Resources - US privacy law
This is the downloadables page for my white paper on privacy law in the United States and how-to's for tackling donor data privacy challenges. You'll also find loads of links to useful websites and news articles. The resources are free to download and don't require giving me your email. They may be shared with colleagues with proper attribution to me. Distribution without permission, commercial copying and lending are prohibited. These resources do not constitute legal advice and you must seek guidance specific to your organisation when making changes to your data and processes. Any questions, drop me a line.
White paper
GDPR-like Privacy Law in the United States (PDF 14.6MB) Lower resolution version (PDF 700KB)
If you need to print, skip the section dividers to save ink (pages 4, 7, 12, 17, 20, 24, 27).
Short version
GDPR-like Privacy Law in the US - Key Points (PDF 117KB)
A very brief summary of the paper's key points.
Just the case study
Future-proofing data handling at KSU (PDF 1.4MB)
The Kennesaw case study from pages 21-23 of the white paper.
GDPR-like Privacy Law in the United States (PDF 14.6MB) Lower resolution version (PDF 700KB)
If you need to print, skip the section dividers to save ink (pages 4, 7, 12, 17, 20, 24, 27).
Short version
GDPR-like Privacy Law in the US - Key Points (PDF 117KB)
A very brief summary of the paper's key points.
Just the case study
Future-proofing data handling at KSU (PDF 1.4MB)
The Kennesaw case study from pages 21-23 of the white paper.
Quick guides
Tracking state privacy law: a very simple list of enacted bills, highlighting those that do NOT exempt nonprofits last updated July 2024 (PDF 298KB)
Letting Data Go: Making data minimization your friend (PDF 120KB)
The Traffic Light Data Entry System: a simple method for managing information accuracy in your database (PDF 192KB) handout from AASP Summit panel session September 27, 2023. A data entry method devised with Aldera Chisholm and Bill Connors.
Unlocking potential: contacting European constituents under GDPR (PDF 173KB) addresses questions I was asked around GDPR at my AASP Summit 2023 presentation.
Anticipating AI regulation: a few thoughts (PDF 172KB) a response to questions I was asked at AASP Summit 2023 and some takeaways from the 2023 White House Executive Order on AI. (This exec order was reversed by Trump in January 2025. See this article from Caitlin Andrews at the IAPP for an overview of the situation. AI regulation won't be going away though: expect activity at state level).
The Colorado precedent: What you can learn from the CPA even if it doesn't apply to your organization (PDF 166KB)
Annual Reports and Honor Walls: Can donors be listed securely? (PDF 112KB)
Sharing Donor Names: Can it be done securely? (PDF 113KB)
Quick guides - Raiser's Edge
Consents in The Raiser’s Edge: Considerations and shortcomings of this feature (PDF 144KB)
Consents in The Raiser’s Edge: Sample setup (PDF 149KB)
Info Source Options in The Raiser’s Edge: Tracking sources of information (PDF 127KB)
Raiser's Edge NXT Email: Pros and Cons of this feature (PDF 127KB)
Tracking state privacy law: a very simple list of enacted bills, highlighting those that do NOT exempt nonprofits last updated July 2024 (PDF 298KB)
Letting Data Go: Making data minimization your friend (PDF 120KB)
The Traffic Light Data Entry System: a simple method for managing information accuracy in your database (PDF 192KB) handout from AASP Summit panel session September 27, 2023. A data entry method devised with Aldera Chisholm and Bill Connors.
Unlocking potential: contacting European constituents under GDPR (PDF 173KB) addresses questions I was asked around GDPR at my AASP Summit 2023 presentation.
Anticipating AI regulation: a few thoughts (PDF 172KB) a response to questions I was asked at AASP Summit 2023 and some takeaways from the 2023 White House Executive Order on AI. (This exec order was reversed by Trump in January 2025. See this article from Caitlin Andrews at the IAPP for an overview of the situation. AI regulation won't be going away though: expect activity at state level).
The Colorado precedent: What you can learn from the CPA even if it doesn't apply to your organization (PDF 166KB)
Annual Reports and Honor Walls: Can donors be listed securely? (PDF 112KB)
Sharing Donor Names: Can it be done securely? (PDF 113KB)
Quick guides - Raiser's Edge
Consents in The Raiser’s Edge: Considerations and shortcomings of this feature (PDF 144KB)
Consents in The Raiser’s Edge: Sample setup (PDF 149KB)
Info Source Options in The Raiser’s Edge: Tracking sources of information (PDF 127KB)
Raiser's Edge NXT Email: Pros and Cons of this feature (PDF 127KB)
Presentations & webinars
- Slides from Raiser's Edge Facebook User Group webinar January 20, 2023: Donor data privacy: Why the Colorado DPA sets a precedent and what you can do about it (PDF 366KB)
- Slides from Raiser's Edge Facebook User Group webinar May 25, 2023: Donor data privacy: What's new in privacy law and what you can do about it (PDF 438KB). Recording of webinar May 25, 2023: OneDrive (MP4 282MB or ZIP 148MB).
