Resources

Resources - US privacy law

This is the downloadables page for my white paper on privacy law in the United States and how-to's for tackling donor data privacy challenges. You'll also find loads of links to useful websites and news articles. The resources are free to download and don't require giving me your email. They may be shared with colleagues with proper attribution to me. Distribution without permission, commercial copying and lending are prohibited. These resources do not constitute legal advice and you must seek guidance specific to your organisation when making changes to your data and processes. Any questions on this or if you need my help, drop me a line.

White paper

Quick Guides

Quick Guides: RE

PresentationS & WEBINARS

Useful LINKS

News ARTICLES

White paper

White paper on GDPR-like privacy law in the US (PDF 14.6MB); lower resolution version (PDF 700KB). If you need to print, skip the section dividers to save ink (pages 4, 7, 12, 17, 20, 24, 27).

Just the case study (PDF 1.4MB). The Kennesaw case study from pages 21-23 of the white paper.

Key points (PDF 117KB). A very brief summary of the white paper's key points.

Quick guides

Updated! Tracking state privacy law (PDF 150KB): A list of enacted bills, highlighting those that do NOT exempt nonprofits, notes on their record thresholds and links to more info. Last updated July 2025.

Letting Data Go (PDF 120KB): A quick guide to making data minimization your friend.

The Traffic Light Data Entry System: a simple method for managing information accuracy in your database (PDF 192KB). Handout from panel session at the 2023 AASP Summit from a data entry method I devised with Aldera Chisholm and Bill Connors.

Unlocking potential: contacting European constituents under GDPR (PDF 173KB) addresses questions I was asked on GDPR at my 2023 AASP Summit presentation on privacy law.

The Colorado precedent (PDF 166KB): What you can learn from the CPA even if it doesn't apply to your organization .

Anticipating AI regulation: a few thoughts (PDF 172KB). A response to questions I was asked at 2023 AASP Summit and takeaways from the 2023 Executive Order on AI (this order was reversed in January 2025. See this article from Caitlin Andrews at the IAPP for an overview of the situation. AI regulation won't be going away though: expect a lot of activity at state level).

Sharing Donor Names (PDF 113KB): Asking if this can be done securely, this quick guide considers a safe approach for sharing info with memorial fundraisers. (PDF 113KB)

Annual Reports and Honor Walls (PDF 112KB): This quick guide looks at the difficult issue of whether you can securely share donor names in annual reports and on honor walls and considers the safest approach.

New! Semi-anonymity: Can you keep inferred information? (PDF 114KB) considers whether you should store inferred information about anonymous donors and email subscribers.

Quick guides - Raiser's Edge

Consents in The Raiser’s Edge (PDF 144KB): Considerations and shortcomings of this feature.

Consents in The Raiser’s Edge (PDF 149KB): Sample setup of consents.

Updated! Raiser's Edge NXT Email: Pros and Cons of this feature (PDF 127KB). Some thoughts on web view email and considerations for privacy law compliance. Updated July 2025.

Info Source Options in The Raiser’s Edge (PDF 127KB): Places to track sources of information in RE to help compliance with privacy law.

Presentations & webinars

Slides from Raiser's Edge Facebook User Group webinar January 20, 2023: Donor data privacy: Why the Colorado DPA sets a precedent and what you can do about it (PDF 366KB)
Slides from Raiser's Edge Facebook User Group webinar May 25, 2023: Donor data privacy: What's new in privacy law and what you can do about it (PDF 438KB). Recording of webinar May 25, 2023: OneDrive (MP4 282MB or ZIP 148MB).
Slides from AASP Summit presentation September 28, 2023: Privacy First: Anticipating future legislation and the Impact on your operations (PDF 2.1MB).
Slides from Raiser's Edge Facebook User Group webinar March 15, 2024: Privacy Law & Donor Data (PDF 520KB). Edited Q&A: Privacy Law & Donor Data Zoom Chat Questions (PDF 140KB).
Recording of AASP panel webinar, Data Maximalism to Data Minimalism, with Necie Liggeons and Bill Connors, June 11, 2024 (recording is free to AASP members if you log in).
Slides from webinar October 11, 2024: Privacy Law & Donor Data (PDF 400KB). Edited Q&A: Privacy Law & Donor Data Zoom Chat Questions (PDF 120KB). Recording of webinar October 11, 2024: OneDrive (MP4 414MB or ZIP 315MB).
Coming up: I'll be speaking at the AASP Summit 2025.

Links: useful websites and thought leaders to follow

I'm not responsible for the security and content of these links.

