U.S. Privacy Alert

September 30, 2019      Roger Craver

I realize it’s rich in irony to be posting an alert on privacy to readers in an industry that routinely rents and exchanges its donors’ names and addresses to other nonprofits with little or no notice or permission whatsoever in order to create what many donors consider a nuisance.

But the time has come for nonprofit fundraisers, boards and CEOs in the US to tune in and begin paying serious attention to changes in law –and most importantly in public attitude—that will affect them sooner or later.

In fact, it’s likely your organization will be affected sooner rather than later.  In less that 90 days– on January 1, 2020—the California Consumer Privacy Act (CCPA) will take effect. This new law, along with an existing law in Vermont, and laws that are working their legislative way in other states, should have everyone’s attention.

Don’t think that because your organization isn’t based in California you’re not affected.  If you have a single California donor –and hundreds of nonprofits have thousands and thousands of California donors – you’ll likely be affected.

I’ll explain why in a minute.

BUT FIRST, I want to alert you to a FREE webinar titled Data Privacy. Are you ready? That will be held this Wednesday, October 2 from 1-2 PM (EDT).  Hosted by the DMFA, and promoted also by the DMAW and the Nonprofit Alliance the session features Shannon McCracken, CEO of the Nonprofit Alliance and Britt Vatne, President of Data Managemenet at ALC.    They’ll explain why we all need to get up to speed if for no other reason than to meet rising consumer expectations and maintain donor trust. Register FREE here.

WHY YOU SHOULD CARE.

Although Nonprofit organizations are exempt from the California Consumer Privacy Act and may be exempt from future state and even federal data legislation, unlike other regulations where business functions are fairly self-contained, fundraising has a heavy reliance on third party dataand third-party data providers.  AND…those data sources and their partners must comply.  Consequently, if you use third parties for acquisition data, wealth data, demographic, you name it, your organization is likely to be impacted by those companies’ compliance efforts and costs.

“Where did you get may name?”

I’m sure every direct response fundraiser has heard that question over and over.  Of course, how responsive organizations have been to that question varies widely from responding immediately to simply ignoring the question.

Well, those days are nearing an end.

As you’re no doubt aware consumer expectations and concern over privacy and the use of their personal data has changed and will continue to grow more pronounced.   This is not a Facebook or Google problem, it’s all of our problem –especially those in the nonprofit sector.  Nonprofits are built on the foundation of trust with our donors/investors.  Keeping up with transparency and accountability standards will reinforce our stakeholders’ trust. Failure to do so will diminish it.

So, in light of the new California law– and other laws in the pipeline–  you need to be prepared to promptly and explicitly answer those  “Where-did-you- get- my- name?”or “What- information- do- you-have-on- me -and-where-did-you-get-it? ” questions.  Failure to do so may be quite costly.

Our purpose with this post is to alert you to the fact that the clock is now ticking in the U.S.  And to urge you to get up to speed starting with the Wednesday Data Privacy. Are you ready? webinar. Again, it’s free and you can sign up here.

 

Getting Prepared for January and Beyond

Here at the Agitator we’ve opened a new category –PRIVACY—in our Archives and will begin to regularly share the research and experience of our colleagues at DonorVoice whose European team has been actively involved over the past year in the opportunities and challenges involving implementation of EU’s General Data Protection Regulation (GDPR)

The California law is structured around a few key questions that you should begin thinking about and which we’ll also cover and some of which is likely to be covered in Wednesday’s DMFA,DMAW, Nonprofit Alliance webinar.

  • What data are you collecting?…Why are you collecting it? How do you store it?
  • Nonprofits that prepared for GDPR compliance are in a good place to answer those questions and what were some of the discoveries they made along the way?
  • Effective immediately –or a soon as possible –what processes should be tightened up and what in your privacy policy should be updated?
  • Looking to the more distant future (in all probability not that distant given the public’s concern over privacy) what should you be doing to collect opt-in permission and documentation of that?  Future regulatory iteration my require you to have the proof of opt-in that will save you from having to purge valuable constituent information.
  • What steps should you be taking to train and empower frontline staff to confidently and accurately address donor questions about their data.  This is the opportunity to reinforce trust.  A donor services manager who says, “We aren’t required to comply with data privacy laws,” or “I have no idea what you’re talking about” … is not reinforcing trust.

I fully realize there will be many nonprofits that simply choose to ignore what’s coming.  That’s a shame–a costly shame– because –whether nonprofits are exempt from regulation or not—we have an opportunity to demonstrate a degree of trust-building transparency with our donors.  Transparency that research shows not only builds trust but increases revenue.

To that end I’m working with my colleagues over at TrueGivers and will be sharing thoughts and practical suggestions on why and how CRMs should be providing their clients and their clients’ donors with a Privacy Manager that gives donors complete access to all data fields and contact methods, providing visibility into the organization’s activities related to the donor. An answer to “How did you get my name?” and much, much more.

What steps are you taking to seize the privacy opportunities coming down the pike?

Roger