Hi, everyone. We're so glad to have you with us today. We've got a nice large group joining us. So we'll just give folks a moment to come in. As you are joining us, though, we'd love to know who you are and where you're here from. So take a moment and just add your name and your institution and where you're joining from in the chat. Oh, I love it when they all pop up really fast. Great, nice to see so many folks from all over. Thank you again for joining us today. Well, as folks are coming in, we have a great hour planned for you. So without further ado, since we are at the hour, I am going to go ahead and kick things off. My name is Jenny Cook-Smith and I'm our Senior Director of Case Insights Solutions. And I'll tell you about case insights in just one moment. And I will also have my esteemed colleagues who you'll be primarily hearing from today introduce themselves and tell you a little bit about why they're here. But first one housekeeping item, this is recorded. We will make sure you get the slides. You'll also have a link to access this at any point. And in terms of communicating with us, because we absolutely hope you came with questions. We ask that questions for us, please put that in the Q&A. And as you have comments for one another, or if you want to respond to something that was said, let's use the chat as a place to keep this interactive. And speaking of interactivity, we'll also have a couple of polls today. So we wanna learn a little bit about, where you're coming from and why you're here. So let's go ahead and get started. The way we've structured this today is, really this is the first in a three-part series. And today is sort of this idea of, let's think about this from a how we got here, or some of the awareness aspects around why it's so important to take this time out and have this conversation around data privacy. Webinar two will be, and when you signed up, you should have actually been able to sign up for all three of those webinars. Webinar two, which will happen in the beginning of August, we'll talk about strategies to meet the data privacy challenge. And we're gonna talk about a bit of that balance between what do we legally have to do, and how do we still do our jobs as advancement professionals. And we've invited Jen Sarasa from University of Illinois Foundation, who's their chief legal counsel, to take part in that discussion with Elise Walnut. And then webinar three, Mark Koenig will be coming back to us along with Elise as well. And we're really gonna get into the weeds. And if we think about the first two as sort of setting the stage, we're gonna go into some real examples and case studies as we look in some of those risk areas. So without further ado though, let's go ahead and jump into webinar one. I did want to spend just a moment and orient the group to what we mean when we say Case Insights. So the Case Insights team is a division within case. And we are really focused on all things data and standards and research. And I would say that data privacy is sort of a Venn diagram that's important as we look at all parts of these areas. Just so you're aware, our main objective is to help you as advancement professionals have the metrics you need across an integrated advancement office. And so you can see that means metrics around philanthropy and alumni engagement. We've just released a framework to start to look at that idea and measuring marketing and communication some more to come. And then those two other areas that are so crucial as we're managing and understanding those outcomes of the work and that's understanding the impact of your DEIB initiatives, whether you call it that or not, that idea that you're really looking to both have activities that are inclusive for staff, alumni and constituencies, and then understanding the impacts and campaigns on all of these areas. But without further ado, we are really proud to bring to you our three amazing presenters and really experts in this space. And I'm gonna kick it off to them to introduce themselves. Thanks, Jenny. So I'll start things off. I'm Elise Walnut. I run a consulting company called Agility Lab. And I spent 16 years in-house at various nonprofits doing my consultancy. And I really got into the space based on watching the results on the fundraising side and how things were shifting as a result of data privacy, both from the legislative perspective in terms of what we needed to shift in our obligations to let people know their opt-in options or not, as well as the trickle-down impact from big groups who were impacting our ability to get in front of audiences, whether they're new or existing, and how that's really shifting the dynamic. So I've gotten to work with Mark at Oregon State University Foundation, and I'll pass to him next, as well as a few other really great groups. And I'm excited to be here. I'm Mark Koenig. I'm the VP for Technology and the Chief Innovation Officer. And about two years ago, when Oregon was coming up with their data policy, we still affectionately call it Senate Bill 519, as opposed to the Oregon Consumer Protection Act, which is now signed into law and went into effect on July 1st this year. We still have a bit of a window as a nonprofit for another year, as we then have to comply in a year from now. And honestly, I wasn't thinking of necessarily compliance, but as we think back to our GDPR experience, where I had to ask 1,000 individuals that we had in our system, whether or not they wanted to continue to get the messaging and everything, and I needed opt-in, not, yeah, they didn't respond, so we're gonna keep doing it. I needed opt-in. I had 50 out of 1,000 people afterwards. And I was thinking, oh, dear goodness, if we're going to enact a legislation similar to GDPR with different rules, how am I going, how are we going to deal with this as an organization? Because I lost a lot of our European connections because of GDPR. And so, of course, this immediately rose to our interest. Now, I needed to find some expertise out in the market. That's how Elise and I got together, by the way, too. Great, thanks, Mark and Elise and Jenny. It's great to present with all of you. It's great to be with all of you. And it's great to see so many folks from, I saw