Frequently Asked Questions about Data Privacy 

Do I need to care about privacy if my organization is exempt in certain states or countries?

Short answer: Yes!

Even when nonprofits are legally exempt from certain state or country-specific privacy laws, they still operate in an environment shaped by rising expectations around transparency, consent, and responsible data use. In addition, the number of U.S. states that do not exempt nonprofits is growing quickly.

Constituents don’t experience privacy through statutes. They experience it through how organizations collect, explain, and use their data.

In practice, many nonprofit privacy decisions are driven by platform requirements, vendor contracts, donor expectations, and reputational considerations, not just legal thresholds.

Organizations that rely solely on exemptions often find themselves reacting later, when a platform changes its rules or a constituent asks questions the organization isn’t prepared to answer consistently.

Caring about privacy best practices early gives organizations more control. It allows teams to define acceptable data use on their own terms, rather than being forced into rushed decisions by external pressure. This has a directly positive impact on your revenue.
[Related service: Data Autonomy Framework™]

Which U.S. data privacy laws apply to nonprofits?

There is no federal U.S. privacy law. Instead, organizations must navigate a growing patchwork of state-level privacy laws, many of which treat nonprofits differently or ambiguously. Some states explicitly exempt nonprofits, others include them partially, and some apply based on activity rather than organizational type.

Nonprofits are specifically covered under and required to comply with: Oregon Consumer Privacy Act, Colorado Privacy Act, Montana's Consumer Data Privacy Act, Delaware Personal Data Privacy Act, Connecticut Data Privacy Act (for consumer health data), Maryland Online Data Privacy Act, Minnesota Consumer Data Privacy Act, New Jersey Data Protection Act. (Be advised that this list changes frequently. If you need specific guidance, please contact us.)

National organizations are rarely operating in just one jurisdiction. Data collected through websites, email programs, fundraising platforms, and digital campaigns flows across state lines, platforms, and vendors.

As a result, many organizations focus less on strict applicability and more on whether their practices are defensible, explainable, and consistent across audiences.

[Related services: 1) Enterprise Privacy & Technology Roadmapping 2) Data Privacy Monitoring Service]

How does state-level privacy legislation affect national or international organizations?

State-level privacy laws affect organizations based on where their constituents live — not where the organization is headquartered.

For national and international nonprofits, this makes state-by-state compliance impractical. Data collected online is rarely cleanly segmented by geography, and attempting to customize practices at that level often introduces inconsistency.

Many organizations respond by adopting a single, defensible standard that can hold up across jurisdictions. This approach simplifies operations and positions teams to adapt as laws continue to evolve. Agility Lab can help you craft the approach that's right for you.

How fast have data privacy laws evolved in the U.S.?

In early 2020, only one U.S. state had a data privacy law. By the end of 2025, 19 states had privacy laws.

U.S. data privacy laws have expanded rapidly at the state level, with new definitions, enforcement mechanisms, and expectations emerging regularly. Even after passing initial legislation, many states have revisited and amended their laws to make them tighter.

For organizations, it's important to track emerging legislation as requirements become more advanced. However, teams with shared decision frameworks tend to absorb legal change with far less disruption.

How does U.S. data privacy law differ from GDPR?

GDPR is a single, comprehensive framework with clear definitions and enforcement mechanisms across the EU. U.S. privacy law is fragmented, state-driven, and varies significantly by jurisdiction.

For nonprofits, this often means U.S. compliance feels ambiguous. Many organizations adopt GDPR-inspired principles — such as transparency, purpose limitation, and data minimization — as a practical baseline even when not legally required.

This approach supports consistency and reduces internal confusion.

How does data privacy support compliance with GDPR?

Privacy practices that emphasize transparency, consent, and defined purpose naturally support GDPR compliance.

Organizations that already understand how data is collected, why it’s used, and how consent is honored are better positioned to respond to GDPR-like obligations, even if GDPR compliance isn’t their primary focus.

What is first-party data, and why does it matter for nonprofits?

First-party data is information individuals share directly with an organization, such as email signups, donation history, or stated preferences.

For nonprofits, first-party data is more transparent, more defensible from a privacy standpoint, and more resilient as third-party tracking becomes less reliable. As reliance on first-party data grows, so does the importance of clear consent and appropriate use. Agility Lab regularly consults on practical first-party data-building strategies.

What does “governance” mean in the context of data privacy?

With respect to data privacy, governance refers to the structures and decision rules that guide how data-related choices are made across teams.

