Compliance Guide · March 30, 2026 · 8 min read

State Privacy Laws for Nonprofits: Which Laws Apply to Your Organization in 2026

The Nonprofit Privacy Compliance Challenge

Many nonprofit organizations assume they are exempt from state consumer data privacy laws. This assumption can be dangerous. While a majority of state privacy laws do exempt some or all nonprofits, several states offer no exemption at all, and others have narrow exemptions that leave many nonprofits fully covered.

As of March 2026, 20 US states have enacted comprehensive consumer data privacy laws. If your nonprofit operates nationally, collects donor data, runs digital campaigns, or provides services to residents in multiple states, you may be subject to several of these laws. Use our Privacy Law Calculator to quickly assess which laws might apply to your organization.

States With No Nonprofit Exemption

The following state privacy laws apply to all qualifying entities, including nonprofit organizations, with no exemption based on tax-exempt status:

Colorado Privacy Act (CPA)

The Colorado Privacy Act contains no nonprofit exemption whatsoever. If your nonprofit processes personal data of 100,000+ Colorado residents annually, or processes data of 25,000+ residents and derives revenue from the sale of personal data, you must comply with the full CPA. Colorado’s law is notable because it was one of the first state privacy laws to explicitly include nonprofits within scope.

New Jersey Data Privacy Act (NJDPA)

New Jersey’s privacy law similarly provides no exemption for nonprofits. Any entity — for-profit or nonprofit — that meets the processing thresholds must comply.

Delaware Personal Data Privacy Act

The Delaware law has a very narrow entity-level exemption that only covers nonprofits focused on insurance fraud prevention. Virtually all other nonprofits are within scope if they meet the data processing thresholds.

Maryland Online Data Privacy Act (MODPA)

The Maryland MODPA, which began enforcement on April 1, 2026, has limited nonprofit exemptions that only cover specific insurance-related nonprofit activities. Most nonprofits operating in Maryland are covered. MODPA also has some of the strictest data minimization requirements of any state — see our MODPA enforcement guide for details.

Oregon Consumer Privacy Act (OCPA)

The Oregon law exempts only nonprofits that exclusively focus on detecting and preventing insurance fraud. Standard charitable, educational, and advocacy organizations are not exempt.

Minnesota Consumer Data Privacy Act

Minnesota provides only a narrow exemption for nonprofits that are established to detect and prevent insurance fraud, leaving most nonprofits within scope.

States With Broad Nonprofit Exemptions

A majority of state privacy laws exempt nonprofits based on their federal tax-exempt status. These states generally follow the approach of the Virginia Consumer Data Protection Act (VCDPA), which exempts “any body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth” and nonprofit organizations.

States with broad nonprofit exemptions (based on IRC tax-exempt status) include:

  • Virginia (VCDPA) — exempts all nonprofit organizations
  • Connecticut (CTDPA) — exempts 501(c) organizations (note: SB 1295 amendments effective July 1, 2026 may narrow this)
  • Iowa (ICDPA) — exempts all nonprofits
  • Montana (MCDPA) — exempts all nonprofits
  • Nebraska (NDPA) — exempts all nonprofits
  • New Hampshire (NHPA) — exempts all nonprofits
  • Texas (TDPSA) — exempts all nonprofits
  • Tennessee (TIPA) — exempts all nonprofits
  • Utah (UCPA) — exempts all nonprofits

If your nonprofit operates exclusively in states with broad exemptions, your compliance obligations under comprehensive privacy laws are minimal. However, you should still follow privacy best practices for donor trust and COPPA compliance if you serve children.

States With Narrow or Conditional Exemptions

Several states have exemptions that cover some nonprofits but not others:

Indiana Consumer Data Protection Act (ICDPA)

Indiana limits its exemption to organizations exempt under IRC sections 501(c)(3), 501(c)(6) (business leagues), or 501(c)(19) (veterans’ organizations). Other types of tax-exempt organizations — such as 501(c)(4) social welfare organizations, 501(c)(7) social clubs, or 501(c)(13) cemetery companies — are not exempt.

Kentucky Consumer Data Protection Act (KCDPA)

Kentucky’s law, effective January 1, 2026, defines a “nonprofit organization” narrowly: the entity must (1) operate for religious, charitable, or educational purposes and (2) not provide net earnings to any officer, employee, or shareholder. This effectively limits the exemption to 501(c)(3) organizations and excludes other types of tax-exempt entities.

Rhode Island Data Transparency and Privacy Protection Act

Rhode Island’s exemption covers entities described under IRC 501(c)(3), but does not extend to all tax-exempt nonprofits.