- Slides from AASP Summit presentation September 28, 2023: Privacy First: Anticipating future legislation and the Impact on your operations (PDF 2.1MB).
- Slides from Raiser's Edge Facebook User Group webinar March 15, 2024: Privacy Law & Donor Data (PDF 520KB). Edited Q&A: Privacy Law & Donor Data Zoom Chat Questions (PDF 140KB).
- Recording of AASP panel webinar, Data Maximalism to Data Minimalism, with Necie Liggeons and Bill Connors, June 11, 2024 (recording is free to AASP members if you log in).
- Slides from webinar October 11, 2024: Privacy Law & Donor Data (PDF 400KB). Edited Q&A: Privacy Law & Donor Data Zoom Chat Questions (PDF 120KB). Recording of webinar October 11, 2024: OneDrive (MP4 414MB or ZIP 315MB).
Links: useful websites and thought leaders to follow
I'm not responsible for the security and content of these links.
I'm not responsible for the security and content of these links.
- IAPP State Legislation tracker: iapp.org/resources/article/us-state-privacy-legislation-tracker
- IAPP Federal Legislation tracker: iapp.org/resources/article/us-federal-privacy-legislation-tracker
- IAPP artificial intelligence hub: iapp.org/resources/topics/artificial-intelligence-1/
- Center on Privacy & Technology at Georgetown Law: law.georgetown.edu/privacy-technology-center
- iData blog - data management concepts and tips: blog.idatainc.com
- IT Governance blog: itgovernanceusa.com/blog/category/data-protection
- National Institute of Standards and Technology blog - cybersecurity and privacy topics: nist.gov/privacy-0
- The Nonprofit Alliance has a well-written explainer on state laws which it regularly updates: tnpa.org/get-involved/policy-in-the-states/
- Cobun Zweifel-Keegan, JD of the IAPP posts regularly on LinkedIn: linkedin.com/in/cobun
- Kirk Schmidt on LinkedIn - look out for his posts on predictive analytics and privacy in fundraising, an area to watch if you want to engage in advanced analytics using personal data: ca.linkedin.com/in/kirkschmidtcalgary
- Nonprofits are Messy: blog.joangarry.com/nonprofits-are-messy-podcast. Joan Garry’s brilliant podcast covers a wide range of subjects. Look out for her sessions on boards and getting leadership to embrace change. I recommend episode 196 with Beth Kanter on AI: joangarry.com/podcast/ep-196-how-risky-is-ai-for-nonprofits-with-beth-kanter/.
- Common data protection mistakes (and how to fix them), ICO: ico.org.uk/for-organisations/sme-web-hub/common-data-protection-mistakes-and-how-to-fix-them/. A useful list from the Information Commissioner's Office in the UK. Although it applies to UK orgs the lessons are transferable. This one in particular is key: "The more personal data you hold, the more storage space and security measures you need to keep it safe – which will cost you time, as well as money...Have a reason to keep information, rather than a reason to get rid of it. If you’re required to keep information for a certain length of time, such as financial, medical or legal records, record your reasons in a retention policy...You should sort through your data on a regular basis and destroy personal data securely when you no longer need it."
- Privacy notice/privacy policy generator, ICO: ico.org.uk/for-organisations/advice-for-small-organisations/create-your-own-privacy-notice/. A new tool from the Information Commissioner's Office in the UK that creates a privacy notice from scratch.
Links: news articles (scroll down for most recent)
I'm not responsible for the security and content of these links.
I'm not responsible for the security and content of these links.
- Grant Fritchey, "GDPR in the USA", Redgate Hub, March 28, 2019: red-gate.com/simple-talk/devops/data-privacy-and-protection/gdpr-in-the-usa
- Ian De Freitas and Henry Sainty, "GDPR: two years in – What’s next?", Farrer & Co LLP, October 7, 2020. farrer.co.uk/news-and-insights/gdpr-two-years-in--whats-next/ An interesting review of remaining issues in the UK two years after GDPR was implemented. Use this to imagine what the future might hold in the aftermath of new state/federal privacy law.
- Joshua Mooney, "A cheat sheet for Colorado’s forthcoming new privacy act", Kennedys Law LLP, June 23, 2021. kennedyslaw.com/thought-leadership/article/a-cheat-sheet-for-colorado-s-forthcoming-new-privacy-act/
- Thorin Klosowski, "The State of Consumer Data Privacy Laws in the US (And Why It Matters)", New York Times, September 6, 2021: nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/amp
- Bryn Weaver, "How Nonprofits Can Prepare for the Colorado Privacy Act", Wiland Blog, December 2, 2021: wiland.com/blog/how-nonprofits-can-prepare-colorado-privacy-act/
- Tyler Thompson, Greenberg Traurig LLP, "Complying with the new Colorado Privacy Act will impact nonprofits", Denver Business Journal, January 27, 2022: bizjournals.com/denver/news/2022/01/27/complying-new-colorado-privacy-act.html
- Cobun Zweifel-Keegan, "A view from DC: Is purpose-built privacy possible?", IAPP, September 23, 2022. iapp.org/news/a/a-view-from-dc-is-purpose-built-privacy-possible/. The problems of data minimisation and consent purpose. Designing privacy-first tools as a solution to navigating future legislation.
