Insights
Publications

Nonprofits and the California Consumer Privacy Act

June 20, 2019 Articles

The new California Consumer Privacy Act of 2018 (CCPA) will come into effect January 1, 2020. In most situations, nonprofits won’t be subject to the law—but in some cases they necessarily will be and/or will otherwise need to comply. By turning attention to the issue now, nonprofit organizations can ensure, if necessary, compliance with the new law without significant business disruption.

Are You Subject to the Law?

By its express provisions, the CCPA generally does not apply to nonprofit entities. That said, it would apply (or be otherwise directly relevant) to a nonprofit that

  • controls or is controlled by a for-profit entity subject to the act; 
  • operates under a brand name it shares with a for-profit entity (e.g., a co-branded corporate foundation);
  • enters a joint-venture with a for-profit subject to the act; or
  • contracts with an entity through an agreement that requires compliance with the CCPA.

If your nonprofit falls into any of these categories, you should pay close attention to the requirements of the act. But even if it doesn’t, the act codifies the general privacy principles individuals have come to expect from those collecting and using their data. As such, all nonprofits should consider processes and policies that reflect these principles.

What Does the Act Require?

The CCPA provides consumers with four basic rights relating to their personal information:

  • The Right to Know

Companies must inform consumers, usually through a privacy policy, what personal information is collected, where it was acquired (e.g., through cookies, by request, etc.), what the information is used for, whether it is being shared with third parties, and to whom it is shared with.

At least two methods for a consumer to request that the company identify the personal information in its possession must be provided, including, at a minimum, a toll-free number and a link on the company web site. Such a request will need to be fulfilled by the company without charge and within 45 days after receipt of the request (with the possibility of additional time where reasonably necessary and requested).

Similarly, the company must inform consumers of their “right to be forgotten,” discussed further below. While the law only requires this disclosure to be in a “form that is reasonably accessible,” the privacy policy is a natural location and will surely satisfy the requirement.

  • The Right to Opt Out

Companies that provide consumer personal information to third parties must enable consumers to “opt out” of having her/his information transferred. The opt-out/opt-in requirements are different for consumers under 16. In short, companies may not sell personal information of consumers age 13 to 16 without express “opt in,” and for consumers under age 13, the company may not sell her/his personal information without “opt in” from the consumer’s parent or guardian.

The privacy policy posted on the site must provide information on how to opt out as discussed above, and additionally must include a link labeled “Do Not Sell My Personal Information” on the home page.

  • The Right to Control and Be Forgotten

As noted above, consumers must be able to request the deletion of their personal information. This latter right to be forgotten, however, is not a blanket right and has limitation. Personal information need not be deleted, even after a request for such deletion by a consumer, when the information is, among other things, required to comply with a legal obligation or applicable laws (e.g., tax laws).

Note that where a company has a need to hold personal information, it may only hold and use that data for that specific purpose. If, for example, the company needs to hold the data for evidence of a tax-deductible donation, it may not be used to provide marketing materials to the donor or any other purpose outside of storage for legal compliance.

  • The Right to Exercise Privacy Rights Without Prejudice

Companies may not discriminate against consumers who exercise their rights under the CCPA. That is, a company may not deny customers services, provide different goods or services, or charge customers different prices depending on whether they opt-out or otherwise take advantage of their rights under the CCPA. That said, the law nonetheless permits loyalty programs and other financial incentives that benefit those who don’t opt out.

What to Do to Get Ready?

January is coming. While the CCPA will not be directly applicable to many nonprofit organizations, each organization should be determining applicability and, in any event, considering the evolving privacy principles. Organizations should be discussing the issues with stakeholders within the company, primarily those interested in collecting and using the information (usually the marketing and donor relations departments) and those that control the technical collection of data (IT). It is important that both stakeholders provide input and understand the issues as it is common for systems to collect information that, for example, marketers were not actually looking to collect.

Once the organization’s data collection is understood, the privacy policy and required disclosures are posted, and the company has a plan and process to respond to consumer and regulator requests concerning personal information, January 1, 2020 will present only the chance to toast the opportunities of the new year rather than worry about the effective date of the CCPA.

Nate Garhart is special counsel at Farella Braun + Martel. He counsels clients on internet issues, online privacy policies, and customer communication compliance with current laws such as the European Union’s GDPR and the California Consumer Privacy Act. Mr. Garhart’s practice also focuses on maximizing the value of trademark and copyright properties. He can be reached at (415) 954-4425.

Firm Highlights

News

Farella Braun + Martel Attorneys Named to 2021 Northern California Super Lawyers and Rising Stars

Thirty-seven Farella Braun + Martel lawyers were named to the Super Lawyers and Rising Stars lists of top attorneys in Northern California for 2021. 2021 Farella Northern California Super Lawyers: George Argyris – Estate...

Read More
News

Farella Braun + Martel Earns 2022 U.S. News – Best Lawyers® "Best Law Firms" Rankings

SAN FRANCISCO, November 5, 2021: Northern California legal powerhouse Farella Braun + Martel earned national and regional rankings across several practice areas in the 2022 edition of U.S. News – Best Lawyers ® "Best...

Read More
News

51 Farella Lawyers Listed in The Best Lawyers in America© 2022 and Best Lawyers: Ones to Watch

Forty-six Farella Braun + Martel lawyers were selected by their peers for inclusion in the 2022 edition of The Best Lawyers in America © .  Five Farella lawyers were named to Best Lawyers: Ones to...

Read More
Publication

Investigations, Audits, Subpoenas, Oh My!

Our Nonprofit Education Series speakers Cynthia Rowland, Aviva Gilbert and guest speaker, Stephanie Fauerbach from FTI Consulting, discuss "Investigations, Audits, Subpoenas, Oh My!" Nonprofit entities can be just as prone to misconduct (theft, embezzlement, accounting snafus...

Read More
Publication

Pushing for Diversity in Philanthropy

Farella's Wendy Hernandez and guest speaker, Afshan Paarlberg, assistant visiting professor at Indiana University Lilly Family School of Philanthropy, for the nonprofit industry program "Pushing for Diversity in Philanthropy." A pressing question for many...

Read More
Publication

Insurance for Nonprofits: Managing Risk in Risky Times

Mary McCutcheon, Cynthia Rowland and guest speaker, Joan Dove from Gallagher, discuss "Insurance for Nonprofits: Managing Risk in Risky Times" at the April Nonprofit Education Series. Nonprofit organizations—and their directors and staff—are not immune to...

Read More
Publication

New Round of PPP Loans: What Nonprofits Need to Know

Matt Lewis and Julie Treppa discuss "New Round of PPP Loans: What Nonprofits Need to Know."  The Paycheck Protection Program (PPP) is a lifeline for nonprofits and other businesses that are struggling to survive during...

Read More
News

Farella Braun + Martel Ranked in Legal 500 United States 2021

Read More
Publication

Eviction Moratorium Updates for Nonprofits

Tony Schoenberg discussing "Eviction Moratorium Updates for Nonprofits" at the March Nonprofit Education Series. As an owner or tenant, dealing with real estate has been one of the most significant challenges facing nonprofits during...

Read More
News

Farella Braun + Martel Recognized in 2021 Chambers High Net Worth Guide

Farella Braun + Martel’s Private Client Industry Group earned recognition in the 2021 Chambers High Net Worth (HNW) guide as a leading firm in the Private Wealth Law category for Northern California. A publication...

Read More