PREEMPTING THE STATES AND PROTECTING THE CHARITIES: A CASE FOR NONPROFIT-EXEMPTING FEDERAL ACTION IN CONSUMER DATA PRIVACY.

• Author: Fisher, Sarah

TABLE OF CONTENTS INTRODUCTION 230 1.501(c)(3) Data Use Background 235 II. COMPLEXITY OF EXISTING PATCHWORK SYSTEM 237 A. Existing Comprehensive Consumer Privacy Measures 238 1. European Union General Data Protection Regulation 238 2. California Consumer Privacy Act 241 3. Virginia Consumer Data Protection Act 244 4. Colorado Privacy Act 246 B. Federal Preemption Attempts 249 III. A CASE FOR FEDERAL PREEMPTORY ACTION THAT EXEMPTS 501(C)(3)S 251 A. Commerce Clause Power Permits Congressional Action 251 B. Scope of Measure Would Ensure Constitutionality 253 C. Normative Concerns Support Federal Preemptory Action 255 1. Public Policy Favors Survival of 501(c)(3) Organizations 256 2. Constraints on (c)(3) Activities Strengthen Case 258 3. Balance of Individual Right vs. Nonprofit Existence 259 IV. STATES DO NOT KNOW BEST 260 CONCLUSION 262 INTRODUCTION

Imagine the following: residents of Smalltown, Virginia, a community transitioning away from coal production and toward green fuels, become interested in educating their neighboring cities and counties about the environmental benefits of sustainable energy production. (1) Familiar with national nonprofit groups founded to educate the public on environmental causes and green energy, Smalltowners run a quick internet search and discover that no such organizations exist in their corner of the Commonwealth. (2) Thus, at a local government meeting, the Smalltowners decide to create their own educational, charitable organization to teach their peers about the environmental benefits of sustainable fuels and to raise funds for those impacted by coal-related health conditions.

Pro bono Smalltown Lawyer recommends that the Smalltowners create an entity under Virginia law and has Smalltown Paralegal file articles of incorporation to form a nonstock corporation. (3) After official formation of the new organization, Smalltown Charity applies for and receives federal tax-exempt status from the Internal Revenue Service under section 501(c)(3) by virtue of the group's charitable and educational mission. (4) Smalltown Charity promptly begins soliciting and receiving donations from Virginians and soon produces a series of environmental education videos that go viral online with a creative hashtag. (5) Smalltown Charity receives a tidal wave of interested donors from Virginia who are beyond eager to support the group's cause. Unconvinced that Smalltown Charity's popularity will continue and unable to purchase expensive recordkeeping systems, the Smalltowners' cause remains an all-volunteer operation with donation information recorded in basic software. (6)

One year after the viral campaign, Smalltown Charity receives an email from Bigtown Donor demanding that Charity delete any information it has on file about him and alleging that Charity has failed to gain his consent for using his information in targeted educational mailing materials. (7) Donor claims that a new Virginia data privacy law gives him rights to these actions and requires Charity to set up sophisticated processing systems to constantly monitor donor information. (8) Smalltown Charity finds the new law online and rushes to contact Smalltown Lawyer to interpret the statute. Lawyer declines to provide additional pro bono services, leaving Charity's volunteers to interpret the legalese of a 6,000-word statute on their own. (9)

Through the volunteers' informal research, Charity discovers that new, similar data privacy measures have also been passed in California, Colorado, and the European Union. (10) Smalltown volunteers skim the Charity's records and discover that the Charity has received donations from donors in all three of these jurisdictions. Mistakenly believing that the receipt of a singular donation is a sufficient trigger for requiring compliance with each of these measures, Smalltown Charity scrambles to upgrade its software and takes out loans to retain a data protection firm and a privacy attorney from neighboring Bigtown. Eventually, Smalltown Charity is forced into bankruptcy, driven out of operation by the sky-high compliance costs incurred by an inaccurate reading of complex privacy statutes. (11)

