Privacy Compliance for US Tax-Exempt Organizations Under the New General Data Protection Regulation (GDPR) of the European Union and UK Companion Law

Charitable organizations in the United States that allow access to their website by persons in Europe or collect data from European citizens will find themselves potentially subject to GDPR.

GDPR is new legislation on data protection and e-privacy which goes into effect on May 25, 2018.  Charities in the United States (and elsewhere) will be subject to the law if:

  • They have people in the EU or UK on their email list or donor database;

  • They have signup forms that allow users to specify they’re from another country or enter a non-US address; or

  • They have donation forms that allow people to donate from another country or in a European currency.

If your organization meets any of these criteria and determines it is worthwhile to keep in contact with EU and UK supporters, you may need to implement changes to your policies and website as soon as practical to come into compliance. We can assist with more details, but in the meantime, the following is some basic background as to why you need to become familiar with the Regulation.

Collecting Cookies and Email Addresses Requires AFFIRMATIVE OPT-IN (Consent)

GDPR requires “explicit” consent to use personal data (including to contact the individual), and that consent must be “freely given, specific, informed, and unambiguous.” Users of your website will need to actively opt in (e.g. by ticking a checkbox or clicking on a button) before you collect or accept cookies other than those necessary or essential to the operation of the site, and before they receive email communications from you. That means no more pre-ticked opt-outs or “By signing this you consent to email” disclaimers, and no more cookies without some initial opt-in by the user at the time they access the site.

Explicit consent is required for all the different ways your organization is going to use the individual’s data. Organizations must now allow EU users to individually consent to each use of their data — i.e. separate checkboxes for email, SMS, advertising, cookies, etc.

For US charities:

  1. Opt-in is not necessary for US citizens but is for EU citizens. An organization may not want reduced opt-in rates on forms for US citizens by forcing them to go through GDPR-compliant opt-ins. On the other hand, it may be too difficult or costly to rebuild the organization’s forms so that US and EU citizens receive different opt-in asks (this could be done automatically using the IP address, for example).

  2. Organizations may need to opt in EU supporters as soon as possible if they were not opted in before. By the time you read this article, it may be too late to accomplish that. Once GDPR comes into force, you will only be able to contact EU citizens on your list who have given you consent in a GDPR-compliant format. Absent that, organizations will need to unsubscribe anyone who hasn’t given consent to contact them.

  3. Data Storage and Security. GDPR sets new requirements for how data should be stored and how consent should be recorded, so that the organization can demonstrate it met the requirements of explicit consent. Check what your web service’s plans for GDPR are.

This article is not intended as legal advice.  It is designed to make you aware of a new privacy law directive from the EU/UK.  Consult legal counsel for additional questions and/or specific legal counsel in ensuring your practices are compliant with the EU’s new data privacy law.  Copyright 2018, Copilevitz & Canter, LLC.