FundSvcs Community

Anita, a super presentation on this was made here (Chapel Hill) recently (February) at UNC's Festival of Legal Learning. The attached is a PDF of the presentation. Midway through you will find some really straight-forward language on what must be done to accommodate the law. You will also see nearing the end some details on exceptions to the law. John John H. Taylor Principal, John H. Taylor Consulting 2604 Sevier St. Durham, NC 27705 johntaylorconsulting@gmail.com 919.816.5903 (cell/text) Serving the Advancement Community Since 1987 On Tue, Mar 12, 2019 at 7:23 PM Anita Lawson <ALawson@laphil.org> wrote: > Hello Fundsvcs Colleagues, > > > > We are wondering if anyone has yet put in place a policy or protocol to > comply with donor requests to delete any personal information. This law > goes into effect 1/1/20 and hoping to learn from other orgs. > > > > Also, are any CA orgs applying different business rules to GDPR and this > CA Privacy Act? > > > > I did read the aasp Best Practices, which were quite helpful, and now I’d > like to know what has been implemented elsewhere. > > > > Any and all feedback would be most appreciated. > > > > > > *Anita Lawson* > > *Director, Development Operations* > > > > Los Angeles Philharmonic Association > > Walt Disney Concert Hall • Hollywood Bowl > > 151 South Grand Avenue, Los Angeles, CA 90012 > > alawson@laphil.org <sreardon@laphil.org> • T 213 972 0731 > > laphil.com • hollywoodbowl.com > > [image: cid:image001.jpg@01D44C10.63044940] > > > > > *Disclaimer* > > The information contained in this communication from the sender is > confidential. It is intended solely for use by the recipient and others > authorized to receive it. If you are not the recipient, you are hereby > notified that any disclosure, copying, distribution or taking action in > relation of the contents of this information is strictly prohibited and may > be unlawful. > > This email has been scanned for viruses and malware, and may have been > automatically archived by *Mimecast Ltd*, an innovator in Software as a > Service (SaaS) for business. Providing a *safer* and *more useful* place > for your human generated data. Specializing in; Security, archiving and > compliance. To find out more Click Here > <http://www.mimecast.com/products/>. >

Hello Fundsvcs Colleagues, We are wondering if anyone has yet put in place a policy or protocol to comply with donor requests to delete any personal information. This law goes into effect 1/1/20 and hoping to learn from other orgs. Also, are any CA orgs applying different business rules to GDPR and this CA Privacy Act? I did read the aasp Best Practices, which were quite helpful, and now I'd like to know what has been implemented elsewhere. Any and all feedback would be most appreciated. Anita Lawson Director, Development Operations Los Angeles Philharmonic Association Walt Disney Concert Hall * Hollywood Bowl 151 South Grand Avenue, Los Angeles, CA 90012 alawson@laphil.org<mailto:sreardon@laphil.org> * T 213 972 0731 laphil.com * hollywoodbowl.com [cid:image001.jpg@01D44C10.63044940] Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more visit the Mimecast website.

