The Privacy Precipice: Nonprofits on the Edge

The issue of marketing data privacy is taking an increasingly vocal role in the American conversation. It’s easy to see why.

Algorithms predict our buying behaviors and move us along computer-controlled paths of persuasion. Data profiles predict our likelihood to carry credit or default, and our capacity (or limits) for wealth. Technology moves us ever closer to dependence on artificial intelligence.

These conditions, coupled with recent evidence of perceived malfeasance on the part of large-scale data owners (like Facebook and Google), have sharpened public concern around the misuse of personal data for marketing purposes. This, in turn, has driven legislators to enact regulatory statutes in a hurry.

The rush to consumer protection

In the European Union, lawmakers enacted the General Data Protection Regulation (GDPR) in 2018 and, in their zeal to protect consumer privacy, made it much more costly for data companies to do business in the EU.

“One unintended consequence of GDPR has been that many small data firms, faced with the onerous cost of doing business there, have simply pulled out of the EU markets entirely. This has left the field open to the big data companies who can afford the investment, among which are the very giants, ironically (again, Facebook and Google), who created the furor in the first place,” said Kory Christianson, Executive Director of Development at St. Joseph’s Indian School.

Here in the U.S., California state legislators passed the California Consumer Privacy Act (CCPA) in 2018. This is a hastily drawn statute that does a poor job of defining what exactly comprises consumer data (described vaguely as “personal information”) and gives consumers broad rights to dictate its use without the benefit of understanding the mechanics of data security and integrity. In fact, some consumer data security and integrity will actually be eroded in order for companies to be compliant to the letter of the law (or risk class action lawsuits). It becomes effective on January 1, 2020.

Several states are already lining up behind California, crafting their own entirely unique state-level regulations, and it is highly likely even more will follow suit.

Privacy in the nonprofit sector

Nonprofit organizations generally rely on third-party data providers to furnish the fuel for their growth. These third-party data providers have an established history of sharing non-sensitive data within the nonprofit sector, data that supports efficient and effective fundraising with very little risk, and returns great benefit to society.

Acquisition lists, predictive donor models, email matchbacks, and many more data sources and tactics rely on the responsible use of, and open access to, non-sensitive data.

“Nonprofits do not share — and very often do not even store — the kind of highly sensitive data that has been the deserved focus of attention and concern,” said Lane Brooks, COO/CFO, Food & Water Watch.

Brooks went on to say, “In fact, all reputable organizations already offer donors both the opportunity and mechanism to restrict an organization’s use of their data, including removing their data from exchange or sharing, because donor trust is foundational to our work.”

The risks to nonprofits

Although the California statute exempts nonprofits from regulatory compliance, it does NOT exempt the third-party data partners who serve those organizations.

What would happen if these data partners are forced to cease doing business in California, as happened in the EU?

“Considering the fact that 12% of the U.S. population and 20% of all U.S. contributions come from California, the threat to a nonprofit’s ability to acquire new donors in this state alone cannot be overstated,” said Britt Vatne, President, ALC.

Then consider what would happen if numerous states each enacted their own data privacy statutes.

“Data providers would have to navigate a patchwork quilt of regulation and compliance, costing millions of dollars, much of which would have to be passed on to their nonprofit clients. Those are millions of dollars that, ultimately, would otherwise stay with the organizations to be put to use pursuing their missions,” said Bryn Weaver, General Counsel and Chief Data Ethics Officer at Wiland.

Nonprofits respond

Although still a fledgling industry group, The Nonprofit Alliance has quickly taken a proactive leadership position in this critical arena, contending that the nonprofit industry holds a unique position in American marketing, one that directly and economically impacts the greater social good.

“The process toward enactment of a comprehensive, bipartisan national privacy statute has already begun,” said Mark Micali, Government Affairs Advisor for The Nonprofit Alliance.

On February 26, the House Energy & Commerce Subcommittee on Consumer Protection and Commerce held a hearing on national privacy policy. The following day on February 27, the Senate Commerce Committee held a similar hearing on privacy policy. The Nonprofit Alliance held two subsequent briefings, one in the House and one in the Senate, to specifically discuss the need for responsible reform, regulations that don’t unnecessarily impede a nonprofit’s ability to engage donors, volunteers, and potential service beneficiaries.

“Our position is clear. Caring about people by protecting their sensitive information fits perfectly with who we are,” Micali said. “We support new federal law that defines how personal data must be protected. But it must also preserve the legitimate use of non-sensitive data for fundraising and marketing purposes, allowing nonprofits to accomplish their missions.

Two keys to the strategy

A central aspect of the legislation that The Nonprofit Alliance is suggesting to lawmakers concerns the idea of preemption.

“First, this law should preempt the California Privacy Statute, as well as any future privacy statutes enacted by the states, thus allowing for one clear, national standard for everyone to follow,” said Shannon McCracken, CEO of The Nonprofit Alliance.

“Second, time is of the essence,” she continued. “California’s statute goes into effect on January 1, 2020, and subsequent state-level regulations will not be far behind as other legislatures begin framing their own laws. A nonprofit organization in Illinois should not be burdened to meet different regulations in three states, in the event that their donors in New York contribute to help people in New Mexico.” 

At the core of The Nonprofit Alliance’s position on privacy is a commitment to clarity, transparency, and balance.

“There should be no confusion about how data is used and protected,” said McCracken, “nor should one donor’s right to access and update their information be different from another donor who is contributing to the same organization.”

Where it stands today

The Nonprofit Alliance has mobilized a team of nonprofit executives, agency and partner representatives (including TrueSense Marketing executives), and data experts who continue to meet with key senators on the Commerce Committee. The team is urging bipartisan support for this critical legislation. Further legislative activity has been scheduled and additional nonprofit voices are being sought to add volume to the unified message that the Alliance is sharing with key lawmakers on Capitol Hill, on behalf of the entire industry.

Want to get involved? Contact Shannon McCracken, CEO of The Nonprofit Alliance.