California (CCPA/CPRA): A Special Case

The California Consumer Privacy Act does not have a blanket nonprofit exemption, but its applicability thresholds effectively exclude most nonprofits. The CCPA applies to for-profit businesses that meet specific revenue or data processing thresholds. Because the law specifically targets “for-profit” entities, most nonprofits are outside its scope by definition — not through an exemption, but through the law’s fundamental applicability criteria.

However, nonprofits that operate for-profit subsidiaries, joint ventures, or commercial arms may have portions of their activities covered by the CCPA. See our CCPA exemptions guide for more detail.

Compliance Checklist for Nonprofits

If your nonprofit is covered by one or more state privacy laws, here are the key compliance steps:

1. Map Your Data Processing

  • Inventory all personal data you collect: donor information, volunteer data, beneficiary records, email lists, website analytics, event registration data
  • Identify where data is stored, who has access, and what third-party processors (CRM, email marketing, payment processors) receive it
  • Document the legal basis for each processing activity

2. Update Your Privacy Policy

  • Disclose the categories of personal data you collect, the purposes for processing, and with whom you share it
  • Include state-specific disclosures required by each applicable law
  • Our Privacy Policy Generator can help create a compliant privacy policy tailored to your applicable states

3. Implement Consumer Rights Processes

  • Set up systems to handle consumer data requests: access, deletion, correction, and opt-out
  • Ensure response timelines meet each state’s requirements — use our DSAR Request Manager to track deadlines
  • Train staff on how to verify and respond to requests

4. Address Data Minimization

  • Review whether you collect only the personal data reasonably necessary for your mission
  • This is especially critical under Maryland’s MODPA, which has the strictest data minimization requirements
  • Audit donor databases for excessive data collection practices

5. Manage Third-Party Relationships

  • Review contracts with data processors (CRMs, email platforms, analytics tools, payment processors)
  • Ensure data processing agreements are in place with appropriate privacy protections
  • Verify that third-party vendors respect opt-out signals and consumer rights requests

Practical Tips for Resource-Constrained Nonprofits

Nonprofits often have limited budgets for compliance. Here are practical approaches:

  • Prioritize by risk — focus first on states with no nonprofit exemption where you have the most constituents (Colorado, New Jersey, Delaware, Maryland, Oregon)
  • Leverage free tools — use our Privacy Law Calculator, GPC Checker, and Cookie Consent Checker to assess your compliance posture
  • Build once, comply many — a single robust privacy program that meets the strictest state’s requirements (Maryland MODPA) will satisfy other states as well
  • Start with your privacy policy — an updated, transparent privacy policy addresses a significant portion of compliance requirements across all states
  • Document your exemptions — if you rely on a nonprofit exemption in certain states, document your tax-exempt status and which state exemptions apply

Frequently Asked Questions

Are churches exempt from state privacy laws?

In states with broad nonprofit exemptions (Virginia, Texas, Tennessee, etc.), churches as 501(c)(3) organizations are generally exempt. In states like Colorado, New Jersey, and Oregon that have no nonprofit exemption, churches that meet the processing thresholds are covered. The CCPA does not apply because it targets for-profit businesses specifically.

Do privacy laws apply to nonprofit hospitals?

Nonprofit hospitals face a complex landscape. While they may qualify for nonprofit exemptions under some state privacy laws, most of their health data processing is governed by HIPAA. In states without nonprofit exemptions (Colorado, New Jersey, Maryland), the comprehensive privacy law applies to non-HIPAA data processing. See our privacy law vs. HIPAA comparison.

What about nonprofit universities?

Universities that hold tax-exempt status are exempt in states with broad nonprofit exemptions. However, in states like Colorado, Maryland, and Oregon, universities that meet the processing thresholds are covered for non-FERPA data. Student education records governed by FERPA are typically exempt, but other university data (alumni, donor, website visitor, athletic event attendee data) may not be. See our FERPA vs. COPPA guide.

Does our nonprofit need to honor GPC signals?

If your nonprofit is covered by a state privacy law that requires honoring universal opt-out mechanisms, then yes. Colorado, Connecticut (after July 2026), Montana, Oregon, and Maryland all require honoring opt-out preference signals like GPC. Check your obligations with our GPC Compliance Checker.

How many state privacy laws cover nonprofits?

As of March 2026, approximately 6–8 of the 20 enacted state privacy laws fully or substantially cover nonprofit organizations (Colorado, New Jersey, Delaware, Maryland, Oregon, Minnesota, plus Kentucky and Indiana with narrow exemptions). The remaining states broadly exempt nonprofits based on tax-exempt status.

Last updated: March 30, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.