a bunch of independent schools, a lot of community colleges, a lot of college university foundations, a lot of universities. So, great to have so many of you from so many different types of institutions joining us. So, I'm Brian Flavin. I'm Vice President of Strategic Partnerships at CASE. And part of my role, part of my division is focused on global advocacy and all of our work up on Capitol Hill, but also around the world, representing members. And obviously, data privacy, starting with GDPR, which really set the standard, and now trickling down and going around the world in other various fashions, including here in the States, has now started to gain steam in the issue of data privacy and data privacy legislation continues to be a high priority for both state legislatures, but also up on Capitol Hill. And we'll talk about that in a little bit, but just such a pleasure to be with you all today. Thanks. And it's always nice to know who we have. So, as Brian said, I've also been scanning to see we've got a nice variety of institutions. But in terms of roles, we'd love to know where you're coming from. And just as a note, we bucketed some together, so it doesn't mean you have to do alumni relations and annual giving, but if one of those matches what you do, that's where we'd like you to put your note. Same with major and planned giving. And then if it's other, I'm just always curious about who doesn't fit in those categories, please go ahead and just throw that in the chat. So no surprise that we're seeing a lot of you in the advancement services operations realm. That's excellent. I'm also thrilled to see several of you that's roles. Really, you're a leader that's overseeing other functional areas because one of the things we brainstormed in putting this together is that this is really something that affects all of us, not just those of you that have services or operations in your title. So nice to see sort of a variety throughout. And Brenda, information technology. Excellent. Yes, very nice to see IT represented as well. So I think Leah's gonna go ahead and post the results. And our colleague, Leah, is our fantastic behind the scenes colleague with the Insights team, so she'll be loading our polls today. And one more poll that we're gonna make you take a moment and think about, but hopefully you signed up for this webinar for a reason. We've got an open-ended question that we're giving you the ability to weigh in on, which is when you think about data privacy, what's an example of something that keeps you up at night? We're gonna see as we get some of those in, then we'll post those out so we can see those responses. And part of the way we've structured this today is Elise is going to share several salient points with you. And then what we're gonna do is have a panel discussion. And this is something that I think is important that we'll ask our panelists to also weigh in on, on this notation of what are the things that are keeping us up at night? So we're getting to where it's starting to slow down. Go ahead and just, if you can get those answers in quickly, and then we'll go ahead and post that poll. And I did see there was a raised hand question. If you could go ahead and just put your question in the Q&A, we will absolutely make sure we address that. And it looks like that Leah has put those responses in the chat. So go ahead and just take a few moments. You can see some of the things in terms of streamlining the process, how much information is out there on all of us. I think that's an excellent point. Ooh, some security concerns around admin uses, data breach. We're all well aware of that in the news. So I'm going to go ahead and pass things over to Elise. And certainly, please continue to read through those there in the chat. OK. So I think the things that are keeping us all up at night are pretty universal here. So like Jenny said, I'm going to walk us through a few slides just to level set and make sure everybody has the same shared language around the state of where we're at, some things we need to consider as we move forward, and then we'll jump into Q&A. So if you have questions along the way, if you'll drop them into the Q&A, like Jenny said, we'll make sure to hit those in a few. So the big stat that I share pretty often with my clients is this one, which is that 72% of people say that they feel like everything they're doing online is being tracked. And 81% of that group say that they feel like the potential risks of that tracking outweigh any benefits. So the pair of shoes following you around online, is that worth the trade-off of all of the information that's being exposed to the world? And because of that data privacy challenge, really our consumers and audiences are raising their voices more frequently and they're demanding more control. And that's caused shifts in both the regulatory side of things as well as changes on the tech side. So we're going to go through what those are, but what's important to know is that these changes are likely already impacting you, whether we're in a place of having to comply or not. Which just to level set, I know that some universities are required to comply with certain state standards. Sometimes if you're on the foundation side, you're required to comply, but your university is not. So there's nuance to that, but the big point here is that even if you're not required to comply, this is going to impact you. So that's the big central point of this conversation. So this is some of the legislative side that we should know about, and we'll get into some of the details of this later in the Q&A across all of our panelists. But the big ones that are helpful to know, of course, in 2018 GDPR went into effect in the EU. And that's when we saw California adopt some initial privacy legislation. And really, in the four years following that, we saw the pickup really start to unfold here. So in 2022, four US states signed privacy laws. Last year, eight more states signed privacy laws. And as of now, in 2024, there are 30-plus pending or passed state privacy legislation bills that are being considered or, like I said, already passed. So we don't yet have a federal bill, which there will be pros and cons of having one. There is one that