No More Free Passes: Nonprofits’ New Privacy Compliance in 2025

by: Heather Nolan

2025 will be a big year for nonprofits navigating their privacy compliance.  Many states exempt a broad array of nonprofits from their comprehensive privacy laws. But, at least two laws coming into effect this year will apply to many nonprofits: Delaware (effective January 1, 2025) and Oregon (effective July 1, 2025 for nonprofits). 

Nonprofits in certain sectors may be exempt from complying.  For example, Delaware’s and Oregon’s requirements do not apply to nonprofits established to detect and prevent insurance fraud.  Oregon also exempts nonprofits that provide programming to radio or television networks. Delaware further carves out nonprofits that provide services to victims of or witnesses to certain crimes like domestic abuse.

Compliance may include requirements related to consumer data rights and data governance such as conducting privacy impact assessments, providing consumer notices, contracting, accessing and correcting consumer data, and opting out of targeted advertising or sales.

Nonprofits should also consider their other potential obligations under existing state laws.  For example, California generally does not consider nonprofits to be regulated business under its data protection law, but a nonprofit could fall under another definition (like "service providers," "contractors," or "third parties") and trigger particular requirements.

Now is the time for nonprofit organizations to assess whether each state law that may apply exempts all nonprofit entities, and, if not, (1) understand what type of tax-exempt organizations are covered by the law, and (2) whether the organization meets the state’s minimum data collection thresholds, if applicable.

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.

Heather Nolan