Thanks very much, John. This will be helpful. I would still appreciate hearing from anyone in CA who has created a policy or protocols for compliance. Cheers! Anita Anita Lawson Director, Development Operations Los Angeles Philharmonic Association Walt Disney Concert Hall • Hollywood Bowl 151 South Grand Avenue, Los Angeles, CA 90012 alawson@laphil.org<mailto:sreardon@laphil.org> • T 213 972 0731 laphil.com • hollywoodbowl.com [cid:image001.jpg@01D44C10.63044940] From: Advancement Services Discussion List <FUNDSVCS@LISTSERV.FUNDSVCS.ORG> On Behalf Of John Taylor Sent: Tuesday, March 12, 2019 4:33 PM To: FUNDSVCS@LISTSERV.FUNDSVCS.ORG Subject: Re: [FUNDSVCS] SB-1121 California Consumer Privacy Act of 2018 Anita, a super presentation on this was made here (Chapel Hill) recently (February) at UNC's Festival of Legal Learning. The attached is a PDF of the presentation. Midway through you will find some really straight-forward language on what must be done to accommodate the law. You will also see nearing the end some details on exceptions to the law. John John H. Taylor Principal, John H. Taylor Consulting 2604 Sevier St. Durham, NC 27705 johntaylorconsulting@gmail.com<mailto:johntaylorconsulting@gmail.com> 919.816.5903 (cell/text) Serving the Advancement Community Since 1987 On Tue, Mar 12, 2019 at 7:23 PM Anita Lawson <ALawson@laphil.org<mailto:ALawson@laphil.org>> wrote: Hello Fundsvcs Colleagues, We are wondering if anyone has yet put in place a policy or protocol to comply with donor requests to delete any personal information. This law goes into effect 1/1/20 and hoping to learn from other orgs. Also, are any CA orgs applying different business rules to GDPR and this CA Privacy Act? I did read the aasp Best Practices, which were quite helpful, and now I’d like to know what has been implemented elsewhere. Any and all feedback would be most appreciated. Anita Lawson Director, Development Operations Los Angeles Philharmonic Association Walt Disney Concert Hall • Hollywood Bowl 151 South Grand Avenue, Los Angeles, CA 90012 alawson@laphil.org<mailto:sreardon@laphil.org> • T 213 972 0731 laphil.com<http://laphil.com> • hollywoodbowl.com<http://hollywoodbowl.com> [cid:image001.jpg@01D44C10.63044940] Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more Click Here<http://www.mimecast.com/products/>. Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more visit the Mimecast website.

Good morning! I’m not a lawyer, but my understanding is that it could. Amendments and additional bills are ongoing (like trying to nail jello to a wall…), but this much is clear so far (from an excellent blog post on the subject: https://www.jdsupra.com/legalnews/20-questions-and-short-answers-on-the-39585/): “CCPA applies to you if you are a for-profit business that collects California consumers’ personal information, determines the purposes and means of processing California consumers’ personal information, does business in the state of California, AND meets or exceeds any one of the following thresholds: (a) $25,000,000 in annual gross revenues (b) buy, sell, share, and/or receive the personal information of at least 50,000 California consumers, households or devices, per year (c) 50 percent of annual revenue comes from selling California consumers’ personal information CCPA also applies to you if you control or are controlled by an entity that meets or exceeds one of the above criteria and shares common branding. Nonprofits are not required to comply with the CCPA. However, if you are a non-profit organization that controls or is controlled by a for-profit entity that qualifies as a “business” and share common branding, or if you receive personal information from a business via a “sale” – you could be subject to CCPA.” So, I think universities (unless for-profit) will be off the hook for now, but I’m presuming by this point all universities have put measures and policies in place to handle GDPR, and many are labeling CCPA as “GDPR lite.” So, in theory, Emory should be well prepared. But, the CCPA also includes technology providers, regardless