is pending, but we don't yet know how long that will take or what consensus will look like across party lines. So we're in a place of really having to keep our eyes on what's changing across states or to adopt a universal approach to how we treat audiences across the board nationwide so that we're not having to guess as to where our constituents are from or create something that's different operations-wise based on your constituency's state of residency. The other point here that I will mention is that so far, Colorado, Delaware, New Jersey, and Oregon do not exempt nonprofits. Some of the other bills that we've seen do allow for some exemption of nonprofits, which is important for foundations. But as we start to see these laws pick up more frequently, we're seeing that nonprofits are not being exempted. So that's going to be important for us to know in terms of how your audience considers you as a brand or as an organization rather than whether they're sorting you into a for-profit or a nonprofit bucket, as the case might be. So the other thing that I think people are aware of in their personal lives but not so sure of how this is impacting you from an advancement level or a fundraising level are the big tech milestones here. So the big one that's really important is the Apple update in 2021. So if you're not familiar, Apple has really privacy a central piece of their brand. You'll see the big billboards and the advertisements that really are made to make you feel secure that Apple is watching out for you in terms of how they're sharing your data. And the update they made in 2021 was an iOS update that essentially forced any web app developers to ask for permission to track audiences in their mobile browsing behavior. So the scary part about that is that previous to 2021, all of that information was just being collected. It was a, you didn't have the ability to opt out. But as of 2021, you do. And not surprisingly, when that update rolled out, 90 plus percent of people said they did not want that tracking to roll out to them. So that number has changed a bit over time. Sometimes over time people get more comfortable and they've opted in at greater frequencies. But the last time I looked a few months ago, I was sitting at around 75% of people are still opted out. So the big impact on this was to groups like Facebook who relied on this third party tracking to identify the behaviors of audiences and understand what makes them tick, as well as to Gmail, which no longer saw that they were able to track open rates effectively because Apple essentially anonymized all of that activity. So if you've seen things like your email rate or email open rate being really great all of a sudden, or your Facebook ads not reaching the number of people that they used to, this is what's happening. So this is because of that data privacy demand, third parties and big for-profit companies are having to make changes to both get ahead of audience expectation as well as legislation that hits them. So in 2022, as a result of all this, Meta lost $10 billion in revenue. And as a result, they stopped supporting some key nonprofit activities. So if you were ever a group that relied on encouraging your alumni base or your donor base to donate their birthday or something to that effect or host a Facebook fundraiser on your behalf, Facebook has stopped promoting those activities and their algorithms. And they've also laid off a lot of their support staff for nonprofits. And then the big shift that we'll see in 2025 and probably toward the end of this year is data brokers are not collecting some of the audience data they once did such as ethnicity, because it's a sensitive data topic or field as noted in legislation. And then the last part here is that Google is going to stop eliminating support for third-party cookies. And those cookies are what allow you to see information that's relevant to you in the advertising space. So all that to say, previous to 2021, all these groups, all these big tech data groups were getting a lot of your information, a lot of your audience's information. It was impacting your ability to target people really well. And that is all shifting. So we need to care about this, like I said, even if we're exempt. And these are some of the stats on why. So we saw that there's the 90 plus percent group of consumers who said they didn't want to be tracked as a result of Facebook's, as a result of Apple's update in 2021. That translated to an 88% lift in ad price hikes among the top five digital providers. So if you don't do digital advertising, this step might not have hit you as much, but if you were doing things like boosting posts on social media or uploading lists of your email constituents so that you could build lookalike models, that all is hitting you at this point. And then the last, like I mentioned, is that email open rates are completely unreliable at this point. They presumed to be up quite a bit as the Apple change went into effect. So if you looked at 2020 compared to 2021, everything looks really great from an open rate perspective, but your click rates and things like that probably stayed pretty the same. So all this is impacting your analytics infrastructure and just your ability to understand how consumers are moving through your digital assets. And then the, I think there are two points here. So this is a bigger picture. On top of all this, just to add to the scaries, philanthropy has had a hard time in the past few years. 