Understanding data privacy compliance is essential for nonprofit organizations, as most will handle sensitive information about donors, beneficiaries, volunteers, and other individuals. It is important to determine which privacy laws, if any, apply to your nonprofit, as the penalties for noncompliance can be severe, including hefty fines and lawsuits. Unfortunately, small teams and lean budgets can make it difficult for nonprofits to manage compliance and keep up to date with the shifting regulatory landscape.
As of May 2025, comprehensive data privacy laws are in force in 13 states: California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia. Additionally, privacy laws in Tennessee, Minnesota, and Maryland will take effect on July 1, July 31, and October 1, 2025, respectively.
Although most state laws provide some kind of exemption for nonprofits, the scope of these exemptions varies significantly. Some state laws provide broad exemptions, others narrow, and a few do not exempt nonprofits at all. However, setting aside nonprofit status, these laws generally apply only to organizations that meet certain thresholds—typically based on the volume of personal data processed, revenue, or business activities. So, even if your nonprofit does not qualify for a specific nonprofit exemption, it may still be out of scope if it does not meet the law’s general applicability criteria.
Applicability of State Laws
The following table summarizes the treatment of nonprofit organizations under the privacy laws of the 13 states mentioned above:
| State | Nonprofit Exemption | Scope of Exemption |
| --- | --- | --- |
| California | Yes | Broad |
| Colorado | No | N/A |
| Connecticut | Yes | Broad |
| Delaware | Yes | Narrow |
| Iowa | Yes | Broad |
| Montana | Yes | Broad |
| Nebraska | Yes | Broad |
| New Hampshire | Yes | Broad |
| New Jersey | No | N/A |
| Oregon | Yes | Narrow |
| Texas | Yes | Broad |
| Utah | Yes | Broad |
| Virginia | Yes | Broad |
Let’s examine the different types of exemptions and what they mean for nonprofits.
No Exemptions
The data privacy laws of Colorado and New Jersey do not offer any specific nonprofit exemptions. Nonprofits in these states must evaluate whether the general applicability criteria place them within the scope of these laws. The Colorado Privacy Act (CPA) grants consumers rights over their personal data and applies to entities that do business in Colorado or deliver commercial products or services targeted to Colorado residents and that either (a) process the personal data of more than 100,000 Colorado residents in a calendar year, or (b) derive revenue or receive discounts on goods or services in exchange for the sale of personal data of at least 25,000 Colorado residents. Similarly, the New Jersey Data Privacy Act (NJDPL) applies to organizations doing business in New Jersey or targeting New Jersey residents that meet the same thresholds.
Narrow Exemptions
The data privacy laws of Delaware and Oregon do offer specific nonprofit exemptions, but the exemptions apply only to nonprofits operating within a narrow scope of activities.
- In Delaware, only nonprofits dedicated to preventing and addressing insurance fraud or providing services to victims of or witnesses to certain crimes are exempted. Other nonprofits need to check whether they fall within the scope of the Delaware Personal Data Privacy Act (DPDPA), which applies to organizations doing business in Delaware or targeting its residents that either process the personal data of at least 35,000 consumers or process data of 10,000 consumers while deriving over 20% of their revenue from the sale of personal data.
- In Oregon, the exemption applies only to nonprofits established to detect and prevent fraudulent acts in connection with insurance, and the non-commercial activity of nonprofits that provide programming to radio or television networks. In other cases, compliance is required if an organization processes data of over 100,000 consumers or 25,000 consumers with 25% or more of revenue from selling personal data.
Broad Exemptions
The nonprofit exemptions offered by the other states are much broader in scope, as they are not limited to a narrow set of activities.
- Under the data privacy laws of Connecticut, Iowa, Montana, Nebraska, New Hampshire, Texas, and Virginia, nonprofits are exempt based on their tax-exempt status under the U.S. Internal Revenue Code (and some of these states also have additional grounds of exemption).
- In California, only for-profit businesses (and entities controlled by for-profit businesses) are potentially subject to the California Consumer Privacy Act.
- In Utah, nonprofits incorporated under Utah’s nonprofit laws are exempt from the Utah Consumer Privacy Act.
Even if your nonprofit is exempt, data privacy should not be overlooked. Data privacy compliance is a best practice that offers significant benefits, for the reasons set out below.
Compliance Requirements and Tips
Privacy compliance requirements differ from state to state, but many of the laws share common themes. To move toward broad compliance, your nonprofit should consider implementing a comprehensive data privacy framework that includes policies and procedures designed to address key issues such as:
- Notice: Provide clear and accessible notice to the consumer, including details like what type of personal data is being collected, the purpose of collection, whether the data is shared or sold, information about the consumer’s rights, and your organization’s contact details.
- Opt-Out: Honor the consumer’s right to opt out of certain activities, like sales and targeted advertising. Providing straightforward opt-out options promotes transparency and respects individual preferences.
- Consent: Where required, seek consent prior to processing sensitive personal data, or when processing of other personal data requires it under applicable law. To be valid, consent needs to be informed, specific, unambiguous, freely given, and easily withdrawable.
- Access: Support consumers’ ability to access, review, and obtain copies of their personal data, as well as request corrections or deletion where appropriate. Establish clear, user-friendly processes to handle such requests promptly and transparently, even if not explicitly required by law.
- Data Minimization: Limit the collection and retention of personal data to what is necessary, in connection with a specific purpose.
- Security: Implement reasonable security measures to protect personal data in your organization’s possession.
- Vendor Management: Ensure contracts with service providers include clear privacy and security obligations when they process personal data on your organization’s behalf.
Benefits of Data Privacy Compliance
Whether or not your nonprofit is subject to a specific data privacy law, there are several benefits to adopting good data privacy compliance practices, including:
- Trust and Credibility: By demonstrating a commitment to protecting personal data, you can build trust and credibility with donors and stakeholders.
- Data Security: Adhering to good data privacy principles can help prevent or mitigate the risk of data breaches and the associated legal and financial consequences.
- Operational Efficiency: Effective data privacy practices and procedures can streamline your data management processes, freeing up more time to focus on your core mission. Even if not legally mandated, data mapping can help uncover duplicate vendors, outdated systems, and inefficiencies in how data is handled.
- Changing Legal Landscape: More and more states will soon be adopting data privacy laws. Your nonprofit can get ahead of the game and be prepared for future legal requirements.
- Adaptability: As your nonprofit grows and expands its reach, its activities might bring it into the scope of data privacy laws that didn’t apply previously. If you apply good data privacy governance early on, you will be ready if that happens.
By implementing good data privacy practices, your nonprofit can build trust, promote adaptability, improve efficiency, and mitigate risk. Managing this process can be challenging, especially when you are focused on your core mission. This is where professional support can make all the difference.
VeraSafe helps nonprofit organizations navigate every aspect of data privacy compliance. Whether you need help understanding your obligations or implementing a compliance program, VeraSafe provides practical support and integrates privacy best practices seamlessly into your organization. Contact us today to learn how we can support your compliance journey.