Do Nonprofits Who Are Exempt Need to Care About Privacy?
Jan 02, 2026
Questions I sometimes hear circulating in the nonprofit space go something like:
"We're exempt in this state… so do we really need to worry about privacy expectations there?" or "If we see a federal law pass that exempts nonprofits, will I need to think about this anymore?"
Both are reasonable questions. And the answer is yes, but not because of technical exemptions.
Why exemption doesn't answer the questions that actually create risk
Most privacy decisions nonprofits face today aren't triggered by federal or state statutes. They're shaped by donor expectations, vendor contracts, platform requirements, the safety needs of people experiencing vulnerability, and internal accountability.
Constituents don't experience privacy through legal language. They experience it through how their data is collected, explained, and used, and whether that use protects or endangers them.
Organizations that treat exemption as permission to deprioritize often find themselves reacting later — not to regulators, but to operational and ethical pressure:
- Vendor requirements: CRM and email platforms are building privacy features as standard, often requiring documented consent practices regardless of your legal obligations
- Partner expectations: Funders, collaborators, and government agencies increasingly expect baseline privacy practices, and many are covered by regulations that affect how they work with you
- Platform changes: Analytics and tracking tools are restricting data collection in response to regulations that apply to their user base
- Internal misalignment: Teams disagreeing about whether a dataset can be reused, whether inferred attributes require consent, or who decides when something is legally allowed but mission-misaligned
None of these moments are resolved by pointing to an exemption.
The people you serve face heightened risks from privacy failures
Here's what federal or state exemption doesn't change: Nonprofits often work with people experiencing disproportionate harms from privacy failures.
For these populations, poor data practices don't just create compliance risk — they create real danger.
An exemption doesn't make your organization less responsible for protecting people whose safety depends on how carefully you handle their information. If anything, it means lawmakers aren't going to force you to do it, which means you have to decide whether your mission requires it anyway.
For most nonprofits serving people in these circumstances, the answer should be clear.
Trust is your organizational asset, and exemption doesn't protect it
Most nonprofits depend fundamentally on trust from donors, beneficiaries, volunteers, and the communities they serve. Privacy practices directly affect this trust in ways no legal exemption can safeguard.
A data breach or misuse of sensitive information can irreparably damage the relationships that are central to mission fulfillment. The reputational cost of privacy failures may actually be higher for nonprofits than for for-profit companies, because trust is often your primary currency.
Exemption protects you from regulatory enforcement. It doesn't protect you from losing the trust that makes your work possible.
Building capacity takes time
Privacy work isn't just about compliance. It's about building organizational capacity, culture, and systems that take years to develop well.
If nonprofits wait until they're required to act — whether through future legislation, partner demands, or incident response — they'll be playing catch-up under pressure rather than building thoughtful, mission-aligned practices.
What about preemption of state laws?
Let's say a U.S. federal privacy law is taken up in earnest, AND it gets enough bipartisan support to pass, AND that passed law includes preemption language that exempts nonprofits. (Note how many factors we're relying on in just that statement.) This could, hypothetically, override state comprehensive privacy laws in the areas it covers and eliminate some complexity.
But there are important nuances:
- Scope matters: Federal preemption is rarely total. The bill might preempt state comprehensive privacy laws but leave room for sector-specific state laws (health privacy, student data, biometric data, etc.). The details will determine how much of the patchwork actually disappears.
- Exemptions may not align: If nonprofits are carved out federally but some existing state laws don't have that same carve-out, the preemption question gets complicated. Does the federal exemption preempt stricter state requirements on nonprofits, or does it leave that space open? This depends entirely on how preemption language is drafted.
- Timeline uncertainty: Even if a bill is prioritized and passes, there's often delay before it takes effect and before courts resolve what exactly is preempted. During that transition, organizations still face the existing landscape.
The preemption question matters for legal strategy. But it doesn't change the fundamental mission question: Do you need good privacy practices to serve your communities well and maintain their trust? For most nonprofits, that answer exists entirely independent of federal legislation.
Privacy as control, not constraint
Privacy best practices give organizations something exemptions don't. That's control.
Control over how decisions are made. Control over how tradeoffs are evaluated. Control over whether teams are reacting or acting intentionally.
For many nonprofits, this is where privacy becomes less about compliance and more about stewardship. It becomes a way to ensure that data use aligns with mission, values, and long-term trust, not just what's technically permissible.
What's next?
When the exemption question comes up internally, it's often a signal that shared clarity around acceptable data use hasn't been defined yet, and that the organization is looking for permission to deprioritize rather than grappling with what strong practices would actually require.
That's where structured governance work — like my Data Autonomy Framework™ — typically begins, alongside common leadership questions captured in the Privacy FAQ.
The exemption isn't the question. The question is: what does your mission require you to do with the trust people place in you?