of the type of customer. So, for example, a university’s learning management system collects a massive volume of personal information on a university’s student body. I’ve read the suggestion (and I agree) that universities and nonprofits should inquire of their vendors whether or not they are compliant with CCPA and ask for proof of such compliance. In advancement, this should also be a requirement for any cloud services (SaaS products) you utilize. Again, not a lawyer, L Lori Hood Lawson CEO, Co-Founder WorkingPhilanthropy.com LLC 850.294.0602 <mailto:Lori@WorkingPhilanthropy.com> Lori@WorkingPhilanthropy.com <http://www.linkedin.com/in/hoodlawson> http://www.linkedin.com/in/hoodlawson <http://twitter.com/WorkingLori> http://twitter.com/WorkingLori <http://www.workingphilanthropy.com/> Confidentiality Statement: The information contained in this message may be privileged and/or confidential and protected from disclosure. If the reader of this message is not the intended recipient, you are hereby notified any dissemination, distribution, or copy of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this message and deleting the material from any computer, tablet, smart phone, or other device. Thank you! From: Advancement Services Discussion List <FUNDSVCS@LISTSERV.FUNDSVCS.ORG> On Behalf Of Greenbaum, Josh S Sent: Wednesday, March 20, 2019 9:00 AM To: FUNDSVCS@LISTSERV.FUNDSVCS.ORG Subject: Re: [FUNDSVCS] SB-1121 California Consumer Privacy Act of 2018 I’m back from a few days off and catching up. In speaking with our Director of Privacy, I learned that she isn’t as concerned about this since we are a not for profit entity. My boss and I aren’t so convinced, especially when I see so much chatter here. Is anyone else getting ambivalent responses from inside counsel? -jsg _____________________ Joshua S. Greenbaum 09B, Executive Director Advancement Information Services Emory University, Advancement & Alumni Engagement 1762 Clifton Road, Office 1456, Atlanta, GA 30322 Office: (404) 712-2020, Fax: (404) 727-4876 josh.greenbaum@emory.edu <mailto:josh.greenbaum@emory.edu> From: Advancement Services Discussion List <FUNDSVCS@LISTSERV.FUNDSVCS.ORG <mailto:FUNDSVCS@LISTSERV.FUNDSVCS.ORG> > On Behalf Of John Taylor Sent: Tuesday, March 12, 2019 7:33 PM To: FUNDSVCS@LISTSERV.FUNDSVCS.ORG <mailto:FUNDSVCS@LISTSERV.FUNDSVCS.ORG> Subject: Re: [FUNDSVCS] SB-1121 California Consumer Privacy Act of 2018 Anita, a super presentation on this was made here (Chapel Hill) recently (February) at UNC's Festival of Legal Learning. The attached is a PDF of the presentation. Midway through you will find some really straight-forward language on what must be done to accommodate the law. You will also see nearing the end some details on exceptions to the law. John John H. Taylor Principal, John H. Taylor Consulting 2604 Sevier St. Durham, NC 27705 johntaylorconsulting@gmail.com <mailto:johntaylorconsulting@gmail.com> 919.816.5903 (cell/text) Serving the Advancement Community Since 1987 On Tue, Mar 12, 2019 at 7:23 PM Anita Lawson <ALawson@laphil.org <mailto:ALawson@laphil.org> > wrote: Hello Fundsvcs Colleagues, We are wondering if anyone has yet put in place a policy or protocol to comply with donor requests to delete any personal information. This law goes into effect 1/1/20 and hoping to learn from other orgs. Also, are any CA orgs applying different business rules to GDPR and this CA Privacy Act? I did read the aasp Best Practices, which were quite helpful, and now I’d like to know what has been implemented elsewhere. Any and all feedback would be most appreciated. Anita Lawson Director, Development Operations Los Angeles Philharmonic Association Walt Disney Concert Hall • Hollywood Bowl 151 South Grand Avenue, Los Angeles, CA 90012 alawson@laphil.org <mailto:sreardon@laphil.org> • T 213 972 0731 laphil.com <http://laphil.com> • hollywoodbowl.com <http://hollywoodbowl.com> Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more Click Here <http://www.mimecast.com/products/> . _____ This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).