2021 was something of a boon year for a lot of groups across the board. And since then we've seen that volumes have declined industry-wide. So this chart here comes from the GivingUSA report, excuse me, in 2023. And it's not sorted based on organization type or donor type. So take that into account here. This is just philanthropy at large from an individual giving perspective. But what we see here is a trend line of volumes declining. So most groups have seen that their number of donors has declined in the past few years. Oftentimes their revenue hasn't necessarily declined in line because the average gift has been higher. So we don't know if that's law of averages, that if we've taken out the bottom, average gift just looks better, or if it's people are feeling more philanthropic. And so if they're able to give, they're giving more. So this is just a note that philanthropy has had some challenges on top of all of the data privacy landscape. But the thing that we need to keep in mind here is that there is the, what they're calling the great wealth transfer pending. So there's a large opportunity to meet prospects where they're at with the language and the options that will convert them to donors. So we're seeing that millennials are set to inherit this 27 trillion number in the next few years through 2045. And then Gen X will inherit 30 trillion by that same year marker. So what's good to know about this is that when we look at younger generations, Gen Z millennials who are not necessarily in the traditional giving age, what they say is that they tend to trust organizations less and that makes them less likely to donate. So what we can do about that is start to build bridges earlier, start to build that trust earlier and data privacy is a way to stay ahead of both your legislative mandate, but also your strategic mandate to build that future donor pipeline and stay ahead of what's going to drive people in the future. So I'm gonna pause for a second for any questions and then Jenny's going to move us to the panel discussion. And I haven't seen any come so far into the Q&A, but as a reminder, do make sure to put your questions in. And with that, let's go ahead and move to our panel. I also feel like, thanks, Elyse, you've given us lots of things to keep us up at night. As it comes to data privacy. And actually I thought maybe I'd start with you, Brian, really big picture before, I'd love to hear a little bit about what happened at Oregon State in a moment, but Elyse shared a bit of the landscape as we look at legislation and as our chief advocate from a case perspective, just love to hear a little bit about what you think institutions know beyond what Elyse shared in terms of the policy environment and data privacy. Well, thanks, Jenny. And Elyse did a great job of providing kind of that over broad overview of what's happened and really everything from a data privacy perspective, it's not surprising to see both state lawmakers and also members of Congress take an interest in this because if you have anything that shows 70% concern or support or 80%, those types of numbers, they're obviously not going to be the same as what you're seeing in the data. They're obviously hearing from their constituents about it. There's been a lot of focus on data privacy, data privacy rights, consumer rights, and all of that. So really starting with GDPR, that broader EU, European Union regulation really started down, they really kind of set the marker for looking at data privacy around the world. And so we've started to see that gain steam and the way it works in the United States is for those of us who are based here, as we all know is if Congress doesn't do it, the states will figure out a way to do it. And there are certain states that usually lead the way when it comes to that, and California was right out of the bat with its data privacy law pretty quickly after GDPR. And since then we've seen a steady stream, but I want to make it very clear, what's interesting about the 30 plus or so states that have either signed or have introduced or are considering data privacy laws is that there are 30 states, there are plenty of both what we would call blue states and red states. So it's not a Republican issue, it's not a democratic issue, it is an issue that is a bipartisan issue and there are bipartisan concerns. Now that doesn't mean that the parties agree on how best to address data privacy or how that should be approached, that's very different. I think everybody agrees there's a data privacy issue, there's a need for legislation, particularly federal legislation, we'll talk about that in a second. However, there's definitely different approaches depending on party. But what's interesting, so we have a variety of these different state laws that are in place and have been signed, all very different. Elise mentioned there are four that explicitly cover nonprofits, others that cover certain types of nonprofits. And so those are obviously ones that you have to be aware of. And because our institutions deal with constituents, alums, and others around the country, and frankly, around the globe, you have to be aware of these laws generally, which is why there's been a lot of support and interest, not only from a case perspective, but also across the charitable and the nonprofit sector for some sort of federal standard. Some standard that allows, that essentially is like GDPR in a sense, it allows organizations, particularly national organizations or organizations with a national or global footprint to have an idea of how to manage or how to address data privacy in a consistent fashion across states. Now, as we said earlier, there are pros and cons. I think Elise said there are pros and cons to a federal standard. And depending on your viewpoint, again, whether you have a Republican viewpoint, a Democratic viewpoint, or a viewpoint in between, you're gonna have various perspectives on how best to accomplish a federal data privacy law, or, and also perspective on whether a federal preemptive law is better, is best. And what that means is if Congress were to pass a law, one of the things that a lot of folks on Capitol Hill would wanna see is as for agreeing to do a data privacy law, that that law would essentially overtake or preempt all state laws that have been enacted in prior. Again, part of the advantage of a federal law is it encompasses everybody, it encompasses all states. So all organizations know what to expect. But there are some downsides to that. And the law, there has been a bill introduced at Congress called the American Privacy Rights Act. It is bipartisan. Actually, the Republican chair of the House Energy Committee, Representative Kathy Morris-Rogers from Washington, a Republican, joined with Maria Cantwell, a Democrat from Washington on the Senate side. And they've introduced the American Privacy Rights Act. And it has a lot of the things that have been brought up in the states. And most of these state laws cover in some scope or