IAPP State Legislation tracker: iapp.org/resources/article/us-state-privacy-legislation-tracker
IAPP Federal Legislation tracker: iapp.org/resources/article/us-federal-privacy-legislation-tracker
IAPP artificial intelligence hub: iapp.org/resources/topics/artificial-intelligence-1/
Center on Privacy & Technology at Georgetown Law: law.georgetown.edu/privacy-technology-center
iData blog - data management concepts and tips: blog.idatainc.com
IT Governance blog: itgovernanceusa.com/blog/category/data-protection
National Institute of Standards and Technology blog - cybersecurity and privacy topics: nist.gov/privacy-0
The Nonprofit Alliance has a well-written explainer on state laws which it regularly updates: tnpa.org/get-involved/policy-in-the-states/
Cobun Zweifel-Keegan, JD of the IAPP posts regularly on LinkedIn: linkedin.com/in/cobun
Kirk Schmidt on LinkedIn - look out for his posts on predictive analytics and privacy in fundraising, an area to watch if you want to engage in advanced analytics using personal data: ca.linkedin.com/in/kirkschmidtcalgary
Nonprofits are Messy: blog.joangarry.com/nonprofits-are-messy-podcast. Joan Garry’s brilliant podcast covers a wide range of subjects. Look out for her sessions on boards and getting leadership to embrace change. I recommend episode 196 with Beth Kanter on AI: joangarry.com/podcast/ep-196-how-risky-is-ai-for-nonprofits-with-beth-kanter/.
Common data protection mistakes (and how to fix them), ICO: ico.org.uk/for-organisations/sme-web-hub/common-data-protection-mistakes-and-how-to-fix-them/. A useful list from the Information Commissioner's Office in the UK. Although it applies to UK orgs the lessons are transferable. This one in particular is key: "The more personal data you hold, the more storage space and security measures you need to keep it safe – which will cost you time, as well as money...Have a reason to keep information, rather than a reason to get rid of it. If you’re required to keep information for a certain length of time, such as financial, medical or legal records, record your reasons in a retention policy...You should sort through your data on a regular basis and destroy personal data securely when you no longer need it."
Privacy notice/privacy policy generator, ICO: ico.org.uk/for-organisations/advice-for-small-organisations/create-your-own-privacy-notice/. A new tool from the Information Commissioner's Office in the UK that creates a privacy notice from scratch.
Privacy Officer Toolkit & Policy examples, NYC Office of Information Privacy: nyc.gov/content/oti/pages/information-privacy. The NYC OIP freely shares their excellent toolkit and policies & protocols document. These are intended for local government partners but are a great place to start if you need an example of privacy documentation done well,

Links: news articles

Scroll down for most recent. I'm not responsible for the security and content of these links.