Governance answers questions like who can approve new data collection or uses, how consent should be interpreted downstream, and how disagreements are resolved. Without governance, decisions still happen, but they happen inconsistently or under pressure.

[Related service: Data Autonomy Framework™]

What’s the difference between data privacy and data security?

Data security focuses on protecting data from unauthorized access or breaches. Data privacy focuses on how data is collected, used, shared, and explained, even when systems are secure. 

An organization can have strong security controls and still create privacy risk if data is used in ways audiences don’t expect. 

While there are many areas of overlap, security and privacy are different areas of expertise. Agility Lab consults around privacy best practices.

Who is typically responsible for data privacy within an organization?

Data privacy rarely sits cleanly with one team.

Legal interprets laws, marketing activates data, IT manages systems, analytics defines measurement, and leadership is accountable for outcomes. Problems arise when privacy is treated as someone else’s responsibility.

Organizations that manage privacy well assign leadership accountability while creating shared decision frameworks across teams. A first stop in many Agility Lab engagements is to help you determine which team members should be part of your cross-organizational governance working group. We also often discuss whether hiring is necessary to fulfill your internal obligations.
[Related services: 1) Data Autonomy Framework, 2) Privacy Product Management]

How do organizations balance privacy with fundraising and growth goals?

Privacy and growth are often framed as competing priorities, but they don’t have to be.

Organizations that are clear about how and why they use data tend to build stronger, longer-term relationships with their audiences. That trust supports sustainable growth rather than short-term optimization. In addition, many third-party tools and vendor partnerships that support your revenue growth now require privacy compliance, making it foundational to your continued growth.

How is strategic privacy support different from legal advice?

Legal advice focuses on interpreting laws and managing exposure. Strategic privacy support focuses on providing guidance on how decisions are made and implemented across teams.

Agility Lab acts as a partner across your teams and is not a replacement for legal counsel. I help teams understand operational gaps and their associated risks and work across your teams to determine priority ranking of what to address first and how. Your internal team is the ultimate decider of tolerance levels.

[Related service: Privacy Product Management]

What are the risks of not implementing privacy best practices?

The most common risks are operational rather than regulatory.

Organizations often experience inconsistent answers, data ambiguity, internal disagreement, or last-minute scrambles when tools or platforms change. Over time, these breakdowns can create reputational risk, especially when teams are unable to honor audience rights in a timely way, answer questions from leadership or the board, or confidently explain how data is being used.

In practice, privacy risk shows up in many forms. This can include unconsented data being transferred via tracking pixels, sensitive information being exposed in a contact report, or data flowing to third parties in ways the organization didn’t intend.

Privacy gaps tend to surface during audits, vendor reviews, or moments of public scrutiny when organizations are asked to explain or defend practices they haven’t had to articulate clearly before. While legal penalties do occur, they are typically assessed by states and are often only one part of a broader impact that includes operational disruption and loss of trust.

How do privacy gaps usually surface inside organizations?

Privacy gaps typically show up as friction: conflicting guidance between teams, stalled initiatives, or uncertainty about whether data can be used for a particular purpose.

Often, it’s a third-party that brings these gaps to the surface. This might look like a board member asking difficult questions, a major donor raising concerns, or a vendor requiring formal compliance before moving forward with a partnership.

These moments aren’t unusual, but they do put organizations in a reactive position. Rather than reflecting bad intent, privacy gaps usually reveal a lack of shared assumptions and documented decision-making across teams.

At Agility Lab, this is why we start with a structured assessment of current practices to help organizations clearly see where gaps exist, where opportunities lie, and which decisions would benefit most from shared clarity.

How do privacy best practices support long-term growth and sustainability?

Privacy best practices support growth by creating trust, resilience, and flexibility.

Organizations that respect data expectations are better positioned to adapt as platforms and laws change, respond confidently to new questions, and invest in emerging technologies without hesitation or rework.

Over time, this clarity reduces friction, strengthens relationships with donors and constituents, and allows teams to move forward with confidence knowing their data practices can support both mission and growth.

How do we ensure consent signals carry across our tech stack?

Consent signals don’t usually fail because tools are broken; they usually fail because expectations aren’t aligned.

Ensuring consent carries properly requires understanding where data enters the ecosystem, how it flows across systems, and how consent should be interpreted downstream. Agility Lab includes this step as part of our services below.

[Related services: Enterprise Privacy & Technology Roadmapping]

Do tools like consent banners actually make us compliant?

Consent banners are important, but they are not a complete solution.

Compliance depends on how consent signals are honored across platforms, vendors, and downstream use. The platforms you choose are only as good as the governance decisions you make upstream to guide them.

