
Solutions for Privacy Compliance

  • Website Features
  • By kristin

Privacy Compliance for California Nonprofits & Small Businesses


CCPA, CPRA, and When They Apply

The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), give California residents more control over how their personal data is collected and shared.

While many nonprofits and small businesses assume they’re automatically exempt, the key is understanding who the law applies to.

When the CCPA/CPRA Applies

According to the California Attorney General, the CCPA generally applies to for-profit businesses that do business in California and meet one or more of these thresholds (Cal. Civ. Code § 1798.140(d)(1)):

  • Annual gross revenues over $25 million
  • Buying, selling, or sharing the personal information of 100,000 or more California consumers, households, or devices per year
  • Deriving 50% or more of annual revenue from selling personal information

Do Nonprofits Have to Comply?

The Attorney General confirms that “the CCPA generally does not apply to nonprofit organizations or government agencies.” (FAQ 6)

However, a nonprofit may still be subject to these laws if it is controlled by, shares branding with, or shares consumer data systems with a for-profit entity that meets the thresholds above.

Even if you’re exempt, it’s smart to adopt the same privacy-transparency standards: they’re increasingly expected by funders, partners, and the public.


Why You Should Still Offer Privacy Transparency

Even if your organization isn’t legally required to comply, if your website uses analytics, donation tools, video embeds, or email platforms, you’re still participating in data collection.

Here’s why it matters:

  • Many vendors’ terms of service require you to disclose cookies and tracking.
  • Visitors increasingly expect to control their data.
  • Following privacy best practices builds trust and future-proofs your site.

Understanding Third-Party Data Obligations

Embedding third-party tools (like YouTube, Vimeo, Mailchimp, Google Analytics, or PayPal) does not automatically make your nonprofit a “business” under the CCPA, but it does mean your site is helping collect data that California law considers personal information — such as IP addresses, device IDs, and browsing behavior.

Even if you’re exempt, you still have contractual and transparency obligations under your vendors’ terms.
Most major platforms require that you:

  • Disclose their tracking in your privacy policy
  • Provide opt-out or consent options for users
  • Avoid loading non-essential scripts before consent where possible

Vendor references:

  • Vimeo Privacy Policy – Data Collected via Embedded Players
  • YouTube Cookies and Data Collection
  • Google Analytics Data & Privacy Overview
  • California Privacy Protection Agency FAQ – “Sharing” Definition

In short: using third-party tools doesn’t make you legally liable under the CCPA, but it does require honesty and control.


What Happens When You Use Embedded Videos or Third-Party Tools

Embedding videos, forms, or widgets can trigger data collection that you are indirectly responsible for disclosing.

Embedded Videos (YouTube, Vimeo)

Video players may collect IP addresses, device/browser data, and usage tracking across websites. See Vimeo’s Analytics FAQ for details.

Analytics + Embeds = Tracking

When you combine analytics, embeds, and social-sharing widgets, your site almost certainly uses cookies.

Under California law, that can count as “sharing” personal information. (Cal. Civ. Code § 1798.140(ad))

That’s why cookie consent isn’t just for e-commerce—it’s for transparency.


Best Practices: What the Third-Party Obligation Means for You

If your website uses any tool that collects personal data, you should:

  1. Provide clear notice via your privacy policy and cookie banner.
  2. Let users opt out of non-essential cookies and tracking before it begins, or as soon as possible afterward.
  3. List vendors (Google Analytics, Vimeo, Mailchimp, PayPal, etc.) and describe what each collects.

Even if you’re not a “business” under CCPA, these practices protect your organization and your users.


Our Recommendation for California Nonprofit & Small-Business Websites

Even if you’re not required by law, we strongly recommend having:

1. Cookie Banner / Consent Manager

  • Notify users of cookies or tracking
  • Explain their purpose (analytics, embeds, donations)
  • Provide a way to opt out of non-essential cookies

2. Up-to-Date Privacy Policy

  • Describe your use of cookies and third-party tools
  • List vendors and data collected/shared
  • Explain how users can disable cookies or tracking

Managing Privacy Policies: Free vs. Paid Options

Option 1: Termageddon (Recommended)

Termageddon (~$12/month) offers a more complete solution:

  • Auto-updating privacy and cookie policies as laws change
  • Integrated banner powered by Usercentrics technology
  • Guided onboarding to tailor for your tools and data flows
  • Less manual maintenance and better compliance coverage

Sign up: policies.termageddon.com/register

  • Use promo code MINNOW for 10% off your first payment
  • After you have signed up, schedule free onboarding with Termageddon: termageddon.com/onboarding/
  • We can help you integrate the policies and consent manager into your website

Option 2: CookieYes (Free Version)

  • Free cookie banner that can block scripts until consent.
  • Requires manual privacy-policy updates.
  • Free tier capped at 5,000 monthly page views (as of July 1, 2025).
  • Best for very small or low-traffic sites.

Sign up: https://www.cookieyes.com/

  • Create your banner: https://www.cookieyes.com/documentation/add-cookie-banner-to-website/
  • We can help you integrate the policies and consent manager into your website

Quick Privacy Compliance Checklist

  • Publish a clear, current privacy policy
  • Add a cookie banner with opt-out options
  • List all third-party vendors and data collected
  • Update disclosures annually – or use auto-updating Termageddon
  • Review vendor terms of service for privacy requirements – or leave that to Termageddon

Disclaimer

This post is for informational purposes only and is not legal advice.

However, based on our experience working with California nonprofits and small businesses, we recommend implementing:

  • A clear, up-to-date privacy policy and
  • A cookie consent banner that respects user choice

Doing both builds transparency, trust, and long-term resilience as privacy laws evolve.

 

Copyright © 2026 MIGHTYminnow Web Design & Development
