
What Data Protection Laws Apply to Nonprofits?

Posted by Bo Garner and Antonina McAvoy in Cybersecurity, Not-for-Profit, Consulting, Risk Advisory.

Key topics covered in this article:

    • Nonprofits may be subject to a growing mix of international, state, and federal data protection requirements based on the type of personal data they collect, how they use it, and where the individuals involved are located.
    • Laws such as GDPR, PIPEDA, LGPD, CCPA, VCDPA, and MODPA illustrate how privacy obligations vary across jurisdictions, while all states maintain breach notification laws that can also apply to nonprofits.
    • To manage risk, nonprofits should understand what data they collect, where it is stored, how it is used and shared, and whether third-party vendors or multistate operations create additional compliance exposure.


Many nonprofit leaders assume privacy laws are aimed at large corporations. In reality, nonprofits can be subject to data protection requirements depending on what information they collect, how they use it, and where the individuals involved are located. 

Nonprofits rely on donor records, employee files, program data, and online engagement to operate. That reliance creates privacy risk. There is no single federal law that governs nonprofit data. Instead, obligations come from a mix of international laws, state statutes, and federal enforcement. It’s up to nonprofit leaders to understand which laws apply today and where exposure may exist in the near future.

Data Privacy Rules Continue to Expand

Data privacy requirements are expanding, with international laws already in place and additional requirements emerging across jurisdictions. Nonprofits that collect donor, employee, or program data may be subject to these laws depending on where individuals are located and how information is used. 

The U.S. has not adopted a comprehensive federal data privacy law. In its place, states continue to pass their own laws, creating a patchwork of requirements that can apply differently across organizations and activities. This means nonprofits cannot assume a single standard will apply across all operations. 

At the same time, the Federal Trade Commission (FTC) is actively enforcing data privacy by pursuing cases involving misleading disclosures and inadequate data security. This enforcement applies broadly and can affect nonprofits even when a specific state law does not. 

Organizations like The Nonprofit Alliance have called for a robust federal law to replace existing state laws.

How Data Privacy Laws Are Taking Shape

Several laws illustrate how data protection requirements are developing and how they may apply to nonprofit organizations. 

International Data Privacy Laws

International laws can apply to nonprofits based on where individuals are located and how data is collected or used. 

European Union’s General Data Protection Regulation (GDPR) — The law went into effect in 2018 and has had a global impact. It applies to organizations that offer goods or services to individuals in the EU or monitor their behavior, regardless of whether the organization is for-profit or nonprofit. This includes nonprofits that accept donations from or communicate with individuals located in the EU. 

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) — This law governs how personal information is collected, used, and disclosed in the course of commercial activities. It does not usually apply to nonprofit activities but may apply when a nonprofit engages in revenue-generating activities or handles personal data in a commercial context involving individuals in Canada. 

Brazil’s General Data Protection Law (LGPD) — This law establishes requirements for how personal data is processed in Brazil. It applies to organizations that process personal data in Brazil or offer goods or services to individuals located there, regardless of organizational type. Nonprofits may be subject to the law based on their data activities and geographic reach. 

Domestic Data Privacy Laws

In the U.S., data privacy requirements are shaped by state laws and regulatory enforcement rather than a single federal framework. Relevant examples include:  

California Consumer Privacy Act (CCPA) — Under this law, effective in 2020, California residents have the right to know what personal information is collected, request deletion or correction, and opt out of the sale or sharing of that information. It applies to businesses above certain revenue thresholds. Nonprofits may be affected if they are affiliated with or provide services to those for-profit organizations. 

Virginia Consumer Data Protection Act (VCDPA) — Starting in 2023, Virginia residents have the right to access, correct, or delete their personal data. They may also choose to opt out of the sale of personal data, targeted advertising, and certain types of profiling. Nonprofits are explicitly exempt but may still be affected through vendors or multi-state operations. 

Maryland Online Data Privacy Act (MODPA) — This law went into effect in late 2025, and it’s similar to CCPA and VCDPA. A major difference is that nonprofits may be subject to this law depending on size and data activities. It includes requirements around data minimization, consumer rights, and limits on how personal data can be used. 

Note: All states have data breach notification laws, and those laws apply to nonprofits. If certain personal information, such as Social Security numbers, financial account information, or login credentials, is accessed or exposed, the organization may be required to notify affected individuals and, in some cases, regulators. 

How Nonprofits Can Respond

Most nonprofits look at where their donors, employees, and program participants are located, identify the most stringent requirements that apply, and then apply that standard across the organization. 

In practice, this often starts with documenting what data is collected, where it is stored, how it is used, and who it is shared with. Many organizations already have core controls in place, such as secure systems, limited access based on job responsibilities, and a plan for responding to a breach. 

Newer laws place more emphasis on transparency and control. Individuals may have the right to opt out of certain uses, request deletion, or correct their information. This can include limits on targeted advertising or automated decision-making tools that rely on personal data to evaluate or segment individuals. These requirements also extend to third-party vendors. Nonprofits that rely on fundraising platforms, CRMs, or cloud-based tools need to understand how those vendors handle personal data and what protections are in place. 

Nonprofits can move from general awareness to action by working through a few risk-based questions. The answers help determine which laws apply and what changes may be needed:

  • What types of personal data are collected?
  • How is data collected? 
  • How is the data used after it is collected? 
  • Where are donors, employees, or program participants located? 
  • Is data shared with third-party vendors? 

Data Oversight Is Becoming a Core Responsibility

Data protection requirements are not defined by nonprofit status. They are driven by how data is collected, where individuals are located, and how that information is used across operations.  

Enforcement activity and data incidents have made this a visible risk area. Regulatory action, along with the potential loss of donor trust following a breach or misuse of data, can have a direct impact on operations and funding. 

Organizations that take action now are better positioned to manage risk and build trust with donors and stakeholders. For more information, contact PBMares Not-for-Profit Partner Bo Garner and Cybersecurity & Risk Advisory Services Partner Antonina McAvoy.

Be sure to consult with your financial or tax advisor on this topic as individual situations may vary. The information contained in this article or webinar, and any related materials, are for informational purposes only, and cannot be relied upon for legal, financial, tax, accounting, or other professional services advice. The content is provided on an “as is” basis and PBMares makes no representations or warranties about the accuracy or sustainability of any information for your purposes. For any specific questions you may have, please contact us.

This content is accurate at the time of publication. Always ensure you are reviewing the most recent information available. Contact your tax or financial advisor if you need clarification.


About the Authors

Antonina McAvoy

CISA, CISM, QSA, PCIP
Partner, Risk Advisory Services
Norfolk

Antonina McAvoy specializes in cybersecurity, data protection, and privacy. She has 14 years of experience leading and performing a wide spectrum of cybersecurity reviews.

Bo Garner

CPA, MBA
Partner, Not-for-Profit Team Leader
Newport News

Bo specializes in overseeing attest engagements with the firm’s not-for-profit, healthcare, and contractor clients, leveraging his expertise to provide clients with clear and actionable insights.