- Stephen Almond, "Generative AI: eight questions that developers and users need to ask", ICO, April 3, 2023. ico.org.uk/about-the-ico/media-centre/blog-generative-ai-eight-questions-that-developers-and-users-need-to-ask/
- James Sullivan, Hayley Curry and Matt Dhaiti, "Oregon enacts latest comprehensive consumer data privacy law", DLA Piper, July 2023. dlapiper.com/en-us/insights/publications/2023/07/oregon-enacts-latest-comprehensive-consumer-data-privacy-law. Like the Colorado Privacy Act, the Oregon Consumer Privacy Act does NOT exempt nonprofits.
- Meghan K. Farmer, John M. Brigagliano and Zain Haq, "Secondary Uses of Personal Data Should Still be Your Primary Concern: Consent Requirements under U.S. State Privacy Laws", Lexology, August 16, 2023. lexology.com/library/detail.aspx?g=54ab9ef0-3bae-46b1-8f67-8d0dcfa02158. "Secondary use" is using consent for a secondary purpose and is a topic you'll want to keep an eye on. This article has a useful comparison chart of the treatment of secondary use in state laws to date.
- Elliot R. Golding and Allison McSorley Tassel, "State Regulators Step Up Enforcement of New Privacy Laws", National Law Review, September 5, 2023. natlawreview.com/article/state-regulators-step-enforcement-new-privacy-laws. State privacy laws have teeth: Colorado's attorney general took action within days of the CPA becoming law.
- Michael T. Borgia, Benjamin Robbins, and Patrick J. Austin, "Delaware's New Personal Data Privacy Act", Davis Wright Tremaine LLP, September 13, 2023. dwt.com/blogs/privacy--security-law-blog/2023/09/delaware-personal-data-privacy-act-enacted
- Joseph Duball, "Nuances highlight New Jersey's comprehensive privacy bill", IAPP, January 10, 2024. iapp.org/news/a/nuances-highlight-new-jerseys-comprehensive-privacy-bill/. Differences to the norm in New Jersey's new law.
- Jennifer J. Hennessy and Alexander Misakian, "New Jersey Passes Comprehensive Privacy Law to Lead the 2024 Wave of State Privacy Laws", Foley & Lardner LLP, January 24, 2024. foley.com/insights/publications/2024/01/new-jersey-passes-comprehensive-privacy-law-2024/.
- Tech Horizons Report, ICO, March 2024: ico.org.uk/about-the-ico/research-reports-impact-and-evaluation/research-and-reports/technology-and-innovation/tech-horizons-report/. An interesting primer to future technology developments that the ICO is following and how they could impact consumer privacy. Look in particular at sections on personalised AI and next-generation search.
- Ethan Dewitt, "A guide to New Hampshire’s new data privacy rights", New Hampshire Bulletin, March 12, 2024. newhampshirebulletin.com/2024/03/12/a-guide-to-new-hampshires-new-data-privacy-rights/. NH has a strikingly low threshold for compliance, setting a precedent that other states could follow.
- Nancy Libin, Apurva Dharia, and Donara Aghajani, "Maryland Creates a New Paradigm for Data Privacy", Davis Wright Tremaine LLP, May 15, 2024. dwt.com/blogs/privacy--security-law-blog/2024/05/maryland-online-data-privacy-act-signed
- David P. Saunders and James S. Mann, "The Gopher State Goes for It: Minnesota Passes Consumer Data Privacy Law", McDermott Will & Emery, May 22, 2024. mwe.com/insights/the-gopher-state-goes-for-it-minnesota-passes-consumer-data-privacy-law/
- Keir Lamont, "Five Big Questions (and Zero Predictions) for the U.S. State Privacy Landscape in 2025", Future of Privacy Forum, December 17, 2024. fpf.org/blog/five-big-questions-and-zero-predictions-for-the-u-s-state-privacy-landscape-in-2025/
- Sam Castic, "10 areas for US-based privacy programs to focus in 2025", January 14, 2025. iapp.org/news/a/10-areas-for-privacy-programs-to-focus-in-2025
- Ron De Jesus, "Prioritizing privacy in the absence of clear federal guidelines", IAPP, January 24, 2025. iapp.org/news/a/prioritizing-privacy-in-the-absence-of-clear-federal-guidelines
