Privacy Law

Resources: Privacy Law | Privacy Law White Paper | Raiser's Edge | Data Minimization

Resources - Privacy Law

This is the downloadables page for my resources on privacy law in the United States. You'll also find loads of links to useful websites and news articles. The resources are free to download and don't require giving me your email. They may be shared with colleagues with proper attribution to me. Distribution without permission, commercial copying and lending are prohibited. These resources do not constitute legal advice and you must seek guidance specific to your organisation when making changes to your data and processes. Any questions on this or if you need my help, drop me a line.

Topic Guides

PresentationS & WEBINARS

Links: Useful websites

Links: News articles

Topic guides

Updated! Tracking State privacy law (PDF 150KB): A list of enacted bills, highlighting those that do NOT exempt nonprofits, state funded higher ed exemptions, compliance thresholds and links to more info. Updated April 24, 2026.

New! Elements of a good Privacy Policy (PDF 233KB) lists what I think makes a good policy along with examples of what makes a bad one.

Updated! Sharing Donor Names (PDF 199KB): Asking if this can ever be done securely, this short guide considers a safe approach for sharing info with memorial fundraisers. Updated April 2026.

Updated! Annual Reports and Honor Walls (PDF 198KB): This short guide looks at the difficult issue of whether you can securely share donor names in annual reports and on honor walls and considers the safest approach. Updated April 2026.

New! Comparing GDPR lessons learned with US state privacy law implementation (PDF 237KB) looks at 9 lessons from UK GDPR in 2018 and how state privacy law compares.

Updated! Unlocking potential: contacting European constituents under GDPR (PDF 272KB) addresses questions I was asked on GDPR at my 2023 AASP Summit presentation on privacy law and argues that you should not ignore your overseas constituents because of GDPR fears. Updated April 2026.

Anticipating AI regulation: a few thoughts (PDF 172KB). A response to questions I was asked at 2023 AASP Summit and takeaways from the 2023 Executive Order on AI (this order was reversed in January 2025. See this article from Caitlin Andrews at the IAPP for an overview of the situation. AI regulation won't be going away though: there is a lot of activity at state level).

The Colorado precedent (PDF 166KB): What you can learn from the CPA even if it doesn't apply to your organization .

Presentations & webinars

Slides from Raiser's Edge Facebook User Group webinar January 20, 2023: Donor data privacy: Why the Colorado DPA sets a precedent and what you can do about it (PDF 366KB)
Slides from Raiser's Edge Facebook User Group webinar May 25, 2023: Donor data privacy: What's new in privacy law and what you can do about it (PDF 438KB). Recording of webinar May 25, 2023: OneDrive (MP4 282MB or ZIP 148MB).
Slides from AASP Summit presentation September 28, 2023: Privacy First: Anticipating future legislation and the Impact on your operations (PDF 2.1MB).
Slides from Raiser's Edge Facebook User Group webinar March 15, 2024: Privacy Law & Donor Data (PDF 520KB). Edited Q&A: Privacy Law & Donor Data Zoom Chat Questions (PDF 140KB).
Recording of AASP panel webinar June 11 2024, Data Maximalism to Data Minimalism, with Necie Liggeons and Bill Connors (recording is free to AASP members if you log in).
Slides from Raiser's Edge Facebook User Group webinar October 11, 2024: Privacy Law & Donor Data (PDF 400KB). Edited Q&A: Privacy Law & Donor Data Zoom Chat Questions (PDF 120KB). Recording of webinar October 11, 2024: OneDrive (MP4 414MB or ZIP 315MB).
Slides from AASP Summit presentation September 12, 2025: Privacy law is here: What's new in privacy law, what enforcement looks like and what you can do about it (PDF 2.8 MB). Edited Q&A: Privacy law is here Q&A (PDF 120KB).