This scenario highlights the two most significant challenges posed by the emerging patchwork of consumer privacy and data protection statutes to nonprofit organizations. First, nonprofit organizations--particularly 501(c)(3) tax-exempt groups--uniquely rely on personal data in the form of donations to power their budgets and their programs and thus are uniquely overburdened by statutes that demand overhauls to internal personal data processing systems. (12) 501(c)(3) charitable and educational organizations are sustained by the dollars of their donors, dollars that are processed alongside personal information that is, in turn, used for targeted programming. (13) Second, the costs of compliance relative to income are higher for tax-exempt organizations by virtue of their limited budgets and personnel resources. (14) These costs are applicable to organizations that incorrectly conclude compliance is required as well as organizations that accurately assess their compliance obligations. (15)

Perhaps in recognition of these difficulties, select enacted data privacy protection measures explicitly exempt 501(c)(3) organizations from compliance. (16) The European Union's GDPR requires compliance from any entities that process the "personal data" of individuals located in the EU, with "personal data" broadly defined as "any information relating to an... identifiable natural person." (17) The GDPR does not distinguish between data captured for for-profit purposes versus data used in nonprofit ventures. (18) By contrast, California's CCPA generally applies only to for-profit entities but can capture nonprofits in the compliance net depending on the details of their business relationships with for-profit entities, such as sharing corporate branding. (19) Colorado's CPA measure mirrors the GDPR in failing to exempt any nonprofits from compliance, (20) while Virginia's VCDPA exempts only Virginia-formed nonstock corporations and Internal Revenue Service (IRS)-classified 501(c)(3) organizations. (21)

This confusing patchwork of state and international measures, coupled with the internet-age phenomenon of even tiny organizations processing data from donors around the globe, presents 501(c)(3) groups with a Morton's fork: either to risk bankruptcy by expending the massive monetary and temporal resources necessary to determine compliance and overhaul internal systems or to do nothing and risk disciplinary action for failure to comply with any one of these measures. (22) Both types of risk carry heightened societal consequences as both endanger organizational bankruptcy. As a public policy matter, 501 (c)(3) classification exists on the theory that (c)(3) organizations offer societal benefits so significant that the government is willing to subsidize said organizations' operations by virtue of federal tax-exemption. (23) Simultaneously, widespread compliance with some set of consumer data privacy standards is crucial for vindicating the individual privacy interest central to existing data privacy law. (24)

Preferably, then, the optimal consumer data privacy scheme is one that would balance the interests of individual consumers in controlling their personal information online against the collective, societal interest of 501(c)(3) organizations' continued operation. (23) The ideal arrangement would also eliminate the confusing patchwork system of disparate, single-jurisdiction measures currently in place in favor of a uniform, singular standard operative nationwide. (26)

How does such an ideal system emerge? This Note argues that Congress should use its Commerce Clause power to pass a consumer data privacy measure that (1) preempts state law and (2) explicitly exempts 501(c)(3) organizations from compliance. (27) Such preemptive action with a narrow 501(c)(3) carve-out would avoid the potential harm of exempting too broad a group of nonprofit entities while ensuring charitable organizations' continued existence, would be more protective of both the individual privacy right and 501(c)(3) existence than merely adjusting the revenue dollar threshold at which entities must comply, and would properly balance the individual right to control personal data with the societal good served by the existence of 501(c)(3) charitable organizations. (28)

Part I of this Note elaborates on the relationship between 501(c)(3) organizations and personal data and expands on the compliance difficulties faced by (and the collective societal good of) (c)(3) groups. Part II reviews the four major existing privacy law measures--the GDPR, the CCPA, the CPA, and the VCDPA -- and analyzes the scope of each measure's reach as it pertains to 501(c)(3) charities. Part III of this Note makes the case for federal pre-emptory action in a sweeping consumer privacy rights measure that trumps the existing patchwork of state law and exempts 501(c)(3) organizations from compliance. Finally, Part IV of this Note considers and responds to potential Tenth Amendment and state expertise counterarguments that could be raised in opposition to federal preemptory action in this arena.

1.501(c)(3) DATA USE BACKGROUND

An overview of the centrality of data to 501(c)(3) organizations' operations is necessary to ground the discussion in Parts II, III, and IV of this Note.

For-profit businesses, especially those with expansive online presences, often have entire revenue and expense streams dedicated to the purchase and sale of consumer data. (29) The rise of "big data" is no doubt a market-wide phenomenon, (30) yet 501(c)(3) organizations' use of and reliance on consumer data differs meaningfully from that of their for-profit counterparts. First, charitable organizations must collect personal data--often copious amounts of it--because they are funded predominantly by...