Thanks to technology and digital-all-the-things, nonprofits' mission fields have become extremely diverse and globalized. Although that reach is obviously important and beneficial, the primary downside is increased exposure to a wide variety of local/regional/national laws. As the locations of your donors, subscribers, program recipients, customers, etc. expand, so do your risks and liabilities when it comes to data. Regardless of an organization's physical presence, any digital interactions are subject to various laws based on that individual's residence.

It's a good thing!

At first glance, the checkboxes you have to solve seem burdensome. But to be clear, the concepts are an overall good thing! Embrace the regulations (I can't believe I just said that…)! For individuals, we frankly believe wholeheartedly that GDPR and CCPA are important and beneficial -- and we hope to see similar concepts rolled out to more areas in the near future. But even in the absence of laws, your donors are investing in your organization and others trust you with their information. These common-sense rules protect them and you!


The catalyst for many of these changes was the European Union's General Data Protection Regulation (GDPR), which has been enforced since May 2018. If your organization collects information from any individual living in an EU-member country, you're impacted by the regulations. There are no exceptions due to an organization's size or scope, meaning any nonprofit with an internet presence is affected.

In the following sections, we'll provide an overview of the regulations and necessary steps:

Jurisdiction & Enforcement

Personally Identifiable Information (PII)


Data Control Rights

Internal Controls


The California Consumer Privacy Act (CCPA) is in the same vein as GDPR, specifically focused on California residents. Enforcement began in January 2020. It shares many similarities with GDPR, but with a few primary differences.

CCPA has no "prior consent" concept like GDPR, instead leaning more heavily on transparency and strong opt-out requirements.

More important, nonprofits are exempt. For this reason, we're not diving into detail. However...

We firmly believe that similar laws will soon roll out to other states, possibly nation-wide. A lot hinges on FTC appointments, the 2020 election (both executive and legislative), etc. Further, CCPA always has the possibility of being amended.

For those reasons, we'd recommend using GDPR as a baseline, keeping an eye on CCPA, and being proactive now. Regardless of your current liability, it's better to be steps ahead than steps behind!

Typical Blind Spots

In our work with nonprofits, we've seen the same set of gaps come up repeatedly. And that's not to point fingers! You don't know what you don't know.

The following is an overview of those areas:

The Wrong Answer

Unfortunately, we also see nonprofits (and businesses) moving forward with the "wrong answer". Although GDPR support seems insurmountable at first, it's perfectly doable with a handful of best practices! However, the alternative is attempting to prevent EU citizens from using your services, subscribing, and donating. That's obviously not ideal for your mission, especially if you feel called to serve Europe!

Even worse, shutting off that pipeline is extremely error-prone. For example, it's difficult to reliably determine someone's location using an IP address or phone number. Even...worser?...both are fairly easy to circumvent using VPNs or digital phone services.

This isn't much of an option anyway now that CCPA is in the mix. It's hard enough to try and determine someone's country. It's impossible to reliably determine a state or region within the US.

Now what?

Hopefully all this is a helpful starting point for auditing your own organization and implementing some urgent changes. However, if you'd like help, we'd love to partner with you.