Stay Agile Blog

The problem with the “just update your privacy policy” advice

Tags: data minimization, data privacy, lean data. May 25, 2026

For years, the standard compliance advice for nonprofits participating in co-op data exchanges, list rental, or behavioral targeting has been straightforward: disclose it in your privacy policy and give people a way to opt out. In most states, that guidance still holds. But a growing number of states are asking a harder question — and Maryland's Online Data Privacy Act is the clearest example of where this is heading.

The question isn't whether you disclosed a data use. It's whether that use was necessary in the first place.

Two Different Data Minimization Standards

Most state privacy laws operate on a purpose disclosure model. Data collection and sharing is permissible as long as you've told constituents what you're doing and given them a mechanism to opt out. Under that framework, a privacy policy update is a legitimate compliance step. It's why the advice has circulated so widely, and why it remains accurate for most of the states where your constituents live.

But Maryland's Online Data Privacy Act (MODPA), now in enforcement as of April 2026, uses a different standard entirely. Controllers must limit data collection and use to what is "reasonably necessary and proportionate to provide or maintain the specific product or service requested by the consumer."

The operative word in Maryland's standard is requested. Not disclosed. Not consented to. Requested, meaning the specific transaction the constituent chose to enter into with your organization.

That's a meaningful shift. A donor who gave to support your mission requested a transaction around that mission. Whether contributing their data to a co-op prospecting pool, appending their record with third-party attributes, or using their giving history to build a behavioral targeting segment is necessary to fulfill that transaction is a much narrower question than whether you disclosed it.

In most cases, the answer is no.

It's also worth noting that a lean data approach — collecting less, retaining less — is often cited as the solution to data minimization requirements. It's a meaningful step, but not the complete answer. MODPA's standard isn't just about volume. Data you've legitimately collected for one reason can still create a compliance problem if it's being used, shared, or sold beyond what the constituent originally requested. Collection and use are two separate questions under this law.

Why This Matters Beyond Maryland

Maryland isn't an outlier so much as an early indicator. The "reasonably necessary" standard it applies to general personal data is already present in several other state laws. What Maryland did was anchor that standard to the consumer's requested transaction rather than the organization's disclosed purposes. That's a distinction that sounds technical but has significant operational implications.

The framing is gaining traction. As more states weigh comprehensive privacy legislation, the debate is increasingly not whether to require data minimization, but how strictly to define what "necessary" means.

The disclosure model — tell them what you're doing, let them opt out — is being supplemented, and in some jurisdictions replaced, by a necessity model that starts from what the constituent actually asked for.

For nonprofits, this is particularly consequential. Nonprofits are not exempt under MODPA, and some practices central to nonprofit direct response fundraising (co-op exchanges, behavioral targeting, list enrichment) are exactly the practices the necessity standard most directly challenges. The compliance question is no longer just "did we disclose this?" It's "can we justify this relative to what our constituents asked us to do?"

What "Just Update Your Policy" Was Always Solving For

It's worth being precise about this: the privacy policy update advice was never wrong, and it is still not wrong for compliance purposes in most states. That advice was solving for the laws that existed.

In a disclosure-based framework, disclosure is the compliance mechanism. The practitioners giving that advice weren't cutting corners — they were applying the right standard to the laws on the books.

What's changing is the laws. Maryland has introduced a necessity-based standard that a policy update doesn't satisfy. If more states move in that direction — and the legislative trend suggests they will — the compliance infrastructure most nonprofits have built around disclosure will need to expand to address justification.

That doesn't require burning down your acquisition program. It requires starting to ask a different question: not just "did we tell them?" but "can we justify this relative to what they asked us to do?"

Four Data Privacy Practices to Adopt Now

Run a DPIA on your co-op and vendor data relationships. A data protection impact assessment forces the necessity question explicitly: what data are we contributing, to whom, for what purpose, and can we justify it relative to what the constituent requested? Most nonprofits haven't applied this lens to co-op participation. MODPA itself also requires a data protection assessment for processing that presents a heightened risk of harm, a category that includes the sale of personal data and targeted advertising, so if Maryland residents are in those flows the assessment is not optional. It's the right first step regardless of which states your constituents live in.

Audit whether Maryland constituents are in your contributed data, and consider geo-filtering. If Maryland residents are in your co-op pool or appended data flows, you have a near-term exposure. Excluding them is a short-term mitigation, similar to how some organizations handled GDPR by geo-excluding EU residents. Two caveats. First, geo-filtering is only as good as the state-of-residence field it keys on: stale addresses, blank states, and records whose state was itself inferred from an append will leak Maryland residents through the filter, so decide in advance whether unknown-state records are excluded or exported. Second, be clear-eyed that this is a stopgap. As more states adopt necessity-forward frameworks, the exclusion list will grow until geo-filtering is no longer workable on its own. Broadly, Agility Lab does not encourage state-specific privacy strategies given their obvious scalability issues.

Push the first-party data conversation internally. Consent-based list growth and first-party modeling have longer payback periods than co-op prospecting. That's a real constraint. But it's the direction of durable acquisition, and even beginning the internal conversation about less co-op-dependent growth is meaningful progress.

Bring legal and fundraising to the same table. The "just update your policy" advice often travels through fundraising operations without reaching legal counsel. Whether your data sharing practices can be justified under a necessity standard — in Maryland today, and potentially in other states tomorrow — is a legal and operational question, not just a marketing one.
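As an added illustration of the second practice above (this is example code written for this edit, not code from the original post or from Agility Lab): a small Python export gate that applies the post's distinction at the point where a contribution file leaves the organization. Every record is checked against the model its state is assumed to follow, disclosure-plus-opt-out for most states, necessity (was this purpose part of what the constituent requested?) for Maryland. The state table, field names, purpose labels and sample donors are assumptions constructed for the example, not a restatement of any statute.

```python
"""Purpose-bound export gate for a co-op / vendor contribution file.

Added example for this post, not code from the original page. The state
table, field names and purpose labels are assumptions for illustration,
not a restatement of any statute. The gate runs at the point of export
(co-op, append vendor, targeting platform), not at collection, because
collection and use are separate questions under a necessity standard.
"""
from collections import Counter
from dataclasses import dataclass

# Assumption: states modelled here as necessity-based, i.e. a use must be
# among what the constituent requested; disclosure alone is not enough.
# Only Maryland is listed; the post expects this set to grow, which is
# exactly why geo-filtering is a stopgap rather than a strategy.
NECESSITY_STATES = {"MD"}

# Assumption: purposes the organization's privacy policy currently discloses.
DISCLOSED_PURPOSES = {
    "donation_processing", "mission_updates", "coop_prospecting", "list_enrichment",
}


@dataclass(frozen=True)
class Constituent:
    cid: str
    state: str                 # state of residence as currently on file ("" if unknown)
    opted_out: bool            # has exercised the opt-out the privacy policy offers
    requested: frozenset[str]  # purposes the constituent's own transaction asked for


@dataclass(frozen=True)
class Decision:
    cid: str
    cleared: bool
    reason: str


def model_for(state: str) -> str:
    """Pick the compliance model for a record.

    A blank or unknown state cannot be geo-filtered, so it fails closed to
    the stricter necessity model instead of silently defaulting to disclosure.
    """
    code = state.strip().upper()
    if not code or code in NECESSITY_STATES:
        return "necessity"
    return "disclosure"


def decide(c: Constituent, purpose: str) -> Decision:
    """Decide whether one record may be exported for `purpose`."""
    if c.opted_out:
        return Decision(c.cid, False, "opted_out")
    if model_for(c.state) == "necessity":
        # Necessity model: the question is "did they ask for this?",
        # not "did we tell them?"
        if purpose in c.requested:
            return Decision(c.cid, True, "necessity:requested")
        return Decision(c.cid, False, "necessity:not_requested")
    # Disclosure model: disclosed in the policy and no opt-out is sufficient.
    if purpose in DISCLOSED_PURPOSES:
        return Decision(c.cid, True, "disclosure:disclosed")
    return Decision(c.cid, False, "disclosure:undisclosed")


def gate(records, purpose: str) -> tuple[list[str], list[Decision]]:
    """Split a contribution file into IDs cleared for export and held records."""
    decisions = [decide(c, purpose) for c in records]
    cleared = [d.cid for d in decisions if d.cleared]
    held = [d for d in decisions if not d.cleared]
    return cleared, held


def summarize(held) -> dict[str, int]:
    """Count held records by reason; this is the evidence a DPIA wants to see."""
    return dict(Counter(d.reason for d in held))


# Constructed sample file: a few donors and the purposes their gift requested.
SAMPLE = [
    Constituent("d-001", "VA", False, frozenset({"donation_processing", "mission_updates"})),
    Constituent("d-002", "MD", False, frozenset({"donation_processing", "mission_updates"})),
    Constituent("d-003", "md", False, frozenset({"donation_processing"})),
    Constituent("d-004", "CA", True, frozenset({"donation_processing", "mission_updates"})),
    Constituent("d-005", "", False, frozenset({"donation_processing", "mission_updates"})),
]

if __name__ == "__main__":
    for purpose in ("coop_prospecting", "mission_updates"):
        cleared, held = gate(SAMPLE, purpose)
        print(purpose, "cleared:", cleared, "held:", summarize(held))
```

Run against the constructed sample, a co-op prospecting export clears only the Virginia donor; both Maryland records and the blank-state record are held because prospecting was never part of what those donors asked for, and the California record is held by opt-out. A mission-updates export, which the donors did request, clears the Maryland records as well. The point the code makes that the paragraph alone does not is that geo-filtering and justification are the same check seen from two sides: once the necessity set holds more than one state, maintaining `NECESSITY_STATES` is the scalability problem the post warns about, and the reason column in `summarize` is what you would carry into the DPIA.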

 

The Disclosure Model Isn't Gone — But It's No Longer Sufficient Everywhere

In most states, a well-maintained privacy policy that accurately reflects your data practices remains a cornerstone of compliance. That's still true. What Maryland demonstrates is that disclosure is increasingly the floor rather than the ceiling. The organizations that understand that distinction now will be better positioned as the legislative landscape continues to shift.

The question data minimization is really asking is one the sector hasn't had to answer directly before: was this data use necessary to fulfill what our constituents asked us to do? Getting comfortable with that question — and being able to answer it — is the work ahead.

