This week on The Intelligent Edge we welcome Director of Research Michele Borucki to share a brief history of data protection laws in the United States, where they are headed in the near future, and how they’ll impact our nonprofits. It’s a great foundational part one of two, because next week our colleague Jessica Woodbridge will take up the topic, providing lots of resources to help your nonprofit learn and stay compliant. Michele and Jessica will be sharing their knowledge on the topic at the upcoming NEDRA conference in New Haven, May 2-4 – hope to see you there! ~Helen
Here at the Helen Brown Group, we’ve talked a lot over the years about data privacy laws that have impacted our work in the prospect development field. We’ve published in-depth blog posts, continue to share up-to-date resources with our wonderful community, and many of us on the team have created and executed webinars and presentations on the topic.
The one thing we haven’t done yet here on the Intelligent Edge is share with you the nuts and bolts of how we as a firm protect not only our clients’ information, but that of the constituents that they entrust us with on a daily basis.
Next week, my colleague Jessica Woodbridge will be sharing some awesome tips and tricks that we use (and you can too!) to make sure your shop is compliant with data security and protection laws. Before we get into that, please indulge me in a brief history of data privacy, what laws we already have in place here in the US, and what’s on the horizon.
The most famous of the privacy laws, the General Data Protection Regulation or GDPR, has only been in existence since 2018, but its roots go back much further. Where did the idea of data privacy come from?
In 1890 two US lawyers, Samuel D. Warren and Louis Brandeis (Yup! That Brandeis), wrote a Harvard Law Review article called The Right to Privacy, arguing for the “right to be left alone” and using the phrase as a definition of privacy. Obviously, the type of data has changed since the 1800s with the evolution of technology, but even back in 1948 when the Universal Declaration of Human Rights was adopted (including the 12th fundamental right, i.e. the Right to Privacy) lawmakers understood that all humans and their information have the right to be protected.
The US hasn’t adopted a universal consumer data privacy law yet. Many iterations have been drafted and proposed, even as recently as earlier this month with the bipartisan American Privacy Rights Act. So far, only 15 states have passed comprehensive consumer data privacy laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia. Six of those states have laws that have gone into effect: California, Colorado, Connecticut, Florida, Virginia and Utah. And in 2024, we will see laws in Montana, Oregon, and Texas go into effect.
These laws are only applied to for-profit companies, but Colorado’s consumer data privacy law is the first to apply to nonprofits. Oregon and Delaware’s laws (both of which will go into effect in 2025) will also apply to nonprofits.
In the case of Colorado, “an organization must have personal data on 100,000 or more Coloradans; or receive revenue or discounts from the sale of data (e.g., list rental and exchange) and have data for 25,000 or more Coloradans”. Even if your state is not yet on this list, if you are a business or nonprofit with a certain number of consumers/constituents from Colorado (or any state that passes a privacy law including nonprofit data management) this applies to you.
One of the main commonalities among these laws is that they give individuals the power to control their own information. At the same time, companies and organizations are responsible for being good pillars of data collection. Across the board, the following themes exist for consumer rights:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing
- Right to portability
- Right to opt out of sales
- Right to opt in for sensitive data processing
- Right against automated decision-making
- Private right of action
There are so many ways we can unintentionally do harm when it comes to data privacy. As nonprofits it’s important to understand what we can do to make sure that we are caring for our constituents’ personal information. Stay tuned for next week’s post and Jessica’s strategies for making sure your organization is on the right track and complying with current and future privacy laws.