#  Privacy Laws for Organizations: EU and US State Compliance 
[Image: map of the United States with 14 states highlighted in purple]

## Why Privacy Laws Matter to Your Organization

Your donors, volunteers, and community members trust you with their contact information, donation history, and communication preferences. Data privacy laws exist to protect that trust and make organizations accountable when something goes wrong.

The landscape has shifted. It's no longer enough to have a privacy policy buried on your website. Regulators are enforcing these laws. Organizations that mishandle personal data face fines, lawsuits, and damage to their reputation.

The good news: privacy compliance is achievable. It starts with understanding which laws apply to you and what they actually require.

## What Privacy Laws Apply to Your Organization?

Two laws matter most. If your nonprofit serves anyone in the EU, GDPR applies. If you serve anyone in California, CPRA applies. Many other states (Virginia, Colorado, Connecticut, Utah, Oregon, Delaware, Indiana, Kentucky, Rhode Island) have passed similar laws with comparable requirements.

**It's about where your supporters live.** If you receive donations from California residents, CPRA applies to you. If you email anyone in the EU, GDPR applies to you.

### GDPR (General Data Protection Regulation)

Applies to any organization processing data of EU residents. Effective May 25, 2018. Enforced across EU member states.

### CPRA (California Privacy Rights Act)

California's comprehensive privacy law applies to businesses processing data of California residents. It's stricter than most state laws and serves as a model for other states. Additional enforcement mechanisms and cybersecurity requirements became operational January 1, 2026.

### Other State Laws

Virginia, Colorado, Connecticut, Utah, Oregon, Delaware, Indiana, Kentucky, Rhode Island, Texas, and others have passed comprehensive privacy laws with similar core requirements (in effect or scheduled to go into effect as of June 2026). They differ in details, but a compliance program built for GDPR and CPRA will largely satisfy them all.

## What Do These Laws Actually Require?

The specifics vary by law, but they share common themes.

### Core Requirements

**Tell people what data you collect and why**

- Privacy policy must be clear and accessible
- You must explain your data practices in plain language
- Cookie policies must disclose tracking tools

**Get consent in the right way**

- GDPR: Opt-in required (you must ask before collecting data)
- CPRA and most US state laws: Opt-out allowed (you can collect unless someone says no)
- Some laws give consumers the right to have Global Privacy Control (GPC) browser signals honored as opt-out requests

**Honor data subject rights**

- Right to access: People can ask to see their personal data
- Right to delete: People can request their data be erased
- Right to correct: People can ask you to fix inaccurate information
- Right to portability: People can ask for their data in a portable format

## Two Tools to Help You Comply

Installing these modules and extensions doesn't make your site fully compliant on its own. But they handle the technical heavy lifting.

### 1. Klaro Consent Manager

**What it does:**

- Displays a consent banner so visitors can approve or decline cookies and external services
- Lets you group services by purpose (e.g., "Analytics," "Marketing," "Essential")
- Blocks external resources (Google Analytics, Facebook Pixel, etc.) until consent is given
- Stores consent decisions in a cookie so repeat visitors aren't re-prompted
- Fully translatable and customizable
- Widely used (19,000+ sites) and actively maintained
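As an added example (not code from the article, from Skvare, or from the Klaro project), the configuration below shows the behaviour described above: services grouped by purpose, nothing loaded until consent, and decisions persisted in a cookie. Field names follow Klaro's documented config object; the service names, cookie patterns, and the `allowedServices` helper are assumptions for illustration.

```javascript
// Added example, not from the article or the Klaro project.
// Minimal Klaro configuration: two optional third-party services and one
// strictly necessary one, grouped by purpose and blocked until consent.
const klaroConfig = {
  elementID: 'klaro',
  storageMethod: 'cookie',       // consent decisions persist in a cookie ...
  cookieName: 'klaro',           // ... so returning visitors are not re-prompted
  cookieExpiresAfterDays: 365,
  privacyPolicy: '/privacy-policy',
  default: false,                // nothing enabled before the visitor decides (opt-in)
  mustConsent: false,
  acceptAll: true,
  services: [
    {
      name: 'googleAnalytics',   // constructed service entry
      title: 'Google Analytics',
      purposes: ['analytics'],
      cookies: [/^_ga(_.*)?$/, /^_gid$/], // cookies removed when consent is withdrawn
      required: false,
      default: false,
    },
    {
      name: 'facebookPixel',     // constructed service entry
      title: 'Facebook Pixel',
      purposes: ['marketing'],
      cookies: [/^_fbp$/],
      required: false,
      default: false,
    },
    {
      name: 'session',           // constructed service entry
      title: 'Site session cookie',
      purposes: ['essential'],
      required: true,            // strictly necessary: always allowed, cannot be declined
    },
  ],
};

// In the page HTML the third-party script stays inert until Klaro enables it,
// e.g. <script type="text/plain" data-type="application/javascript"
//              data-name="googleAnalytics" src="...gtag.js"></script>

// Illustrative helper (not part of Klaro): given the JSON object Klaro keeps in
// its consent cookie, e.g. {"googleAnalytics":true,"facebookPixel":false},
// return the services that may load. Required services always load; anything
// without an explicit true stays blocked, matching `default: false` above.
function allowedServices(config, consentCookieJson) {
  const consents = consentCookieJson ? JSON.parse(consentCookieJson) : {};
  return config.services
    .filter((s) => s.required === true || consents[s.name] === true)
    .map((s) => s.name);
}
```

The cookie-value shape is what Klaro stores as of this writing; treat it as an assumption and check the installed version's documentation.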

[Image: consent popup with options for tracking personal data and cookies]

### 2. CiviCRM GDPR Extension

**What it does:**

- Tracks group subscription changes so you can see when people opted in or out
- Provides a GDPR dashboard for administrators
- Logs access to contact records (audit trail)
- Supports future features like communication preferences by medium (e.g., "email OK, but no phone calls")

[Image: CiviCRM contact record for John Doe with the GDPR tab selected, showing a summary of communication preferences and data policy acceptance]

## The Two-Step Anonymization Process

If someone requests deletion, remember: **personal data lives in two places**.

Drupal maintains user accounts. CiviCRM maintains contact records. You must handle both.

**Step 1:** Delete or disable the Drupal user account

**Step 2:** Anonymize the CiviCRM contact record (hide personal data, keep financial history)

If you skip one step, personal data remains in your system.

[Image: CiviCRM contact record showing all personal data anonymized]

Privacy compliance is achievable with the right tools and a clear plan. The two tools above handle the technical heavy lifting, but the real work is in your Privacy Policy, Cookie Policy, and how you actually handle data. Make sure those match what your site is doing.

If you want help building your compliance plan, [let us know](/lets-talk).

 

 

- [CiviCRM](/tags/civicrm)
- [Drupal](/tags/drupal)
- [Client Success](/tags/client-success)