another privacy impact, consumer notices, contracting, rights to access data just at a very high level. So they've taken a lot of these things, but they've also built upon some of this and added some new requirements in that aren't covered by the states. So one thing that is clear with this bipartisan bill that's been introduced is it covers nonprofits explicitly. They are explicit that it covers nonprofits. Now, there are some thresholds as to what you have to follow in terms of some of the rules, but it says right at the outset, nonprofits are covered. So that is a very clear difference from some of the states that have exempted nonprofits directly. There are some other broader, there's actually a broader provision than what's in Oregon, Mark, that you probably have had a chance, at least have been dug in well, around what you have to share in terms of the sharing data with third parties and information. They actually take a broader view in the federal statute of that and what you have to share and the information you have to share. So that's one piece that's a little bit different. But interestingly also, the federal bill as introduced, and again, this has just been introduced and I'll talk about the politics of it in one second. Also, as of now, they've decided not to preempt everything at the state level. So they've added, they've kind of tried to do a middle ground and say, well, we'll keep a few things from the California law. We'll keep a few things over here. And you can see what the politics are being played for that. And to understand that politics, you have to understand where Congress is right now. Congress is a very divided legislature. You have very slim majorities in both the Senate and the House, where to get anything done, you really need to have bipartisan support. If you don't have bipartisan support, it doesn't get done. Even on the House, which is typically a majoritarian body, there's a two seat majority that our Republicans can avoid to lose two votes in order to get anything through the House. So as I mentioned, there was a bill introduced in American Privacy Rights Act right before July 4th holiday, there was an attempt to mark up this bill and committee on the House side. And at the last minute it was canceled. Why? Because even though there was bipartisan, the chair of the committee supported it, there was a number of concerns raised with House Republican leadership and leadership essentially asked the committee not to move forward. The committee said, we're gonna move forward, but then at the end of the day decided not to move forward because they didn't have the votes. So right now we are in a place of stall, everything is stalled. And that is just on the House side. The Senate side is actually now to try to get some momentum back that the Senate Commerce Committee is gonna be holding a hearing this Thursday, where they're gonna be again, talking about the importance of a federal data privacy in the context of AI, to try to again, get some momentum behind this federal data privacy legislation. But with the presidential election coming up with slim margins on the House and the Senate side, the likelihood of seeing a federal data privacy law go through this year is very, very slim. It's gonna take a lot of work and a lot of time, but it's something we certainly are gonna watch. And we'll also be watching what other states decide to move in the meantime. Thanks, Brian. I think, I know when I work with members, it's always really a great opportunity to hear you talk a little bit about some of what's happening and we'll come back to you in a little bit about the case advocacy sense of that. But let's now take it down to the next level or maybe even a few levels down. And this is sort of a tag team question for Elise and Mark, because as Mark said, you both work together. So I'd just love to know a little bit more about how you work together and your approach to the environment around data privacy. I'll kick us off, Elise, and then you can come in because as I was sitting around the desk one day, of course, what was keeping me up at night was this and all of the different areas. And Brian, you did a nice job of detailing those out because it's not just about can we keep this data point or not? And so it has that component. It has a component, security component is extremely important right now. It's not a matter if you're gonna get hacked you're gonna get hacked and how many times a year are you gonna get hacked? And that decreases your confidence and trust with your consumers that you have their data. And so every time that happens, you take a hit. And I thought my main driver here was thinking about how we act as a fiduciary for the university, especially around gifts and how we manage those funds. People can trust us with their money. They need to entrust us with their data as well. It's not good enough to say, yeah, we're in compliance or we're doing this over here. It's okay, trust us. I felt a need to really get out in front of this. And I started doing basic research on all kinds of different things because there's different approaches to this. There's the opt-in versus the opt-out. There's zero data. There's all kinds of things you can delve into. And I really quickly understood I needed to work with someone who had some experience doing this because right now, as we said, 33 some states, does that mean I have to apply the rules in my system to 33 states? I'm all for a federal bill. I agree with Brian that it ain't gonna happen anytime soon, but the opposite is I'm having to follow 33 different states in their legislation to make the determination. Can I send to these people or not? Did they opt in? Did they, what rules were applied there? And there I did a search and started looking for folks and I found Elyse and Elyse and I have since started working and we really made this a team effort. I wasn't, I'm not the only one. There's a lot of interested parties around the organization, let's be clear. It took them a little bit to get interested because I don't think they recognized what the bill was saying initially. And we didn't either. And we still aren't a hundred percent, even though it has gone into law, how are they going to enforce