I’m back from a few days off and catching up. In speaking with our Director of Privacy, I learned that she isn’t as concerned about this since we are a not for profit entity. My boss and I aren’t so convinced, especially when I see so much chatter here. Is anyone else getting ambivalent responses from inside counsel? -jsg _____________________ Joshua S. Greenbaum 09B, Executive Director Advancement Information Services Emory University, Advancement & Alumni Engagement 1762 Clifton Road, Office 1456, Atlanta, GA 30322 Office: (404) 712-2020, Fax: (404) 727-4876 josh.greenbaum@emory.edu<mailto:josh.greenbaum@emory.edu> From: Advancement Services Discussion List <FUNDSVCS@LISTSERV.FUNDSVCS.ORG> On Behalf Of John Taylor Sent: Tuesday, March 12, 2019 7:33 PM To: FUNDSVCS@LISTSERV.FUNDSVCS.ORG Subject: Re: [FUNDSVCS] SB-1121 California Consumer Privacy Act of 2018 Anita, a super presentation on this was made here (Chapel Hill) recently (February) at UNC's Festival of Legal Learning. The attached is a PDF of the presentation. Midway through you will find some really straight-forward language on what must be done to accommodate the law. You will also see nearing the end some details on exceptions to the law. John John H. Taylor Principal, John H. Taylor Consulting 2604 Sevier St. Durham, NC 27705 johntaylorconsulting@gmail.com<mailto:johntaylorconsulting@gmail.com> 919.816.5903 (cell/text) Serving the Advancement Community Since 1987 On Tue, Mar 12, 2019 at 7:23 PM Anita Lawson <ALawson@laphil.org<mailto:ALawson@laphil.org>> wrote: Hello Fundsvcs Colleagues, We are wondering if anyone has yet put in place a policy or protocol to comply with donor requests to delete any personal information. This law goes into effect 1/1/20 and hoping to learn from other orgs. Also, are any CA orgs applying different business rules to GDPR and this CA Privacy Act? I did read the aasp Best Practices, which were quite helpful, and now I’d like to know what has been implemented elsewhere. Any and all feedback would be most appreciated. Anita Lawson Director, Development Operations Los Angeles Philharmonic Association Walt Disney Concert Hall • Hollywood Bowl 151 South Grand Avenue, Los Angeles, CA 90012 alawson@laphil.org<mailto:sreardon@laphil.org> • T 213 972 0731 laphil.com<http://laphil.com> • hollywoodbowl.com<http://hollywoodbowl.com> [cid:image001.jpg@01D44C10.63044940] Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more Click Here<http://www.mimecast.com/products/>. ________________________________ This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).

All feedback about how these privacy laws are being interpreted is certainly appreciated. I would still appreciate specific insight into actual policy documents regarding compliance, particularly regarding requests to forget. Thanks again! Anita Anita Lawson Director, Development Operations Los Angeles Philharmonic Association Walt Disney Concert Hall • Hollywood Bowl 151 South Grand Avenue, Los Angeles, CA 90012 alawson@laphil.org<mailto:sreardon@laphil.org> • T 213 972 0731 laphil.com • hollywoodbowl.com [cid:image001.jpg@01D44C10.63044940] From: Advancement Services Discussion List <FUNDSVCS@LISTSERV.FUNDSVCS.ORG> On Behalf Of Lori Hood Lawson Sent: Wednesday, March 20, 2019 6:31 AM To: FUNDSVCS@LISTSERV.FUNDSVCS.ORG Subject: Re: [FUNDSVCS] SB-1121 California Consumer Privacy Act of 2018 Good morning! I’m not a lawyer, but my understanding is that it could. Amendments and additional bills are ongoing (like trying to nail jello to a wall…), but this much is clear so far (from an excellent blog post on the subject: https://www.jdsupra.com/legalnews/20-questions-and-short-answers-on-the-39585/<https://www.jdsupra.com/legalnews/20-questions-and-short-answers-on-the-39585/>): “CCPA applies to you if you are a for-profit business that collects California consumers’ personal information, determines the purposes and means of processing California consumers’ personal information, does business in the state of California, AND meets or exceeds any one of the following thresholds: (a) $25,000,000 in annual gross revenues (b) buy, sell, share, and/or receive the personal information of at least 50,000 California consumers, households or devices, per year (c) 50 percent of annual revenue comes from selling California consumers’ personal information CCPA also applies to you if you control or are controlled by an entity that meets or exceeds one of the above criteria and shares common branding. Nonprofits are