Feedback from my AASP Summit 2025 presentation:
"Critical updates very pertinent to all, very practical awareness. Excellent!"
"We need to make sure we have a privacy presentation annually...The laws are changing and updates every year. I rely on Amy!"
"Best presentation of all. Content was well presented and thorough; lots of resources provided."
"Love, love, loved that there were so many resources included in the presentation and handouts, and enough was explained during the presentation to give us a good understanding of the information, but just enough to get us curious and then the resources to learn more. I greatly appreciate the work that went into pulling all of these resources together in an organized and digestible way. Thank you, Amy, for making the trek and sharing your knowledge with us!"
"Very informative. Please, AASP, offer more on how we can manage privacy & data retention & destruction."

Links: useful websites and thought leaders to follow

I'm not responsible for the security and content of these links.

IAPP State Legislation Tracker & Map: iapp.org/resources/article/us-state-privacy-legislation-tracker
IAPP Federal Legislation Tracker: iapp.org/resources/article/us-federal-privacy-legislation-tracker
IAPP State AI Governance Legislation Tracker & Map: iapp.org/resources/article/us-state-ai-governance-legislation-tracker
Oregon Department of Justice FAQs page for nonprofits: doj.state.or.us/consumer-protection/for-businesses/privacy-law-faqs-for-nonprofits/. This is a great place to start to understand how state privacy law may impact your nonprofit. It's the first state I've seen providing guidance specifically for our sector. If you read nothing else, read this!
iData blog - data management concepts and tips: blog.idatainc.com
National Institute of Standards and Technology blog - cybersecurity and privacy topics: nist.gov/cybersecurity-and-privacy
The Nonprofit Alliance has a well-written explainer on state laws which it regularly updates and a tracker of pending legislation which is easy to navigate: tnpa.org/get-involved/policy-in-the-states/
Cobun Zweifel-Keegan, JD of the IAPP posts regularly on LinkedIn: linkedin.com/in/cobun
Kirk Schmidt on LinkedIn - look out for his posts on predictive analytics and privacy in fundraising, an area to watch if you want to engage in advanced analytics using personal data: ca.linkedin.com/in/kirkschmidtcalgary
Nonprofits are Messy: blog.joangarry.com/nonprofits-are-messy-podcast. Joan Garry’s brilliant podcast covers a wide range of subjects. Look out for her sessions on boards and getting leadership to embrace change. I recommend episode 196 with Beth Kanter on AI: joangarry.com/podcast/ep-196-how-risky-is-ai-for-nonprofits-with-beth-kanter/.
Common data protection mistakes (and how to fix them), ICO: ico.org.uk/for-organisations/advice-for-small-organisations/getting-started-with-gdpr/common-data-protection-mistakes-and-how-to-fix-them/. A useful list from the Information Commissioner's Office in the UK. Although it applies to UK orgs the lessons are transferable. This one in particular is key: "The more personal data you hold, the more storage space and security measures you need to keep it safe – which will cost you time, as well as money...Have a reason to keep information, rather than a reason to get rid of it. If you’re required to keep information for a certain length of time, such as financial, medical or legal records, record your reasons in a retention policy...You should sort through your data on a regular basis and destroy personal data securely when you no longer need it."
Privacy notice/privacy policy tools, ICO: ico.org.uk/for-organisations/advice-for-small-organisations/privacy-notices-and-cookies/. Useful advice on how to do privacy and cookie notices including a privacy notice generator tool.
Privacy Officer Toolkit & Policy examples, NYC Office of Information Privacy: nyc.gov/content/oti/pages/information-privacy. The NYC OIP freely shares their excellent toolkit and policies & protocols document. These are intended for local government partners but are a great place to start if you need an example of privacy documentation done well.
Understanding global opt-outs/universal opt out mechanisms: the GPC website is a good place to start: globalprivacycontrol.org/#faq
Privacy sessions at 2026 conferences: I was pleased to see privacy starting to appear as a topic on schedules of major conferences this year. Look out for these sessions (search "privacy"): NTEN 2026 Kim Snyder, Eliza Slone et al; AFP ICON David Tinker April 27 8.30am.

Links: news articles

Scroll down for most recent. I'm not responsible for the security and content of these links.