it? There's a $7,500 fine for any person who feels their data is being misused. All they have to do is go to the attorney general and say, hey, they're misusing my data. Well, how am I gonna track that? I mean, our data management people, they do great work, but they type in everything. They say, oh, you opted out, we opted you out. That's not good enough if I'm sitting there with the attorney general saying, well, you guys are doing these bad. I wanted proof that they did it. So it started me in this path. And Alyse, do you wanna maybe kind of just talk a little bit about our initials? Yeah, yeah. So what was great about Mark and Oregon State University Foundation is that Mark did a really good job of understanding that you don't just have to care because of the legislative pieces of things. You have to care about how your audience perceives you. So I think there's a question in here about whether the state laws are mirroring GDPR. Yes and no, but it's very much a crapshoot by state. So that's been, I think, the biggest challenge to it that even the legislators themselves don't always understand the language that they're putting into things, which was very much our experience with Oregon. So when we started working together last summer, we were being messaged that the bill was going to be an opt-in bill, meaning that all constituencies were going to have to actively opt-in to communication with the foundation. And we weren't sure if that was going to apply to people who were already on file, people who had already donated, people we knew we had an email address for but didn't have a donation record for, so very opaque. And it's become more clear over time, but I think what Mark has been right about is a really clear sight of no matter how the legislation shifts, we're thinking about our audience first and respecting what they want. Probably because there's 33 different answers out there right now. And until we get a federal answer, we're basically, it's a weird game to be in right now. But I think it's an important one because people do see those stats you saw. If we don't do something, the industry will do something, the government does something else. But I'd like to be out in front of all of that because at the end of the day, we're a trust organization, we're a relationship organization and you don't build relationships without trust. And if they don't have trust in the organization from the time that they sign up for an email list, that doesn't mean you immediately get 40,000 emails because, oh, we got your name and email, so now we're gonna affectionately spray and pray all of our emails to you in hopes that something might stick. Yeah, so when we started working together, we thought we were going for an opt-in approach and that's what we started with. But really, one of the other questions on here is how do you teach data privacy to people who don't stay up at night worrying about it? So my approach to addressing this is to bring all of those people together. So we start with a gap analysis, which involved working with a number of different teams within OSUF to get a sense of how they were bringing data in from what sources, what those fields looked like, what their purpose was, et cetera, but also what their tech stack looked like so that as audience permissions changed, would that translate all the way to the CRM? Did they have these kind of random lead gen vehicles or offline event vehicles that were bringing in data that we didn't know about? How do we think about alumni engagement and how that looks different than maybe admissions or advancement efforts? So that gap analysis process is what we started with. And then we put together a one-day workshop where I put together kind of the roadmap of what we needed to address for the day. And then we worked together to build consensus around what the priority projects were to address those gaps and the holes in the infrastructure so that we could proceed forward. And then Mark has done a really great job of having kind of a data privacy cohort of colleagues internally who have taken that forward and really make sure that each piece of the landscape is addressed. And having that working group in place has, I think, allowed for you all to be really nimble in responding to change as it happens and as the law has become more clear on that front. There is a lot of interplay in different areas. And what we did is we built a team that had folks from almost every department, alumni from athletics, from marketing communications, from, of course, the tech side. Even the development officers are interested in, does this enable, does this keep them from calling someone and other things? So they were very interested. And it was a really, I think the team approach was as one of the hallmarks of what we walked away with so far. I still, there is still a lot of work left to be done, to be very clear. Even I was hopeful that we might be in really sitting pretty, but then I ran into the, even the privacy policy and understanding that now our vendors have to tell us what they do with the data once we give it to them. And that's going to be an interesting, just think about that for a second, especially with black box type solutions. How are you using that data? It becomes a harder question to answer. And if I have to respond to the donor or the constituent that this is what we're doing with that, and we can't get the answer from the vendor because the vendor says that's proprietary. Anyway, that's the one that I'm most worried about right now is in the vendor and the vendor relations side. And how are we going to do this? Because some of the companies now I'm seeing it already, some of the companies that work in Oregon are starting to comply with the law, because again, it's active for for-profits right now. And you're starting to see some of that messaging come out. And we're hoping to learn as much as we can as we go. But I think this is just similar to my commentary about a data breach. It's not a matter of if or when, it's not a matter of if, it's just when, when you're going to have to deal with some of this privacy issue. Because the consumer doesn't care whether you're exempted or not. Oh, the last thing I was going to mention, this