How do tracking, pixels, and server-side data collection affect privacy?

Tracking technologies shape data collection in ways that are often invisible to non-technical teams but highly consequential for privacy, consent, and trust.

Client-side tracking, server-side data collection, and third-party pixels each play different roles in how data is gathered and transmitted. None of these approaches are inherently “good” or “bad.” What matters is how they are implemented, governed, and explained.

Client-side tracking typically relies on scripts running in a user’s browser. This is where consent banners most visibly operate, and where many organizations focus their privacy efforts. However, client-side controls are only one layer. Data collected here is often passed downstream to analytics platforms, ad networks, and other vendors.

Server-side tracking can offer greater control and performance benefits, but it also introduces new responsibility. Because data is routed through an organization’s own infrastructure, assumptions about consent, purpose, and acceptable use must be explicitly defined. Without shared clarity, server-side setups can unintentionally bypass or override user preferences.

Third-party pixels introduce another layer of complexity. These tools often collect data automatically once deployed, and “piggybacking” can occur when additional vendors receive data without clear awareness or approval. This is one of the most common ways organizations expose themselves to privacy risk without realizing it.

The privacy challenge isn’t the technology itself — it’s the lack of shared decision-making around:

• when and why tracking is used,

• how consent signals are interpreted and transferred,

• and which teams are accountable for ongoing oversight.

Organizations that manage this well treat tracking as a strategic choice that honors their constituent's wishes rather than a technical afterthought. They ensure non-technical stakeholders understand how data flows, and they revisit decisions as tools, platforms, and expectations evolve.

This is where privacy governance becomes essential: not to restrict capability, but to make sure tracking practices align with consent, values, and long-term trust.

[Related services: Privacy Product Management]

How does data privacy affect AI readiness?

AI readiness depends far less on tools than on whether an organization understands and trusts its own data practices.

AI systems don’t create new information — they amplify whatever inputs they’re given. If an organization lacks clarity about how data was collected, what consent was given, or what uses are considered acceptable, AI adoption introduces real risk very quickly.

For nonprofits, this risk isn’t just technical or legal. It’s reputational. Constituents expect their data to be handled with care, especially as AI tools become more powerful and less transparent.

Organizations that are truly ready for AI tend to have:

• clear definitions of acceptable data use,
  
• shared understanding of consent and purpose limitations,
  
• and governance structures that support cross-team decision-making.
  

Without these foundations, AI adoption often stalls — or worse, moves forward in ways that are difficult to undo later.

[Related service: AI Readiness & Responsible Adoption]

What are the privacy risks of using generative AI in nonprofits?

Generative AI introduces privacy risks because it can combine data sources in unexpected ways, retain information longer than intended, and surface sensitive details without clear auditability.

In nonprofit contexts, common risks include:

• staff using donor or constituent data in tools without understanding how that data is stored or reused,
  
• models generating outputs that unintentionally reveal sensitive information,
  
• and blurred boundaries between internal experimentation and external exposure.
  

While regulatory risk is evolving, reputational risk is immediate. Once trust is eroded, it’s difficult to rebuild.

These risks are rarely the result of bad intent. More often, they stem from unclear expectations, informal experimentation, or assumptions that “this is just a draft” or “this data isn’t sensitive.”

Organizations that address these risks early focus less on banning tools and more on establishing shared rules of the road.

How should organizations set guardrails for AI experimentation?

Effective AI guardrails are principle-based, not tool-specific.

Because AI tools evolve quickly, guardrails anchored to individual platforms become outdated almost immediately. Instead, organizations benefit from agreeing on:

• what types of data should never be used in AI tools,
  
• what uses require additional review or approval,
  
• and what is appropriate for low-risk experimentation.
  

Clear guardrails reduce friction. Staff are less likely to experiment in secret, and leadership is better positioned to support innovation without sacrificing trust.

The goal isn’t to slow teams down. It’s to make sure experimentation aligns with organizational values, consent expectations, and accountability.

Does strong privacy governance make AI adoption easier or harder?

In practice, privacy governance makes AI adoption much easier.

Organizations with strong privacy governance can evaluate AI tools with confidence because they already understand:

• what data they have,
  
• how it can be used,
  
• and who needs to be involved in decisions.
  

Without governance, AI conversations tend to polarize. Teams either push forward too quickly or default to blanket bans out of caution. Both approaches limit learning and create frustration.

Privacy governance replaces uncertainty with shared understanding, allowing organizations to move forward deliberately rather than reactively.