William & Mary Law Review


Sarah Fisher


This Note argues that Congress should use its Commerce Clause power to pass a consumer data privacy measure that (1) preempts state law and (2) explicitly exempts 501(c)(3) organizations from compliance. Such preemptive action with a narrow 501(c)(3) carve-out would avoid the potential harm of exempting too broad a group of nonprofit entities while ensuring charitable organizations’ continued existence, would be more protective of both the individual privacy right and 501(c)(3) existence than merely adjusting the revenue dollar threshold at which entities must comply, and would properly balance the individual right to control personal data with the societal good served by the existence of 501(c)(3) charitable organizations.

Part I of this Note elaborates on the relationship between 501(c)(3) organizations and personal data and expands on the compliance difficulties faced by (and the collective societal good of) (c)(3) groups. Part II reviews the four major existing privacy law measures—the GDPR, the CCPA, the CPA, and the VCDPA—and analyzes the scope of each measure’s reach as it pertains to 501(c)(3) charities. Part III of this Note makes the case for federal preemptory action in a sweeping consumer privacy rights measure that trumps the existing patchwork of state law and exempts 501(c)(3) organizations from compliance. Finally, Part IV of this Note considers and responds to potential Tenth Amendment and state expertise counterarguments that could be raised in opposition to federal preemptory action in this arena.

This abstract has been taken from the author's introduction.