wasn't so much related to OSUF, but in lots of different groups that I work with, the approach to understanding your state's legislation is highly dependent on what your legal structure within your teams looks like, whether that's in-house legal counsel, whether that's external counsel, whether that's in-house legal counsel, and they're kind of outsourcing data privacy to a third party counsel. All that is important to include in that initial stakeholder gathering so that you have that sense of, sometimes we think legal is making decisions in a vacuum and you've got them having marketing and communications moving toward an opt-in model, and maybe that's not what was called for in the state or vice versa. Legal doesn't know about things that are going on in all of our different worlds, so they're not able to give you the proper guidance. So I think with respect to all of the different groups that are here today and that question of how legislation looks different by state, I think that's a really important consideration. And that's also a great plug for our second and the series of this webinar as well, and a big reason why I felt legal needed its own section as we address this topic. I wanted to just note, I think one of the things I loved about your approach, Mark, is we often talk within our insights team and when we do presentations about sort of what a data-adjacent model looks like versus a data-informed. And I think we'd all like to say we're data-informed, but when you pull back the layers, sometimes we're a little more data-adjacent. And I do think one of those hallmark features is this notion of everyone's taking on that ownership that we need to be thinking about the data and concerned about data privacy. And so I love that model as an example of something where it wasn't just living on you and your team's shoulders. There's so many layers that connect back. And if we're not doing this as a symphony, we're gonna be stepping on it, so. You may have addressed this, but I'd love to know, you know, as you and Elise talked about some of the work you did together, aside from what you've mentioned, was there anything else specifically at the foundation that made you want to assure that you were ahead of that data privacy change? Like I mentioned initially, the morning I woke up and recognized that this was occurring was the impact that GDPR had to our European constituency. That was not great. And, you know, we complied with GDPR, we did everything we needed to do, but that left a big hole. And I just thought of our market and our, you know, I wanna be able to, you know, I don't wanna lose our good customers or our good donors and constituents because of something that we did tangentially. I mean, you know, obviously some of the things that are occurring within Apple and such, you can turn off your phone, you don't get the outside callers unless they're on, those things are hurting us, whether we want to admit it or not. And so just being out in front of this made me feel a little bit more reassured that we would be able to tackle not just this legislation, but a future federal legislation. I just don't see a world where we have 50 different legislations and we're all sitting here, okay, well, you're ready for that load? We're gonna send it to DC and, oh, wait, we can't send it to DC, we can only do it, it just become a bureaucratic nightmare for us. And so how do we get in front of it? Honestly, and Jenny, you'll love this as well, it really ties into some data governance. It really forces the question of what kind of governance you have and what you're doing. I know we all operate, no one operates, well, somebody might, but I like to see it, their binder of every single data point they may have and how they use them. But this is making that work far more important to us going forward. So we're approaching it from a strategic standpoint and what are the most valuable data points are? We have a chart, which I could probably get in a follow-up afterwards that shows the different classifications of your data and having a really good understanding first and foremost, what those are. And if you don't have one, that's probably where you start. So, or make sure everyone has a good understanding of that. But there is so many different components in it that is, I think that's when we started unwrapping the onion, and I feel like we're behind right now. I know we're up here saying we're ahead, but I actually feel like we still have so much work left to do that I'm looking forward to next year when we have to comply, having a new privacy and preference center up that allows me to tag when people opt in and opt out and what they want and not. So I'm not saying, well, so-and-so my data person recorded this on 7-Eleven and I have no idea where it came from. So we need that level of confidence. I've got a brand new vendor management protocol where we have a new privacy piece to anytime we could do a contract review. They need to be answering these questions of what they're doing with our data and ensuring that we have these specifics. For example, destruction of data. I mean, we all think we have that in our things, but sometimes you find out that they're not necessarily destroying your data. The other piece is what are they doing with your data that you don't know about? Are they using it to aggregate information? They can't do that either. So these are all little nuances that are new to us and we're trying to navigate in the best way possible. And like I said, it's better to start now than to be behind the eight ball on this one. And shout out to you, Mark, for raising your hand and saying, I think this is a place where CASE could really take a larger role. And this is actually what led to this webinar series. So, and it looks like you're getting some love for seeing that checklist. So that's something we can follow up with the group afterwards. That's like I said, Barney Basie, you don't have this level. Now we're onto different things. And we're always happy to, when I think we are going to talk more in granularity about what the different pillars of each of this is in a later episode. So Elise, I wanted to ask you, and I think this is sort of, I'm looking at some of the questions