Grant Fritchey, "GDPR in the USA", Redgate Hub, March 28, 2019: red-gate.com/simple-talk/devops/data-privacy-and-protection/gdpr-in-the-usa
Ian De Freitas and Henry Sainty, "GDPR: two years in – What’s next?", Farrer & Co LLP, October 7, 2020. farrer.co.uk/news-and-insights/gdpr-two-years-in--whats-next/ An interesting review of remaining issues in the UK two years after GDPR was implemented. Use this to imagine what the future might hold in the aftermath of new state/federal privacy law.
Joshua Mooney, "A cheat sheet for Colorado’s forthcoming new privacy act", Kennedys Law LLP, June 23, 2021. kennedyslaw.com/thought-leadership/article/a-cheat-sheet-for-colorado-s-forthcoming-new-privacy-act/
Thorin Klosowski, "The State of Consumer Data Privacy Laws in the US (And Why It Matters)", New York Times, September 6, 2021: nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/amp
Bryn Weaver, "How Nonprofits Can Prepare for the Colorado Privacy Act", Wiland Blog, December 2, 2021: wiland.com/blog/how-nonprofits-can-prepare-colorado-privacy-act/
Tyler Thompson, Greenberg Traurig LLP, "Complying with the new Colorado Privacy Act will impact nonprofits", Denver Business Journal, January 27, 2022: bizjournals.com/denver/news/2022/01/27/complying-new-colorado-privacy-act.html
Cobun Zweifel-Keegan, "A view from DC: Is purpose-built privacy possible?", IAPP, September 23, 2022. iapp.org/news/a/a-view-from-dc-is-purpose-built-privacy-possible/. The problems of data minimisation and consent purpose. Designing privacy-first tools as a solution to navigating future legislation.
Stephen Almond, "Generative AI: eight questions that developers and users need to ask", ICO, April 3, 2023. ico.org.uk/about-the-ico/media-centre/blog-generative-ai-eight-questions-that-developers-and-users-need-to-ask/
James Sullivan, Hayley Curry and Matt Dhaiti, "Oregon enacts latest comprehensive consumer data privacy law", DLA Piper, July 2023. dlapiper.com/en-us/insights/publications/2023/07/oregon-enacts-latest-comprehensive-consumer-data-privacy-law. Like the Colorado Privacy Act, the Oregon Consumer Privacy Act does NOT exempt nonprofits.
Meghan K. Farmer, John M. Brigagliano and Zain Haq, "Secondary Uses of Personal Data Should Still be Your Primary Concern: Consent Requirements under U.S. State Privacy Laws", Lexology, August 16, 2023. lexology.com/library/detail.aspx?g=54ab9ef0-3bae-46b1-8f67-8d0dcfa02158. "Secondary use" is using consent for a secondary purpose and is a topic you'll want to keep an eye on. This article has a useful comparison chart of the treatment of secondary use in state laws to date.
Elliot R. Golding and Allison McSorley Tassel, "State Regulators Step Up Enforcement of New Privacy Laws", National Law Review, September 5, 2023. natlawreview.com/article/state-regulators-step-enforcement-new-privacy-laws. State privacy laws have teeth: Colorado's attorney general took action within days of the CPA becoming law.
Michael T. Borgia, Benjamin Robbins, and Patrick J. Austin, "Delaware's New Personal Data Privacy Act", Davis Wright Tremaine LLP, September 13, 2023. dwt.com/blogs/privacy--security-law-blog/2023/09/delaware-personal-data-privacy-act-enacted
Joseph Duball, "Nuances highlight New Jersey's comprehensive privacy bill", IAPP, January 10, 2024. iapp.org/news/a/nuances-highlight-new-jerseys-comprehensive-privacy-bill/. Differences to the norm in New Jersey's new law.
Jennifer J. Hennessy and Alexander Misakian, "New Jersey Passes Comprehensive Privacy Law to Lead the 2024 Wave of State Privacy Laws", Foley & Lardner LLP, January 24, 2024. foley.com/insights/publications/2024/01/new-jersey-passes-comprehensive-privacy-law-2024/.
