What Associations Need to Know About State Data Privacy Laws in 2026

July 03, 2026

If you run a membership-driven association, you might assume data privacy laws don't apply to your organization because you're a nonprofit. That assumption is wrong. Most state privacy laws regulate data handling based on volume and revenue thresholds, not tax status. If your association collects member information and has a website that draws traffic from California, Virginia, Colorado, Connecticut, or Utah, you likely fall under multiple state privacy regulations right now.

Which State Privacy Laws Actually Apply to Your Association

California Consumer Privacy Act (CPRA): A state law requiring businesses and organizations that process data of 100,000 or more California residents annually to provide consumer rights including data access, deletion, and opt-out.
Your association triggers compliance obligations not by being headquartered in a regulated state, but by processing data of residents in those states — and the thresholds are lower than most association leaders expect.

States With Active Privacy Law Enforcement in 2026

Five states are actively enforcing comprehensive privacy laws against organizations of all sizes:

  • California (CPRA): Applies when you process data of 100,000 or more California consumers per year or derive 50% of revenue from selling consumer data
  • Virginia (CDPA): Applies when you control or process data of 100,000 or more Virginia residents or 25,000+ residents and derive 50% of revenue from data sales
  • Colorado (CPA): Applies when you control or process data of 100,000 or more Colorado residents or 25,000+ residents and derive revenue from data sales
  • Connecticut (CTDPA): Applies when you control or process data of 100,000 or more Connecticut residents or 25,000+ residents and derive 25% of revenue from data sales
  • Utah (UCPA): Applies when you control or process data of 100,000 or more Utah residents or 25,000+ residents and derive revenue from data sales

Why Associations Cross Compliance Thresholds Without Realizing It

A trade association with 5,000 members that collects email addresses, employer information, and payment data likely crosses California's 100,000 consumer threshold when counting both members and website visitors.

Consumer threshold: The number of state residents whose personal information an organization processes annually, which determines whether state privacy laws apply.
State privacy laws count every unique individual whose data you process — not just paying members.

Your website analytics platform, event registration system, and email marketing tool all process visitor and user data. If your association hosts an annual conference that attracts 3,000 attendees, runs a public-facing website with Google Analytics 4 tracking 50,000 unique visitors per year, and maintains an email list of 8,000 contacts, you're processing data of far more individuals than your membership roster suggests.

The Member Data Your Association Collects Is Probably More Than You Think

Most associations believe they only collect basic contact information, but membership platforms, event software, and website analytics automatically capture dozens of personal data points that qualify as regulated information under state privacy laws. Understanding the full scope of data collection is the first step toward compliance.

Membership Application Data

Personal information under state privacy laws: Any information that identifies, relates to, describes, or can be linked to a particular individual or household, including names, email addresses, employment information, and online identifiers.
When a member joins your association, the application form typically collects name, email address, employer name, job title, work address, phone number, and sometimes demographic information like industry sector or years of experience. All of this qualifies as personal information under California CPRA, Virginia CDPA, and similar state laws.

Professional associations often collect detailed employment histories, certification numbers, and license information that members expect to remain private. These data points create additional compliance obligations because they're considered sensitive personal information in some state frameworks.

Event Registration and Behavioral Data

Event registration systems capture more than just attendee names. When a member registers for your annual conference through a platform like Wild Apricot or MemberClicks, the system records:

  • Dietary restrictions and accessibility needs: Sensitive health-related information that requires heightened protection
  • Session preferences and attendance tracking: Behavioral data showing which topics interest each member
  • Travel and lodging details: Location data that may reveal personal circumstances
  • Payment information: Credit card details, billing addresses, and transaction histories

Website Analytics and Third-Party Tracking

An association that uses Zoom for webinars is collecting IP addresses, device IDs, and behavioral data that must be disclosed in privacy policies.

Google Analytics 4 (GA4): A web analytics platform that tracks website visitor behavior, device information, location data, and engagement patterns — all of which constitute personal information under state privacy laws.

Most associations use Google Analytics 4 to monitor website traffic. GA4 automatically collects IP addresses, browser types, operating systems, geographic location data, page view sequences, and time-on-page metrics. These data points are personal information under state privacy laws. If you're running paid advertising through Google Ads or Facebook, you're also sharing member and visitor data with third-party advertising platforms — a practice that triggers opt-out rights under most state laws.

Email Marketing Platform Data

Platforms like Constant Contact and Mailchimp don't just store email addresses. They track:

  • Open rates and click patterns: Which emails each member opens and which links they click
  • Device and location data: Whether emails are opened on mobile or desktop, and from which geographic region
  • Engagement scoring: Automated behavioral profiles that categorize members as highly engaged, at-risk, or inactive
  • A/B test participation: Records of which email variants each member received

These platforms may also provide security controls that protect member data, but the data collection itself creates compliance obligations regardless of how well that data is secured.

Donation and Payment Processing Records

Payment processors like Stripe retain full transaction histories including card numbers (partially masked), billing addresses, purchase amounts, and timestamps.

Salesforce Nonprofit Cloud: A customer relationship management platform designed for nonprofits that integrates donor management, membership tracking, event registration, and marketing automation — automatically capturing dozens of personal data points across all interactions.
If your association uses an integrated platform like Salesforce Nonprofit Cloud, donation data is linked to member profiles, event attendance, email engagement, and website behavior — creating a comprehensive behavioral record that state privacy laws allow individuals to access, correct, or delete.

The Four Rights Your Members Can Now Demand (And What Happens If You Can't Deliver)

State privacy laws grant individuals four core rights: the right to know what data you hold about them, the right to delete their data, the right to correct inaccurate information, and the right to opt out of data sales or targeted advertising. Associations must respond to these requests within 45 days, but most membership systems aren't built to fulfill them.

Right to Know: Data Access Requests

Data access request: A formal demand from an individual requiring an organization to disclose all personal information it has collected, the sources of that information, how it's used, and whether it's shared with third parties.
When a member submits a data access request, you must provide a complete inventory of every data point you hold about them across all systems. This includes membership records, event registrations, email engagement data, website analytics tied to their account, donation histories, and any third-party data appended to their profile.

The challenge: a member submits an access request, but their data lives in your association management system (AMS), your email platform, your event software, your payment processor, and your accounting system. Each platform stores different subsets of their information, and none of them talk to each other automatically.

Right to Delete: Erasure Requests

A member emails your office asking you to delete all their personal information. You have 45 days to comply. Your membership database can remove their profile, but what about:

  • Email marketing platforms: Constant Contact or Mailchimp still have their email address, engagement history, and behavioral tags
  • Event registration systems: Past conference attendance records, session preferences, and dietary information
  • Payment processors: Stripe retains transaction records for fraud prevention and tax compliance
  • Accounting software: QuickBooks stores invoices and payment histories
  • Website plugins: WordPress membership plugins, comment systems, and analytics tools cache user data independently

An association receives a deletion request and has 45 days to comply, but their website developer is unreachable and member data is embedded in three different WordPress plugins with no documented data flow. The association office manager spends 12 hours manually searching systems and still isn't certain they've found everything. This is an enforcement risk.

Right to Correct: Data Accuracy Requests

Data correction request: A demand from an individual requiring an organization to update or fix inaccurate personal information in its records, ensuring all systems reflect the corrected data.
A member notices your system lists their old employer and an outdated mailing address. They submit a correction request. State laws require you to update the information across all systems where it appears and notify any third parties with whom you've shared the incorrect data.

Most associations update the AMS but forget to sync the corrected data to integrated platforms. The member continues receiving mail at the wrong address because the email platform, event system, and accounting software still have the old information.
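The access, deletion and correction requests described above all fail for the same reason: nobody has written down which system holds which data. As an added illustration (not code from this article or from any vendor it names), the following Python script models a documented data map and turns each request type into a per-system plan. The systems and data categories are constructed to mirror the ones the article mentions; the retention exceptions for the payment processor and accounting software, and the 45-day response window, are taken from the article's own descriptions and are assumptions for the purpose of the example.

```python
"""Cross-system data-subject-request planner for an association.

Added example; not code from the original article or from any vendor named
in it. The data map below is constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 45  # response deadline cited in the article


@dataclass
class SystemRecord:
    name: str               # system in the association's data map
    categories: tuple       # personal-data categories the system holds
    retention_basis: str = ""   # non-empty if a legal duty prevents erasure
    third_party: bool = False   # data leaves the association (ad/email platforms)


# Constructed data map modelled on the systems the article names (assumption).
DATA_MAP = (
    SystemRecord("AMS", ("name", "email", "employer", "mailing_address", "job_title")),
    SystemRecord("Mailchimp", ("email", "open_clicks", "engagement_score", "device_location"),
                 third_party=True),
    SystemRecord("Event registration", ("name", "email", "dietary_needs",
                                        "session_preferences", "lodging")),
    SystemRecord("Stripe", ("name", "billing_address", "masked_card", "transactions"),
                 retention_basis="fraud prevention and tax records"),
    SystemRecord("QuickBooks", ("name", "mailing_address", "invoices"),
                 retention_basis="tax records"),
    SystemRecord("WordPress plugins", ("email", "comments", "analytics_client_id")),
)


def access_inventory(data_map=DATA_MAP):
    """Right to know: every category held, grouped by system, plus whether it is shared."""
    return {
        s.name: {"categories": list(s.categories), "shared_with_third_party": s.third_party}
        for s in data_map
    }


def deletion_plan(data_map=DATA_MAP):
    """Right to delete: one action per system. Systems with a retention duty are
    not erased; they are flagged so the response can state the exception."""
    plan = {}
    for s in data_map:
        if s.retention_basis:
            plan[s.name] = f"retain (restricted processing): {s.retention_basis}"
        else:
            plan[s.name] = "erase and confirm"
    return plan


def correction_plan(field_name, data_map=DATA_MAP):
    """Right to correct: every system holding the field must be updated, and any
    third party that received it must be notified of the correction."""
    holders = [s.name for s in data_map if field_name in s.categories]
    notify = [s.name for s in data_map if field_name in s.categories and s.third_party]
    return {"update": holders, "notify_third_parties": notify}


def response_deadline(received_iso: str) -> str:
    """Last day to respond, as an ISO date, given the ISO date the request arrived."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=RESPONSE_WINDOW_DAYS)).isoformat()


def coverage_gaps(completed, data_map=DATA_MAP):
    """Systems in the data map that the request log has not yet marked as done."""
    done = set(completed)
    return [s.name for s in data_map if s.name not in done]


if __name__ == "__main__":
    # Walk one deletion request received on the article's publication date.
    print("deadline:", response_deadline("2026-07-03"))
    for system, action in deletion_plan().items():
        print(f"{system}: {action}")
    print("still open:", coverage_gaps(["AMS", "Mailchimp"]))
```

The point of `coverage_gaps` is the scenario the article describes: a request is only complete when every system in the data map has been actioned, so the checklist is derived from the map rather than from memory, and a system nobody remembered (the WordPress plugins in this map) shows up as an open item instead of being silently missed.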

Right to Opt Out: Sales and Targeting Restrictions

Members can demand that you stop selling their data or using it for targeted advertising. If your association shares member email lists with sponsors, sells exhibitor access to attendee data, or runs retargeting ads through Facebook or Google, you must honor opt-out requests. This means implementing preference centers and suppression lists across all marketing platforms — a technical challenge when data is spread across multiple tools.

Enforcement Risk: Fines Start at $2,500 Per Violation

Virginia, Colorado, and Connecticut impose civil penalties starting at $2,500 per violation.

State attorney general enforcement: The process by which state attorneys general investigate privacy law violations and impose fines, injunctions, or corrective action plans on non-compliant organizations regardless of size or nonprofit status.
State attorneys general are actively enforcing privacy laws against small organizations, not just large corporations. A single unfulfilled deletion request can trigger an investigation, and repeated violations can result in cumulative fines that devastate association budgets.

When State Laws Will Actually Apply to Your Association

With 20+ state laws now passed or pending, here's the practical reality of when you need to comply:

You're Clearly Required to Comply If:

  • You have members or website visitors in California, Virginia, Colorado, Connecticut, Utah, Iowa, Montana, Oregon, Texas, Delaware, Indiana, Tennessee, Florida, or New Jersey (the states with active laws)
  • Your association processes personal data of residents in those states
  • You meet revenue or data volume thresholds (most associations with 1,000+ members meet these thresholds)

You Can Probably Ignore State Laws (For Now) If:

  • You're a very small, local association (under 500 members) operating entirely in a state without privacy laws
  • You collect almost no personal data beyond basic contact information
  • You don't have a website with tracking or email marketing

The reality is that most professional and trade associations operate nationally or have members across multiple states. Even if your physical office is in a state without privacy laws, you likely have members in states that do — which means compliance requirements apply.

If you fall into one of those categories and you need help examining your data collection practices and getting everything organized, schedule a Discovery Call with Windstar Technologies today.