compliance requirements to foster a culture of compliance and security.
  • Conduct Regular Audits: Regular audits of organizational data handling are crucial for nonprofits to maintain compliance and identify areas for improvement. Engaging professionals specializing in data privacy regulations can provide valuable insights and guidance.

By proactively adopting these compliance measures, nonprofits can enhance their data security, maintain donor trust, and reduce legal risks. It is essential to stay informed about evolving privacy laws and work closely with legal counsel to ensure compliance with the specific requirements applicable to the organization's structure and operations.


Nonprofit obligations under HIPAA

Nonprofit organizations often wonder whether they need to be HIPAA compliant. The answer depends on the type of nonprofit organization. If a nonprofit organization works with protected health information (PHI) in any capacity, it is required to be HIPAA compliant.

PHI is any piece of information in an individual's medical record that was created, used, or disclosed during the course of diagnosis or treatment and can be used to personally identify them. The Department of Health and Human Services (HHS) categorizes PHI into 18 HIPAA identifiers, including address, dates of admission or discharge, Social Security number, medical record number, biometric identifiers such as fingerprints or voice prints, and vehicle identifiers, serial numbers, or license plate numbers.

HIPAA applies to "covered entities" and "business associates". A covered entity is defined as a health plan, health care clearinghouse, or a health care provider that transmits health information in an electronic form. A health plan is an individual or group plan that provides or pays the cost of medical care. A health care clearinghouse is an entity that sends, receives, and processes health information, typically for billing purposes. A business associate is a person or entity that arranges, creates, receives, maintains, or transmits PHI on behalf of a covered entity for the purpose of conducting an activity that is regulated by HIPAA.

Nonprofit organizations can be covered entities, but this depends on several factors. Many nonprofits provide health care services, meaning they fall under HIPAA's definition of a health care provider. However, not all health care providers are considered covered entities under HIPAA. To be considered a covered entity, a health care provider must electronically transmit PHI for the purpose of specific transactions such as billing/claims for health care benefits, encounters, payments, eligibility requirements, referrals, or other financial transactions related to health care. Therefore, if a nonprofit transmits PHI electronically for payment, it will be considered a covered entity and will be subject to HIPAA. For example, if a nonprofit receives grant funding but also bills insurers electronically for some health services, it is considered a covered entity and is bound by HIPAA.

Covered entities must comply with the HIPAA Privacy, Security, and Breach Notification Rules. Nonprofits that are business associates must also comply with many of the requirements of the Privacy, Security, and Breach Notification Rules. Under the Privacy Rule, covered entities are required to provide individuals with access to their own PHI, such as medical records and billing records. The Rule allows individuals to inspect or obtain a copy of their PHI, or have it sent to a third party. Additionally, unless an exception applies or all personal identifiers have been removed, the Privacy Rule prohibits covered entities from disclosing an individual's PHI to third parties. The Security Rule protects PHI that is stored or transferred electronically, placing safeguards on the use and disclosure of electronic PHI. The Breach Notification Rule requires entities covered by HIPAA to notify affected patients, HHS, and in some cases the media when a "breach" of PHI occurs.


Nonprofit privacy and security standards

Overview

The U.S. data privacy regulatory framework is complex and ever-changing. Nonprofit organizations (NPOs) must stay up to date with the latest privacy laws to ensure ethical data handling and compliance with state and federal regulations. This is especially important as NPOs often handle sensitive donor and consumer data. While some federal laws provide broad guidelines, specific state laws can vary greatly and may contain exemptions for NPOs. Therefore, NPOs should be diligent in understanding and adhering to the privacy standards outlined by the relevant authorities.

Understanding the Applicable Privacy Laws

To ensure compliance with privacy regulations, NPOs must first identify which laws apply to their organization. This involves understanding the specific definitions, obligations, and rights outlined in each law. At the federal level, there are several sectoral laws and regulations that address the use and disclosure of personal data. One notable example is the Health Insurance Portability and Accountability Act (HIPAA), which establishes national standards for the protection of health information. NPOs that process protected health information (PHI) must be aware of their obligations under HIPAA, including the requirement to conduct regular audits and provide individuals with specific rights related to their PHI.

In addition to federal laws, NPOs should also pay close attention to state privacy laws, as these can have a significant impact on their operations. As of 2024, 14 states have enacted comprehensive privacy legislation, and this number is expected to grow. Each state's privacy law differs in its approach to NPOs, with some providing exemptions while others do not. For example, the California Consumer Privacy Act (CCPA) broadly exempts NPOs, while the Colorado Privacy Act does not include a specific exemption. Therefore, NPOs must carefully review the laws in the states in which they operate to determine their specific obligations.

Implementing Privacy Policies and Procedures

Once NPOs have identified the applicable privacy laws, they should take several steps to ensure compliance. This includes implementing comprehensive privacy policies that are clear, up-to-date, and reflective of the organization's actual practices. NPOs should also invest in secure data storage and management systems to protect the personal data they collect. Regular staff training is crucial to ensure that employees and volunteers understand the importance of data privacy and are aware of the relevant compliance requirements.

Additionally, NPOs should prepare for possible data breaches by establishing well-defined breach response protocols and conducting regular audits to identify vulnerabilities and ensure ongoing compliance. By proactively adopting these measures, NPOs can enhance their data security and maintain the trust of their donors and stakeholders.

Key Takeaways

  • The U.S. data privacy regulatory framework is complex and constantly evolving, requiring NPOs to stay vigilant.
  • NPOs must understand and comply with both federal and state privacy laws, as these can vary significantly.
  • Federal laws such as HIPAA establish national standards for the protection of health information, with specific obligations for NPOs that process PHI.
  • State privacy laws can have a significant impact on NPOs, and exemptions for NPOs vary from state to state.
  • NPOs should implement robust privacy policies, invest in secure data systems, and provide regular staff training to ensure compliance and enhance data security.

Frequently asked questions

In the US, there is a complex patchwork of federal and state privacy laws that apply to nonprofits. At the federal level, nonprofits are subject to the FTC Act, GLBA, HIPAA, COPPA, CAN-SPAM, and TCPA. At the state level, privacy laws vary and nonprofits should assess their obligations on a state-by-state basis. Some states, like California, broadly exempt nonprofits, while others, like Colorado, do not.

Privacy laws can impact nonprofit operations, including their websites, and the handling of personally identifiable information (PII) such as donor information, employee data, and beneficiary details. Nonprofits may need to implement new processes to facilitate compliance with consumer data rights and data governance requirements.

Nonprofits should determine which privacy laws apply to them and assess the impact of those laws on their operations. They should then implement measures to ensure compliance, such as creating processes to handle consumer requests, updating privacy policies, and investing in secure data storage systems. Regular staff training and audits are also important to maintain compliance.

Nonprofits that do not comply with applicable privacy laws may face enforcement actions from state attorneys general or other relevant authorities. This can result in fines, legal action, and damage to the organization's reputation and trust with stakeholders.