Tech Horizons Report, ICO, March 2024: ico.org.uk/about-the-ico/research-reports-impact-and-evaluation/research-and-reports/technology-and-innovation/tech-horizons-report/. An interesting primer to future technology developments that the ICO is following and how they could impact consumer privacy. Look in particular at sections on personalised AI and next-generation search.
Ethan Dewitt, "A guide to New Hampshire’s new data privacy rights", New Hampshire Bulletin, March 12, 2024. newhampshirebulletin.com/2024/03/12/a-guide-to-new-hampshires-new-data-privacy-rights/. NH has a strikingly low threshold for compliance, setting a precedent that other states could follow.
Nancy Libin, Apurva Dharia, and Donara Aghajani, "Maryland Creates a New Paradigm for Data Privacy", Davis Wright Tremaine LLP, May 15, 2024. dwt.com/blogs/privacy--security-law-blog/2024/05/maryland-online-data-privacy-act-signed
David P. Saunders and James S. Mann, "The Gopher State Goes for It: Minnesota Passes Consumer Data Privacy Law", McDermott Will & Emery, May 22, 2024. mwe.com/insights/the-gopher-state-goes-for-it-minnesota-passes-consumer-data-privacy-law/
Tamara Chuang, "What’s Working: Colorado’s deadline for websites to add “Do not sell my data” detector is Monday", The Colorado Sun, June 29, 2024. coloradosun.com/2024/06/29/colorado-do-not-sell-my-data-consumer-privacy-law/
Keir Lamont, "Five Big Questions (and Zero Predictions) for the U.S. State Privacy Landscape in 2025", Future of Privacy Forum, December 17, 2024. fpf.org/blog/five-big-questions-and-zero-predictions-for-the-u-s-state-privacy-landscape-in-2025/
Sam Castic, "10 areas for US-based privacy programs to focus in 2025", January 14, 2025. iapp.org/news/a/10-areas-for-privacy-programs-to-focus-in-2025
Ron De Jesus, "Prioritizing privacy in the absence of clear federal guidelines", IAPP, January 24, 2025. iapp.org/news/a/prioritizing-privacy-in-the-absence-of-clear-federal-guidelines
Jordan Francis, "Amendments to the Montana Consumer Data Privacy Act Bring Big Changes to Big Sky Country", Future of Privacy Forum, May 12, 2025. fpf.org/blog/amendments-to-the-montana-consumer-data-privacy-act-bring-big-changes-to-big-sky-country/. This amendment saw the majority of nonprofits NOT exempted from Montana's privacy law and the threshold for compliance lowered to 25,000 records.
C. Kibby, "Emerging trends, insights from public enforcement of US state privacy laws", IAPP, June 30, 2025. iapp.org/news/a/emerging-trends-insights-from-public-enforcement-of-us-state-privacy-laws
"Major Data Privacy Bill Signed into Law; New law, effective 2027, gives Oklahomans greater control over personal information", March 23, 2026. okhouse.gov/posts/news-20260323_2. The 20th state privacy law exempts nonprofit 501(c)(3)'s but is worth reading about as it's been over a year since the last new bill. This is no longer fledgling law; commonalities have been well established and Oklahoma's bill is an example of repeating and cementing what other states have done.
Julia B. Jacobson, Alan L. Friel, Squire Patton Boggs (of Consumer Privacy World), "Oklahoma’s New Privacy Law Sweeps In", National Law Review, March 26, 2026. natlawreview.com/article/oklahomas-new-privacy-law-sweeps
Jason Koestenblatt, "Alabama Becomes 21st State to Pass Personal Data Protection Act", OneTrust, April 22, 2026. onetrust.com/blog/alabama-becomes-21st-state-to-pass-personal-data-protection-act/
Cobun Zweifel-Keegan, David Botero, "SECURE Data Act: Analysis of the new federal privacy bill", IAPP, April 22, 2026. iapp.org/news/a/secure-data-act-analysis-of-the-new-federal-privacy-bill