Hallett Philanthropy
Serving Clients Full Circle

Writings by Randall

Government Privacy Laws Catching-Up to Non-Profits

If you're not paying attention, you could get caught by a state government directing organizations regarding their data privacy. And possibly in conflict with federal law. Just look at what's happening in Colorado.

Two years ago, the legislature in Colorado, with the governor’s signature, enacted legislation to protect individuals’ privacy as it pertains to data. The state did give two years advance warning, which means the law and its effects begin this July 1st, 2023. Specifically, organizations that deal in larger amounts of data will have additional requirements including how they process data, allowing people to opt out of that processing, how they notify individuals of the data, etcetera. This legislation follows Virginia and California, which were the first two states to enact such laws.

So why do we mention Colorado? Because up to this point, it's the only one with no exceptions for nonprofits. So here are just a few questions I don't have answers to, and I don't think anybody else does either...

  • How does this pertain to healthcare and HIPAA, which allows data to be processed in six major areas for philanthropic purposes without an authorization?

  • If you are a data company, but not housed or incorporated in Colorado, like a third-party vendor, does this law apply to you?

  • What type of affirmative responsibility does a nonprofit have to utilize someone's data in communicating with them, even if not soliciting?

While the law only pertains to organizations that process of 100,000 or more individuals or exchange the personal data of 25,000 or more individuals, it leaves enormous holes in answers to the questions above, plus many more. What also is interesting is that there's no private right to action, meaning lawsuits can only be initiated by state officials or agencies, not private individuals. So how is enforcement going to be handled?

Several other states are also considering similar legislation. Connecticut, Utah, and Iowa have enacted data policy laws but won't be implemented until later dates.

Nonprofits use data. This means, by looking at these states and their actions, that both organizations and wider nonprofit associations are going to need to pay attention to the laws enacted and be ready to make adjustments to meet philanthropic and communication opportunities.

Randall Hallettdata, business, policy