Nonprofits have less than three months left to comply with a Colorado data privacy law set to take effect July 1.
The statute was signed two years ago by Colorado Gov. Jared Polis. Colorado’s law follows similar legislation in California and Virginia. However, unlike the other legislation already on the books, the Colorado law contains no exemption for nonprofits and will apply to a broad swath of organizations that conduct fundraising or other business in Colorado, regardless of whether the organizations themselves are based there.
Nonprofits, data and list brokers, and others that process the personal data of 100,000 or more individuals in a calendar year or exchange the personal data of 25,000 or more individuals in a calendar year will be subject to its provisions. According to the Colorado Attorney General’s Office, “The law also applies to service providers, contractors, and vendors that manage, maintain, or provide services” on the organizations’ behalf. Those subject to the new law will be required to:
- Confirm whether or not they process individuals’ personal data and provide them access to that information.
- Enable individuals to opt out of the processing of their personal information.
- Provide individuals the right to correct inaccurate personal information.
- Provide individuals the right to have personal information deleted.
- Provide a meaningful privacy notice to individuals detailing their various rights.
The new law does not contain a private right of action, meaning any lawsuits stemming from violations could be initiated only by an official state agency responsible for enforcing it, as opposed to by a private individual, unless a court ruled otherwise. However, nonprofits are strongly advised to consult their legal counsel regarding compliance.
Three other states — Connecticut, Utah, and Iowa — have enacted data privacy laws of their own that will also take effect during the next two years, though none of them will apply to nonprofits. Connecticut’s law, like Colorado’s, takes effect July 1. The Utah legislation takes effect at the end of this year, and Virginia’s will take effect Jan. 1, 2025.
The spate of legislation comes on the heels of the even more stringent General Data Privacy Regulation (GDPR) adopted by the European Union two years ago. As many as two dozen other states are believed to be considering similar laws, which is raising concerns that complying with the patchwork of multiple state laws could make fundraising prohibitively burdensome and expensive. Nonprofits would bear the brunt as would data and list brokers, which inevitably would pass the costs along to their nonprofit clients.
“Over the next couple of years, there will likely be several more of these statutes that will be made law in other states,” said Mark Micali, vice president of government affairs at The Nonprofit Alliance in Washington, D.C. “Some of these laws are quite similar to each other, but they’re all slightly different as well. So, the patchwork quilt is going to get even broader, which is not a good thing, and the need for one national ‘rules of the road,’ one national standard, is going to get even stronger.”
Micali continues to advocate for one national standard but doesn’t anticipate Congress enacting one prior to the 2024 election given the political divide and other issues currently sucking the air out of the room. Further complicating matters is that getting legislation to the floor will require the support of the ranking Democrat and Republican on each of the House and Senate commerce committees. One of them, Sen. Maria Cantwell (D-WA), has thrown cold water on the idea so far.
“Her view is that any federal privacy bill should serve as a floor and then if the states want to have more rigorous regulation, they can do that, which really is not a national standard at all,” Micali said. “Given that Sen. Cantwell has such an important role to play on this issue, it seems very unlikely that anything will happen in this current two-year cycle.”
