Do State Data Privacy Laws Apply to Your Nonprofit Organization?

by Margo Fannon

April 7, 2026

As reliance on digital platforms continues to expand and mobile device usage has become nearly universal, public concern regarding the collection, use, and dissemination of personal information online has intensified. Large technology companies collect and monetize personal user data through targeted advertising. In response to these types of practices and growing consumer awareness, state legislators are prioritizing regulation of the collection and processing of personal data.

Over the past several years, many states have enacted comprehensive consumer data privacy laws designed to help protect consumer rights over personal data. To date, twenty states have passed such legislation,[1] and fifteen states currently have active consumer privacy bills in their legislatures.[2] These statutes share common structural elements and requirements, but the laws can vary in scope and restrictiveness. Among the most expansive and influential data privacy laws in the country are the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).[3]

State Law Applicability Requirements

Nonprofit organizations assessing whether a state data privacy law applies to them should evaluate several common threshold requirements.

1. Processing Personal Information

A nonprofit organization should first consider whether it collects or processes “personal information” or “personal data” of any kind. The term “personal information” could be defined broadly in a statute and may include information such as names, email addresses, credit card information, or government identifiers (e.g., social security numbers). Many statutes exclude publicly available information from the definition.

If a nonprofit organization does not collect or process personal data as defined by the applicable statute, it is unlikely to fall within the law’s scope. However, most organizations do maintain at least some qualifying information, such as donor records, employee data, or mailing lists, making further analysis necessary.

2. Conducting Business in the State

Most state privacy statutes apply only to entities that “conduct business” in the relevant state. The meaning of this phrase varies by jurisdiction but may include maintaining a physical office, employing personnel, entering into contracts, or deriving a significant, recurring revenue stream from residents of that state. Organizations that are required to foreign qualify in a state are often considered to be conducting business there.

Certain states adopt different or broader applicability standards. For example, Colorado offers an alternative applicability standard that applies its data privacy law to legal entities that produce or deliver commercial products or services that are intentionally targeted to Colorado residents.[4] Similarly, Texas employs an expansive test, applying its statute to businesses that produce a product or service that is consumed by a Texas resident, even if the entity would not qualify as “conducting business” in the state.[5]

3. Data Volume Thresholds

Most state privacy laws include numerical thresholds tied to the volume of personal data processed. These thresholds may be based on the number of state residents whose data is controlled or processed annually. Each state establishes its own criteria, making it essential to review each state’s specific statutory language. In some jurisdictions, applicability may also depend on whether the organization derives a certain percentage of gross revenue from the sale of personal data.

Nonprofit-Specific Considerations

Several states do provide exemptions for certain nonprofit organizations. However, these exemptions are not uniform. Some statutes categorically exempt nonprofit entities,[6] while others limit exemptions to specific types of nonprofits, such as entities that are dedicated to preventing insurance fraud.[7]

Accordingly, a nonprofit organization that processes personal data relating to a significant number of individuals within a state should carefully review that state’s statutory exemptions before concluding that it is outside the law’s scope.

Common Compliance Obligations

State data privacy laws typically grant consumers specific rights regarding their personal data. These commonly include:

  • The right to access personal data maintained by the organization;
  • The right to request correction of inaccurate information;
  • The right to request deletion of personal data;
  • The right to opt out of certain data processing activities, including the sale or targeted advertising use of personal data.

Certain statutes also impose heightened requirements for the processing of “sensitive” personal data[8] and may require businesses to provide clear privacy notices outlining data practices.[9] Additionally, organizations could be required to establish mechanisms for receiving and responding to consumer rights requests.

If your organization determines that it is subject to a state data privacy law, it should consider implementing a comprehensive data privacy compliance program. Such a program could include adopting formal privacy policies, conducting data mapping exercises, training personnel, and establishing procedures for responding to consumer inquiries.

Careful analysis of applicability thresholds and statutory exemptions is essential. Once an organization determines that a state data privacy law applies, it must ensure that it fully understands and complies with the substantive obligations imposed by that statute.

To learn more about state-specific resources, see Napa Legal’s Multi-State Compliance Matrix.

-----------------------------

1 The states that have adopted comprehensive data privacy laws are: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, New Hampshire, Nebraska, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia. Bloomberg Law, State Privacy Legislation Tracker, https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/ (last visited Mar. 4, 2026).

2 The states that currently have active comprehensive data privacy bills in their legislatures are: Alabama, Arkansas, Georgia, Illinois, Maine, Massachusetts, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Vermont, West Virginia and Wisconsin. Bloomberg Law, State Privacy Legislation Tracker, supra note 1.

3 Cal. Civ. Code §§ 1798.100–.199 (West 2026).

4 Colo. Rev. Stat. § 6-1-1304 (2021).

5 Tex. Bus. & Com. Code § 541.002 (West 2026).

6 Id. at § 541.002(b)(4).

7 Venable LLP, What Nonprofits Need to Know About State Data Privacy Laws (Oct. 2023), https://www.venable.com/insights/publications/2023/10/what-nonprofits-need-to-know-about-state (last visited Mar. 4, 2026).

8 Cal. Civ. Code § 1798.140(ae).

9 Tex. Bus. & Com. Code § 541.102.
