Skip to Main Content

CCPA Compliance for Nonprofits

5 min read
November 25, 2019
Allison Smith headshot
Allison Smith
Content Marketing Coordinator, Neon One

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a consumer protection regulation, focused on data privacy rights for residents of California. Similar to Europe’s GDPR, the CCPA guarantees the protection of personal data by requiring organizations collecting this data to properly disclose how data is used. Under the CCPA, individuals can easily revoke consent for the storage and usage of their data.

The current version of the CCPA was passed in California in September 2018, and its rules go into effect on January 1, 2020.

What Does CCPA Mean for My Nonprofit?

Who Does CCPA Apply to?

Generally, CCPA only applies to for-profit businesses. The law is fairly explicit on the topic of what types of organizations fall under its rules, unlike the European GDPR, which broadly defines any entity that collects data as being subject to its rules.

CCPA applies to any organization (“business“) that:

  1. is for-profit
  2. collects consumers’ personal information, or on the behalf of which such information is collected;
  3. determines the purposes and means of the processing of consumers’ personal information;
  4. does business in California (physically or remotely); and
  5. meets any of the following thresholds:
    • has annual gross revenue in excess of $25 million;
    • alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal nformation of 50,000 or more consumers, households, or devices; or
    • derives 50% or more of its annual revenues from selling consumers’ personal information

If you are a nonprofit entity owned by a for-profit business that any of the former applies to, you may be subject to its rules and regulations.

Where Does CCPA Apply?

CCPA applies to any organization doing business in the state of California. This includes the handling of any personal data of a California resident, even if your organization has no physical presence in the state.

What is “Personal Data” Under CCPA?

CCPA provides specific categories of information that can be considered “personal information”. These include, but are not limited to:

  • identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, social security number, driver’s license number, passport number, or similar identifiers;
  • commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • biometric informeration;
  • internet or other electronic network activvity information, that includes browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
  • geolocation data;
  • audioelectronicvisualthermalolfactory, or similar information;
  • professional or employment related information;
  • education information, provided that it is not publicly available; and
  • inferences drawn from any of the information identified to create a profile about a consumer reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

As with GDPR, CCPA also excludes anonymized or aggregated data from its definition of personal data.

What Uses of Personal Data are Covered Under CCPA?

CCPA broadly defines the usage of personal data to be:

  1. Collecting
  2. Selling
  3. Processing

It should therefore be assumed that any sort of handling of personal data is subject to CCPA, unless the organization properly anonymizes the data.

What Rights do Individuals have Under CCPA?

The rights guaranteed to individuals under CCPA are:

  1. Right to erasure (right to deletion) – The right to have one’s personal data removed by the data collector.
  2. Right to be informed – The right to be informed of how one’s personal data is being used.
  3. Right to object (right to opt-out) – The right to opt out of some or all uses of one’s personal data.
  4. Right of access – The right to access and review one’s collected personal data.
  5. Right not to be subject to discrimination for exercise of rights – The right to not be discriminated against for exercising any of the rights on this list.
  6. Right to data portability – The right to easily export one’s personal data in a format that allows for easy transmission to a third-party.

How can Neon Help Your Organization with CCPA Compliance?

NeonCRM makes it easy to track constituent consent, with GDPR-compliant account fields to manage consent over time.
NeonCRM makes it easy to track constituent consent, with GDPR-compliant account fields to manage consent over time.

Give Your Constituents More Control Over Their Data.

Give your constituents more control over their personal data, with a new consent section on all NeonCRM account pages. Track, manage, and report on constituent consent to ensure your data processing is CCPA-compliant. New fields include:

  • Consent Response. Was consent given?
  • Consent Scope. What type of data processing was consented?
  • Consent Change Log. When was consent given or revoked?
NeonCRM helps you comply with GDPR regulations by making it easy to add your consent fields and privacy policy to any online form.
NeonCRM helps you comply with GDPR regulations by making it easy to add your consent fields and privacy policy to any online form.

Create Transparent and Compliant Online Forms.

Make it easy for constituents to opt-in by including consent fields and privacy policy details on your online forms. You can add consent and privacy to all of your forms at once in system settings, instead of updating each form individually.

Other Neon Service Updates

  • Neon Websites will now include privacy policy statements with clear and explicit definitions of how personal data will be used and methods.
  • Neon will accommodate requests from clients’ constituents to execute any individual rights (i.e. requests to see, update, or remove personal data).
  • Documented data breach protocols. As part of the CCPA regulations, we have updated procedures for reporting data breaches. See our Terms of Service for more details.
  • Updated Privacy Policy. In compliance with CCPA, we have made updates to our Privacy Policy to ensure we are giving our users more control over their personal data.

Join the discussion in our Slack channel on connected fundraising

Looking to become a more connected nonprofit leader?

Join 73,000+ of your peers getting industry news, tips, and resources straight to their inbox.