Nonprofits Aren't Opposing Privacy Law. Lobbyists Are.
Apr 30, 2026
Yesterday, I testified before the Vermont state legislature in support of the current version of their consumer privacy bill. The context behind why that testimony was necessary is something every nonprofit practitioner should understand, whether or not you have any connection to Vermont.
To say the quiet part loud: the resistance to strong privacy law is Republican- and lobbyist-led. And we play a role in how it happens.
Who Is Actually Fighting Against Nonprofit Privacy Protection
The reason we don't have a federal privacy law in the U.S. can be boiled down to the fact that Republicans aim to establish the law as the ceiling, not the floor — meaning they advocate that individuals largely can't seek their own recourse for violations, and they want to prohibit states' ability to set stronger terms. Democrats tend to seek the opposite, advocating for fewer exemptions, a private right of action, and the ability for states to go beyond the federal law.
When we hear advocacy and membership groups speaking "on behalf" of nonprofits, listen to what they're saying. When they're advocating against nonprofits having to comply with the law and encouraging federal regulation that supersedes state action, it's important that we understand what's happening — and that we agree with the actions our membership dues are funding.
In my 20 years working in and alongside nonprofits, I have never once heard a nonprofit itself ask for an exemption. You know the data you're holding — I know you know it, too. What you might not know is the risk that comes with that: to your nonprofit, to your constituents, and sometimes, in the cases of orgs subject to FOIA, to yourself. What I do hear consistently is lobbying and advocacy groups making the argument for exemption on your behalf, without disclosing the full scope of whose interests they're protecting and how much of their funding informs their perspective.
What blanket exemptions actually do is remove any obligation to examine how data is collected, used, shared, or sold, regardless of what an organization actually does with constituent information. This works against you, because it removes the business case for governance, tooling, and vendor agreements that help you use data better and in a way that honors donor trust. That doesn't help you. Who it helps is the vendors, brokers, and platforms that profit from data flowing freely through the nonprofit ecosystem to inform the likes of Big Tech, big business, and all the intermediaries who profit along the way.
This is not an accident. It is a strategy. And Vermont is where we can watch it play out in real time.
Meet the Architect
Many of you are advocates and activists first. You got into this work because you care about people. That's exactly why you should know the name Andrew Kingman.
He is the counsel for the State Privacy and Security Coalition, whose members include Amazon, Google, Meta, Target, and General Motors. Since 2018, Kingman has worked to shape — and in many cases weaken — data privacy legislation throughout the states. His approach is sophisticated: rather than opposing bills outright, he positions himself as a problem-solver, rallies local business groups to carry his messaging, and steers lawmakers toward business-friendly compromises that his clients can live with.
Politico profiled him in depth in September 2024. It's a worthwhile read.
What Does Vermont's Privacy Law Have to Do With Us?
Vermont's fight for privacy law is instructive. When Vermont's House and Senate both passed what would have been the strongest privacy law in the country in May 2024, Kingman coordinated a sweeping campaign against it. As a result, a Republican governor vetoed the bill, citing pressure from local businesses.
Much of that is because of the tired thinking that privacy is good for humans but bad for business. The data doesn't support that the latter is true, but the narrative is easy. It's easy to fall into the trap of believing that targeted advertising reliant on Big Tech and data brokers is an inevitability. Every year, we spend more on more data without questioning why the vendors pointing us in that direction are doing it — and yet we continue to see donor acquisition and retention counts decline.
Dumping money into data collection and digital ads is no longer the solve it once was. And if all of the people who declined to be tracked in 2021 when Apple rolled out its App Transparency mandate are any indication, our audiences didn't like what was happening to them — and we suffered the revenue loss that came from overreliance on these methods.
So why do we stay trapped in this thinking? Is it possible it's because the vendors powering our tools and our advertising have a stake in it?
Fortunately, there is a path out.
What Strong Privacy Law Actually Does — and What Vermont's Current Bill Gets Right
It's not lost on me that efficiency pressure coming from the C-suite and nonprofit watchdogs like Charity Navigator informs a lot of the reason innovation stalls at nonprofits. But privacy law can help you help them.
Most state privacy laws exempt nonprofits by tax status, which means organizational category — not data practice — determines accountability. Vermont's current bill takes a different approach, tying exemptions to what an organization actually does with data. That's the structure that creates real incentive to ask the right questions: what are we collecting, sharing, and storing, and why?
It also includes layered advertising definitions that remove barriers to first-party and contextual advertising — the consent-forward practices that build durable donor relationships — while regulating the targeted advertising practices that drive fraud, waste budget, and turn nonprofits into data-collection pawns for platforms that profit from their audiences.
