
Data Privacy

Protecting Your Purpose: How Nonprofits Can Navigate Privacy Laws, Data Risks, and Limited Resources

Ian Phippen - November 10, 2025

Over the past five years, the privacy landscape has changed radically for U.S. nonprofit organizations. Funding is down, regulatory grace periods are off, and cybersecurity attacks are on the rise. We connected with nonprofit privacy leaders in our community to understand what’s keeping them up at night—and how they’re staying resilient.

Nonprofits are not exempt from U.S. privacy regulations

When the first U.S. state privacy laws emerged, many nonprofits were excluded from enforcement. That’s changing quickly. Starting with the Colorado Privacy Act (effective 2023), some states have held all or many nonprofits to the same expectations. Delaware, Maryland, Minnesota, New Jersey, and Oregon are among the states that hold certain nonprofits to the same or similar standards as for-profit organizations. 

Nonprofits are not exempt from enforcement, either. In September 2025, AARP agreed to a $12.5 million class action settlement regarding user information allegedly shared via the Meta Pixel tool.

Nonprofit communities can be more vulnerable to sensitive data leaks

While some nonprofit compliance teams may be reasonably worried about new privacy regulation, privacy law enforcement should not be their only motivator. Time reports that data breaches have increased by 70% since 2021, and incidents are only expected to rise as AI unlocks new opportunities to hack at scale. 

A data breach isn’t just an email notice or regulatory fine for a nonprofit. Depending on the data accessed and how vulnerable the nonprofit’s population may be, a single data breach could threaten lives and shutter programs. 

John Cavanaugh, Founder and Executive Director at the Plunk Foundation, explains, “If regulation exempts you, that’s not a pass—it’s a responsibility. Your constituents are at even greater risk if their sensitive data is leaked, and if that happens, your community loses trust in you forever. It’s one of the biggest catastrophes that could happen.”

For example, if your nonprofit serves survivors of domestic violence, current participant location data is extremely sensitive and dangerous. For-profit ventures like the Tea Dating Advice app have already provided a case study in this playbook. Tea was marketed to users as a safety solution, offering women a means to screen potential intimate partners for histories of dangerous or simply hurtful behaviors. As shared on BBC, a data breach led to 33,000 women’s addresses getting collected on a convenient map created by misogynist internet groups to dox and humiliate Tea users.

A similar event at a nonprofit could seriously endanger the very community members the nonprofit attempts to serve. Even a photo can reveal more than intended through metadata.

Nonprofit funding cutbacks limit resources to address the problem

Meanwhile, nonprofit budgets have tightened. In 2023, NonProfit PRO reported the first downward trend in donation dollars in over ten years, and AFP Global observed continued declines in 2024. At the start of 2025, the United States announced significant cuts to federal grants, further increasing pressure on nonprofit budgets. Fundraising can’t make up the difference: Financial Times reports that some philanthropists have responded by pausing their own donations. 

The result? Nonprofits have fewer resources to properly protect their highly sensitive data.

“Most nonprofits don’t have any IT or security team,” John Cavanaugh expands. “They’re piecing together donation tools, newsletters, AI notetakers, volunteer apps—none of which were designed for least-privilege, consent-first use.” 

On the other end of this spectrum are international non-governmental organizations (INGOs). With a global reach, having dedicated business technology solutions and data protection teams is essential.

Take global humanitarian organization Save the Children, which has been working for over 100 years across more than 100 countries. When Jeff Benitez became the Data Protection Manager for Save the Children U.S. in 2021, the organization was preparing for upcoming regulation and identified a critical need to operationalize donor data privacy at scale. Jeff’s background in cybersecurity gave him a strong start, but he had a learning curve ahead in navigating data privacy within a nonprofit context.

When it came time to select a privacy management solution, choosing the right partner was key to maximizing the investment. “We don’t have funds to waste on the wrong partner,” Jeff explained.

Nonprofits need collaborators to survive

Jeff didn’t just need a tool, he needed a dependable partner. “Everyone at DataGrail feels like an extension of our team. Together, we’ve automated compliance workflows and streamlined our processes, reducing risk and further reassuring our community that we take the greatest care with their data,” he added.

We’re proud to partner with Jeff and Save the Children, but tech partners aren’t the only place nonprofit privacy enthusiasts can look to for support.

It’s less likely a small nonprofit will have the means to hire a dedicated privacy professional, but technical leaders at these organizations can help protect marginalized groups everywhere by stepping forward and bravely sharing their own best practices and tips. Once they understand the power of their data, nonprofit organizers can be extremely motivated on data privacy. 

“Nonprofits need collaboration in areas they’re not experts,” remarked John Cavanaugh. John’s nonprofit, the Plunk Foundation, helps fellow nonprofits improve their privacy practice. He explains, “Plunk focuses on small, safe moves: connect what you already use, show a limited view to the right person, and push back a tiny, auditable task instead of moving raw data around.”

John makes it a personal mission to provide that support to fellow nonprofit leaders, whether through his own organization or his personal LinkedIn page. His work has transformed the privacy practice of hundreds of nonprofits already, evidenced by his many peer nominations in the 2025 Data Privacy Hero Awards. 

Collaboration isn’t passive. Leaders like John and Jeff take risks, speak up, and try new things to help the community move forward. To get through the increasing financial strain on nonprofits without endangering the populations they serve, privacy leaders can cultivate mentorship and educational opportunities.

If you’re looking to find a community, join Privacy Basecamp, our Slack community supporting 1,400+ experienced privacy practitioners. They’re not all from the nonprofit sector, but they’re happy to lend a hand and help track down resources when they’re needed most.