not required to comply with the CCPA. However, if you are a non-profit organization that controls or is controlled by a for-profit entity that qualifies as a “business” and share common branding, or if you receive personal information from a business via a “sale” – you could be subject to CCPA.” So, I think universities (unless for-profit) will be off the hook for now, but I’m presuming by this point all universities have put measures and policies in place to handle GDPR, and many are labeling CCPA as “GDPR lite.” So, in theory, Emory should be well prepared. But, the CCPA also includes technology providers, regardless of the type of customer. So, for example, a university’s learning management system collects a massive volume of personal information on a university’s student body. I’ve read the suggestion (and I agree) that universities and nonprofits should inquire of their vendors whether or not they are compliant with CCPA and ask for proof of such compliance. In advancement, this should also be a requirement for any cloud services (SaaS products) you utilize. Again, not a lawyer, L Lori Hood Lawson CEO, Co-Founder WorkingPhilanthropy.com LLC 850.294.0602 Lori@WorkingPhilanthropy.com<mailto:Lori@WorkingPhilanthropy.com> http://www.linkedin.com/in/hoodlawson<http://www.linkedin.com/in/hoodlawson> http://twitter.com/WorkingLori<http://twitter.com/WorkingLori> [wp_200]<http://www.workingphilanthropy.com/> From: Advancement Services Discussion List <FUNDSVCS@LISTSERV.FUNDSVCS.ORG<mailto:FUNDSVCS@LISTSERV.FUNDSVCS.ORG>> On Behalf Of Greenbaum, Josh S Sent: Wednesday, March 20, 2019 9:00 AM To: FUNDSVCS@LISTSERV.FUNDSVCS.ORG<mailto:FUNDSVCS@LISTSERV.FUNDSVCS.ORG> Subject: Re: [FUNDSVCS] SB-1121 California Consumer Privacy Act of 2018 I’m back from a few days off and catching up. In speaking with our Director of Privacy, I learned that she isn’t as concerned about this since we are a not for profit entity. My boss and I aren’t so convinced, especially when I see so much chatter here. Is anyone else getting ambivalent responses from inside counsel? -jsg _____________________ Joshua S. Greenbaum 09B, Executive Director Advancement Information Services Emory University, Advancement & Alumni Engagement 1762 Clifton Road, Office 1456, Atlanta, GA 30322 Office: (404) 712-2020, Fax: (404) 727-4876 josh.greenbaum@emory.edu<mailto:josh.greenbaum@emory.edu> From: Advancement Services Discussion List <FUNDSVCS@LISTSERV.FUNDSVCS.ORG<mailto:FUNDSVCS@LISTSERV.FUNDSVCS.ORG>> On Behalf Of John Taylor Sent: Tuesday, March 12, 2019 7:33 PM To: FUNDSVCS@LISTSERV.FUNDSVCS.ORG<mailto:FUNDSVCS@LISTSERV.FUNDSVCS.ORG> Subject: Re: [FUNDSVCS] SB-1121 California Consumer Privacy Act of 2018 Anita, a super presentation on this was made here (Chapel Hill) recently (February) at UNC's Festival of Legal Learning. The attached is a PDF of the presentation. Midway through you will find some really straight-forward language on what must be done to accommodate the law. You will also see nearing the end some details on exceptions to the law. John John H. Taylor Principal, John H. Taylor Consulting 2604 Sevier St. Durham, NC 27705 johntaylorconsulting@gmail.com<mailto:johntaylorconsulting@gmail.com> 919.816.5903 (cell/text) Serving the Advancement Community Since 1987 On Tue, Mar 12, 2019 at 7:23 PM Anita Lawson <ALawson@laphil.org<mailto:ALawson@laphil.org>> wrote: Hello Fundsvcs Colleagues, We are wondering if anyone has yet put in place a policy or protocol to comply with donor requests to delete any personal information. This law goes into effect 1/1/20 and hoping to learn from other orgs. Also, are any CA orgs applying different business rules to GDPR and this CA Privacy Act? I did read the aasp Best Practices, which were quite helpful, and now I’d like to know what has been implemented elsewhere. Any and all feedback would be most appreciated. Anita Lawson Director, Development Operations Los Angeles Philharmonic Association Walt Disney Concert Hall • Hollywood Bowl 151 South Grand Avenue, Los Angeles, CA 90012 alawson@laphil.org<mailto:sreardon@laphil.org> • T 213 972 0731 laphil.com<http://laphil.com> • hollywoodbowl.com<http://hollywoodbowl.com> [cid:image001.jpg@01D44C10.63044940] Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more Click Here<http://www.mimecast.com/products/>. ________________________________ This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments). Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more visit the Mimecast website.