Grant Fritchey, "GDPR in the USA", Redgate Hub, March 28, 2019: red-gate.com/simple-talk/devops/data-privacy-and-protection/gdpr-in-the-usa
Ian De Freitas and Henry Sainty, "GDPR: two years in – What’s next?", Farrer & Co LLP, October 7, 2020. farrer.co.uk/news-and-insights/gdpr-two-years-in--whats-next/ An interesting review of remaining issues in the UK two years after GDPR was implemented. Use this to imagine what the future might hold in the aftermath of new state/federal privacy law.
Joshua Mooney, "A cheat sheet for Colorado’s forthcoming new privacy act", Kennedys Law LLP, June 23, 2021. kennedyslaw.com/thought-leadership/article/a-cheat-sheet-for-colorado-s-forthcoming-new-privacy-act/
Thorin Klosowski, "The State of Consumer Data Privacy Laws in the US (And Why It Matters)", New York Times, September 6, 2021: nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/amp
Bryn Weaver, "How Nonprofits Can Prepare for the Colorado Privacy Act", Wiland Blog, December 2, 2021: wiland.com/blog/how-nonprofits-can-prepare-colorado-privacy-act/
Tyler Thompson, Greenberg Traurig LLP, "Complying with the new Colorado Privacy Act will impact nonprofits", Denver Business Journal, January 27, 2022: bizjournals.com/denver/news/2022/01/27/complying-new-colorado-privacy-act.html
Cobun Zweifel-Keegan, "A view from DC: Is purpose-built privacy possible?", IAPP, September 23, 2022. iapp.org/news/a/a-view-from-dc-is-purpose-built-privacy-possible/. The problems of data minimisation and consent purpose. Designing privacy-first tools as a solution to navigating future legislation.
Stephen Almond, "Generative AI: eight questions that developers and users need to ask", ICO, April 3, 2023. ico.org.uk/about-the-ico/media-centre/blog-generative-ai-eight-questions-that-developers-and-users-need-to-ask/
James Sullivan, Hayley Curry and Matt Dhaiti, "Oregon enacts latest comprehensive consumer data privacy law", DLA Piper, July 2023. dlapiper.com/en-us/insights/publications/2023/07/oregon-enacts-latest-comprehensive-consumer-data-privacy-law. Like the Colorado Privacy Act, the Oregon Consumer Privacy Act does NOT exempt nonprofits.
Meghan K. Farmer, John M. Brigagliano and Zain Haq, "Secondary Uses of Personal Data Should Still be Your Primary Concern: Consent Requirements under U.S. State Privacy Laws", Lexology, August 16, 2023. lexology.com/library/detail.aspx?g=54ab9ef0-3bae-46b1-8f67-8d0dcfa02158. "Secondary use" is using consent for a secondary purpose and is a topic you'll want to keep an eye on. This article has a useful comparison chart of the treatment of secondary use in state laws to date.
Elliot R. Golding and Allison McSorley Tassel, "State Regulators Step Up Enforcement of New Privacy Laws", National Law Review, September 5, 2023. natlawreview.com/article/state-regulators-step-enforcement-new-privacy-laws. State privacy laws have teeth: Colorado's attorney general took action within days of the CPA becoming law.
Michael T. Borgia, Benjamin Robbins, and Patrick J. Austin, "Delaware's New Personal Data Privacy Act", Davis Wright Tremaine LLP, September 13, 2023. dwt.com/blogs/privacy--security-law-blog/2023/09/delaware-personal-data-privacy-act-enacted
Joseph Duball, "Nuances highlight New Jersey's comprehensive privacy bill", IAPP, January 10, 2024. iapp.org/news/a/nuances-highlight-new-jerseys-comprehensive-privacy-bill/. Differences to the norm in New Jersey's new law.
Jennifer J. Hennessy and Alexander Misakian, "New Jersey Passes Comprehensive Privacy Law to Lead the 2024 Wave of State Privacy Laws", Foley & Lardner LLP, January 24, 2024. foley.com/insights/publications/2024/01/new-jersey-passes-comprehensive-privacy-law-2024/.
Tech Horizons Report, ICO, March 2024: ico.org.uk/about-the-ico/research-reports-impact-and-evaluation/research-and-reports/technology-and-innovation/tech-horizons-report/. An interesting primer to future technology developments that the ICO is following and how they could impact consumer privacy. Look in particular at sections on personalised AI and next-generation search.
Ethan Dewitt, "A guide to New Hampshire’s new data privacy rights", New Hampshire Bulletin, March 12, 2024. newhampshirebulletin.com/2024/03/12/a-guide-to-new-hampshires-new-data-privacy-rights/. NH has a strikingly low threshold for compliance, setting a precedent that other states could follow.
Nancy Libin, Apurva Dharia, and Donara Aghajani, "Maryland Creates a New Paradigm for Data Privacy", Davis Wright Tremaine LLP, May 15, 2024. dwt.com/blogs/privacy--security-law-blog/2024/05/maryland-online-data-privacy-act-signed
David P. Saunders and James S. Mann, "The Gopher State Goes for It: Minnesota Passes Consumer Data Privacy Law", McDermott Will & Emery, May 22, 2024. mwe.com/insights/the-gopher-state-goes-for-it-minnesota-passes-consumer-data-privacy-law/
Tamara Chuang, "What’s Working: Colorado’s deadline for websites to add “Do not sell my data” detector is Monday", The Colorado Sun, June 29, 2024. coloradosun.com/2024/06/29/colorado-do-not-sell-my-data-consumer-privacy-law/
Keir Lamont, "Five Big Questions (and Zero Predictions) for the U.S. State Privacy Landscape in 2025", Future of Privacy Forum, December 17, 2024. fpf.org/blog/five-big-questions-and-zero-predictions-for-the-u-s-state-privacy-landscape-in-2025/
Sam Castic, "10 areas for US-based privacy programs to focus in 2025", January 14, 2025. iapp.org/news/a/10-areas-for-privacy-programs-to-focus-in-2025
Ron De Jesus, "Prioritizing privacy in the absence of clear federal guidelines", IAPP, January 24, 2025. iapp.org/news/a/prioritizing-privacy-in-the-absence-of-clear-federal-guidelines
Jordan Francis, "Amendments to the Montana Consumer Data Privacy Act Bring Big Changes to Big Sky Country", Future of Privacy Forum, May 12, 2025. fpf.org/blog/amendments-to-the-montana-consumer-data-privacy-act-bring-big-changes-to-big-sky-country/. This amendment will see the majority of nonprofits NOT exempted from Montana's privacy law and the threshold for compliance lowered to 25,000 records.
C. Kibby, "Emerging trends, insights from public enforcement of US state privacy laws", IAPP, June 30, 2025. iapp.org/news/a/emerging-trends-insights-from-public-enforcement-of-us-state-privacy-laws