Stay Agile Blog


The Equity Problem with State-Based Privacy Implementation

advertising strategy analytics consumer data Mar 27, 2025

As nonprofit professionals, we’re in the business of honoring the rights of our communities and meeting them with empathy, care, and respect. That commitment doesn’t stop at programming or communications. It includes how we handle data, how we respect privacy, and how we make decisions about the tools we use to power our missions.

Yes, we have to be practical. We need to reach people to raise awareness and funds. We need to use the tools available to extend our impact. But we also need to be honest with ourselves about where the world is headed -- and be bold enough to lead, even before it's required. That means not waiting for every state to catch up on privacy legislation before we take action.

Privacy Implementation Scenarios

If you're not deep in the weeds, there are essentially three choices you can make regarding how you implement basic data privacy requirements in the U.S. at this moment in time:

  1. You can take a state-by-state approach, in which you only implement infrastructure (e.g., your cookie consent banner, honoring constituent rights to view/modify/delete their data, etc.) in the states in which it's currently legally mandated.
  2. You can implement a more universal approach that doesn't necessarily force you into an exclusively opt-in model via elements like your lead gen forms, but does apply some of the tactics I just named broadly across all of the states. I call this option GDPR-lite.
  3. You could go all-in on an opt-in only model, which would put you in the realm of being fully compliant even with the likes of the EU's GDPR. A great move for human rights! Also one that tends to scare revenue drivers.

There is business and legal risk in each of the options above, so I help coach organizations on where they should land based on their specific set of dependencies. But I want to say the quiet part loud: There are moral implications to each of the above as well.

When we geo-target by state with respect to privacy, we’re doing two things that don’t sit well with the values we claim to uphold:

  1. We’re saying that it’s okay for some of our audience to have fewer rights than others, based solely on where they live.

  2. We’re robbing ourselves of the chance to get ahead of the learning curve.

This creates a two-tier system of rights, one in which a donor or patient in California gets protections that someone in Missouri doesn’t. That’s not aligned with the spirit of our work.

And from a data perspective, it’s also shortsighted. Preserving your Google Analytics data is not a compelling reason to avoid universal consent banners. It just isn't. GA data is already noisy and unreliable. Preserving your ability to retarget people through paid advertising might still be justifiable -- for now -- but it’s not a foundation we can bank on in the years ahead.

Let’s Look at the Numbers

In 2020, just one state (California) had a comprehensive consumer privacy law.

As of 2025, 21 states have joined the club, including Colorado, Virginia, Texas, Florida, New Jersey, and Oregon, among others.

That’s a 2000% increase in just five years.

Now imagine where we’ll be in 2030.

The odds of privacy regulation expanding further, both in terms of geography and restrictiveness, are high. And if our operations are only compliant state-by-state, we’re increasing our surface area for risk. We're also exponentially increasing our costs, given the operational complexity of tracking legislation at the state level and asking our colleagues to properly update infrastructure every time a new legal requirement takes effect.

Running the Cost-Benefit Analysis

Let’s not base our privacy strategy solely on fear. Instead, we can start with a simple, pragmatic question:

Does the revenue we generate from cookie-based advertising and analytics outweigh the potential cost of litigation or reputational damage if we get this wrong? Does it outweigh the staff time to track legislation in this way?

Here’s what to look at:

  • Ad Revenue from Retargeting: What are we currently making from advertising strategies that rely on third-party data?

  • Operational Complexity: What’s the cost -- in labor, tech, and accuracy -- of trying to manage compliance on a state-by-state basis?

  • Legal and Reputational Risk: If our current approach fails in even one state, what could it cost us in penalties, staff time, or constituent trust?

We don’t have to go all in overnight. But we also can’t cling to a system that’s on its way out.

What It Means to Lead

As mission-first organizations, we’re often the first to push for justice and equity in the world around us. We should be willing to do the same in how we handle data, even if that means getting uncomfortable or changing long-held practices.

This isn’t just a legal or technical decision. It’s a values decision. One that says: we believe in equal rights for everyone, including when it comes to how we handle their data. And we’re willing to balance what’s practical with what’s right to build a better, more future-ready nonprofit sector.

--

If you're ready for support in bridging cross-team conversations about your approach to risk definition and mitigation on this topic, let's talk.
