Legislative Outlook for 2022 – What’s Next in Data Privacy Regulation?

By: The Nonprofit Alliance Policy Team

As every DMFA member well knows, nonprofits use data provided by third-party commercial entities to aid program execution and to make fundraising more efficient. These providers are seeing their activities come under the gaze of an increasing number of state legislatures. California’s enactment of the California Consumer Privacy Act (CCPA) in 2018 was the tip of the spear, and a number of states slowed or paused their push for data regulation during the 2018 and 2019 rule-making period to see where the California chips would fall. In early 2020 there were clear signals that states were ready to move vigorously, some with bills that largely mirrored the California framework and others looking to create new precedent. The pandemic and economic shut-down largely slowed that progress as state legislatures prioritized other demands. But postponed is not abandoned.

This year both Virginia and Colorado enacted their own data privacy laws, Virginia’s to take effect January 2023, Colorado’s July 2023. The Virginia Consumer Data Protection Act, which was signed into law on March 2, grants consumers the right to confirm, correct, and delete personal data and opt-out of the use of data for advertising or sale. It includes an opt-in consent requirement for sensitive data. Nonprofits are largely exempt. Colorado’s new law, the Protect Personal Data Privacy Act, was signed into law on July 7. It enables a consumer to opt-out of the processing of their personal information and provides the right to correct inaccurate personal information and the right to have personal information deleted. Controllers are required to provide a “meaningful” privacy notice, confirm whether they are processing persona data, and provide a consumer access to that information.

Ongoing now, or coming to a legislature near you in 2022, there are privacy initiatives in Alaska, Massachusetts, Minnesota, New York, Ohio, Oklahoma, Pennsylvania, and Washington. We can certainly expect more.

Most fundraisers are acutely aware of the toll taken by overlapping, redundant regulation implemented by the states. Forty states have charitable solicitation laws. Compliance, including reporting, is mostly comparable and relatively straightforward. Yet a national fundraising organization incurs significant costs to comply. The cost for data provider compliance will be far steeper. Some have already ceased doing business in California because of the perceived risk of high compliance costs and severe sanctions.
The point is this: nonprofits will continue their need for reliable, reasonably priced data provided by third parties. But where will they get it if the proverbial “patchwork of state laws” limits or eliminates their providers? The answer couldn’t be simpler but, so far, remains elusive. We need a national data privacy law enacted by Congress, one which pre-empts state privacy laws. In short, one national “Rules of the Road” for the responsible collection and use of data.

The outlook for the 2021-2022 session is not good. TNPA has engaged on the issue and there are a few bright spots. But so far, there is no real movement in Congress. As of this writing, it remains to be seen whether the Republicans will re-take the House after the November 2022 mid-term elections, as is predicted. In that scenario, some of the obstacles encountered so far would be removed as the R’s have shown more interest in moving forward a federal pre-emptive solution than their D colleagues. If we continue to play out this scenario to forecast privacy legislation passing in the House, the Senate (regardless of its make-up) may have to address the issue in turn.
For more information on consumer data privacy legislation and other policy issues, please visit https://tnpa.org/policy/. You can reach TNPA’s VP, Government Affairs, Mark Micali, at mmicali@tnpa.org with any specific questions.