All of these pieces help nonprofits level the playing field with the private sector and get us to a place where we have a mandate to think differently.
Strong privacy law does this. Weak privacy law — by design — doesn't.
What Real Regulatory Support for Nonprofits Looks Like
The compliance burden concern is not entirely manufactured. Smaller organizations without legal counsel or technical staff face real implementation challenges, and those challenges deserve real solutions.
But real solutions look like scaled timelines based on budget or records held. Model contracts and templates. Plain-language guidance from the Attorney General's office. Enforcement discretion signals that protect good-faith compliance efforts. Not blanket exemptions that remove accountability entirely and leave constituents unprotected.
These are the things I asked Vermont's legislature for. They are the things any advocacy group genuinely representing nonprofit interests would be asking for.
When you hear that nonprofits oppose privacy law, ask yourself who is actually in the room making that argument, who funds them, and what they stand to gain from keeping the current system in place.
We don't know where Vermont will go next. It's entirely possible these lobbyists will win the day again. But the hope is in the long haul. I know I'm preaching to the converted on this as it relates to every social justice issue.
Let's Talk About What This Means for Your Organization
If this raises questions about your own data practices, vendor relationships, or how your organization is positioned on privacy, I welcome the conversation. This work is personal to me, and it should be personal to all of us.
Frequently Asked Privacy Questions
Do nonprofits oppose privacy law?
In over 20 years working in and alongside the nonprofit sector, I have never once heard a nonprofit itself take a stand against privacy law or ask for an exemption from it. The opposition that gets attributed to nonprofits consistently originates from lobbying and advocacy groups — many of them funded in part by data brokers, ad tech platforms, and private equity-backed fundraising technology companies — making that argument on nonprofits' behalf, without being asked and without disclosing whose interests they're actually protecting.
What is a nonprofit privacy exemption?
A nonprofit privacy exemption is a provision in a state or federal privacy law that excludes nonprofit organizations from having to comply with the law's requirements, based solely on their tax-exempt status. Rather than examining what an organization actually does with data — how it collects, shares, stores, or sells constituent information — an entity-level exemption removes accountability entirely by category. Most state privacy laws in the U.S. include some form of nonprofit exemption.
What makes a privacy law weak?
A privacy law is generally considered weak when it limits individuals' ability to seek recourse for violations, contains broad exemptions that remove accountability for large categories of organizations, and prevents states from enacting stronger protections. Weak privacy laws tend to favor organizational convenience over constituent protection, lack a private right of action, and are structured to serve as a ceiling on future regulation rather than a floor from which stronger protections can be built.
Why doesn't the U.S. have a federal privacy law?
The U.S. lacks a comprehensive federal privacy law in large part because of a persistent political disagreement over preemption and private right of action. Republicans have generally favored federal legislation that supersedes state law — preventing states like California from maintaining stronger protections — and that limits individuals' ability to sue companies directly for violations. Democrats have generally opposed preemption and supported a private right of action. That gap has blocked federal legislation for years, leaving states to fill the void one bill at a time.
Why is weak privacy law worse than no privacy law?
Weak privacy law creates a false sense of protection while actively foreclosing stronger action. When a state passes a privacy law with broad exemptions, limited enforcement, and no private right of action, it becomes the ceiling — meaning it can prevent stronger state-level legislation from being enacted in the future and limit individuals' ability to seek recourse. No law at least leaves the door open. A weak law closes it by design, often locking in the conditions that benefit the data ecosystem rather than the people whose information moves through it.
Are most state privacy laws in the U.S. considered weak or strong?
Most state privacy laws currently in effect are considered relatively weak compared to the European Union's GDPR or California's CCPA framework. The model most commonly replicated across states — often traced to Connecticut's 2022 law — includes broad exemptions, no private right of action, and enforcement limited to the state Attorney General. Privacy advocates have consistently argued that these laws contain significant loopholes that benefit industry over consumers, and that they were shaped in part by coordinated industry lobbying efforts.
What is the ceiling vs. floor argument in privacy law?
The ceiling vs. floor debate is about whether a privacy law sets a minimum standard that states and individuals can build on, or a maximum standard that prevents stronger action. A floor approach allows states to enact stricter protections beyond the baseline and preserves individuals' ability to seek their own recourse. A ceiling approach — typically favored by industry-aligned legislators — establishes the law as the upper limit, preempting stronger state laws and limiting individual rights. The distinction matters enormously: a floor creates accountability that can grow stronger over time, while a ceiling locks in the conditions that currently exist.