(Note: Updated Nov. 5 with news of CPRA’s approval.)
Just months after the dust settled from the California Consumer Privacy Act (CCPA) going into effect, all eyes were back on California as they headed to the polls to determine the future of the data privacy law.
And, while it won’t be implemented until 2023, there are still a few changes to data privacy regulations to note. Read on to learn more about CPRA, what this means for nonprofits and the key provisions to keep an eye on.
What is CPRA?
CPRA originated as a ballot initiative sponsored by Californians for Consumer Privacy. Once it received the necessary 600k resident signatures, it qualified for the Nov. 3 ballot.
Building on CCPA’s framework, CPRA significantly strengthens many of the provisions CCPA put into place on Jan. 1, 2020.
These tightened regulations will go into effect Jan. 1, 2023.
What does this mean for nonprofits?
Although nonprofits are exempt from the provisions, it’s clear that when it comes to user data, there is a growing expectation that nonprofits must act as responsible stewards of their donor’s information.
Nonprofits must respect donor intentions and privacy when requested. They must also be aware of agency, vendor and other supplier policies regarding donor data management.
Key provisions to be aware of
What changes can you expect under CPRA? We talked to The Nonprofit Alliance CEO Shannon McCracken, who shared the key provisions we should be aware of:
1. “Sensitive personal information”
This is stricter than the former definition of “personal information.” In addition to the traditional points that normally fall under this description, like SSN or financial information, it also includes precise geolocation, race/ethnicity, religion and more.
2. Expanded consumer rights
Under CCPA, California consumers gained the right to know and delete their personal information. CPRA will now give them the right to correct personal information, too.
3. Formation of the California Privacy Protection Agency
When CCPA was introduced and implemented, there was concern that there was not enough budget or manpower to fully enforce compliance. The formation of this agency will address that concern and will be funded in part by penalties assessed for noncompliance.
4. Extended moratorium on employee data
CPRA extends the moratorium on employee data until at least 1/1/23. Under CCPA, it could expire as soon as 1/1/21.
5. Expanded liability for data breaches
Under CPRA, private right of action is expanded to include breaches that provide unauthorized access or disclosure of an email address and password or security question.
Growing data privacy concerns
Data regulation and consumer privacy concerns are gaining steam across the globe and will continue to be a hot topic.
These regulations have been slow-moving at the federal level, but it’s likely we can see them in the near future. In the meantime, many other states are making moves to introduce their own legislation.
Because of this, it’s critical that nonprofits proactively maintain quality data records, evaluate vendor partnerships and stay knowledgeable on the latest legislation.
Note: The above content is informative in nature and is not intended as legal advice. As a company that provides professional fundraising consulting services, we retain counsel to ensure compliance with fundraising laws in each applicable state. Questions related to the California Privacy Rights Act of 2020 (CPRA) for U.S.-based nonprofit should be directed to counsel that is competent to address such matters.