that came in and it's a little bit of the flavor of some of the questions we're seeing, which is how would you encourage institutions just to get started when we're talking about, implementing some of these best practices? Yeah, I think, so I do think that the working group model is the one that I would start with first. So just to back up, I, so when I started working, I was actually in-house at World Food Program working on the fundraising side. And I knew what I could control for my purview, but I also knew what I couldn't control to Mark's point. So the framework that I built was meant to intentionally bring together fundraising, legal, comms, IT and operations just to build that framework. So I think if you have that kind of muscle built for collaboration across those different aisles, you'll be set up with at least that first step. And honestly, I think that goes for any business problem, but for data privacy in particular, I think what's helpful is in that cadence and that group already established. So across the clients that I work with, that's what we go to first is, who are the core stakeholders that are involved in this? And then we can broaden out from there, but the people who are going to have to actually model the cultural change are the ones that are most important. And building that buy-in with that group is that best first step in my opinion, followed closely by getting a handle on what data you have coming in the door. But I think having the right people collected to be able to respond to that information as it comes in is a good starting place. Let me go back to you, Brian. And then there's a couple of questions that I'd love to throw out to the group that have come in. So you talked a little bit about the landscape. As I mentioned, I'd love just to hear about how we at CASE advocate on the issue of data privacy aside from hosting sessions like this. Well, I think, yeah, I was gonna say, actually, this is a great example of a way that we can help members when we learn a particular issue or particular challenges bringing in, doing forums like this, doing webinars. And in fact, when GDPR first was going into effect, working out of our London office did a lot of conversation with members in the UK and across Europe around how to best prepare or best advocate for ensuring what we always try to ensure, which is a balance, right? There's a balance between the real need for data privacy, that trust that Mark talked about, that is critical to the work that we do in advancement, but also the need to actually do the work, to engage, to raise the dollars that help us achieve our mission. So there needs to be a balance as these laws come in and to the extent that we at CASE can help, whether it's US federal policy, whether it's policy around the world, the extent we can help and advocate for that balance to ensure that that balance exists, that's what we're here to do. We also work a lot with partner associations and other organizations in the States, obviously organizations, associations like EDUCAUSE, which is really on the forefront from an IT perspective, but also our colleague associations in the education world, we're working closely with them on this, but also in the charitable and nonprofit sector, there are a number of great charitable associations and organizations, independent sector, also the nonprofit alliance who've been really focused on data privacy and putting great summaries of how data privacy and some of the original laws have started to impact. So where we can as education, again, connect with the rest of the charitable sector in a US context and advocate as a part of that larger charitable sector, the better off that we are and the better our chances of really helping and hopefully getting and achieving that balance. As I talked about earlier, it doesn't look like federal legislation is going anywhere anytime soon. However, I will say this, if you would have said to me six months ago or even a year ago, that we would have gotten to a point where you had a Republican member of the house in a key position and a democratic leader in the Senate in a key position agree on a federal data privacy law, I would have said, I don't think that's gonna happen. So the fact that they got to the point where they have legislation that's been introduced, they got to the point of almost having a markup is incredible progress from the perspective compared to where we were two years ago, we were like, I can't imagine the parties ever coming together on this. Now that doesn't mean again, there's a lot of, the markup didn't go forward. There's a lot of concern. There's the private right to action, which is a real concern at the federal level that a lot of lawmakers have the ability to sue and for individuals and consumers to sue directly. That's a real concern in the federal bill. But the fact that they've gotten this far means that depending on what happens in November, and of course the election always matters, we'll have to see whether there is new momentum and a new opportunity to see federal legislation moving forward. But we will certainly at case be on top of it and providing resources and tools to all of you. And I'm going to throw out a couple of questions that have come out to the group. And then I'd love to bring back and do a little quick lightning speed round to ask you all one final question. So we had a question from John that said, what are two to three high level takeaways that a department leader needs to be thinking about? Broken down by the data we collect and hold, contact data we use for outreach and sensitive data we might receive and how we should deal with it generally. So I think some of this we've touched on, but wanted to see anything else you'd sort of add to that list of those couple of takeaways. We think we covered it? Understanding of the legislation that may impact you, whether it be your state, California's, et cetera, just getting a little bit of a handle on some of that. I think it's a really good understanding of how this affects you. And it also gives you something to lean against because otherwise if you're just trying to check the boxes, it may not necessarily be the best. I mean, you got to really kind of get a, that's why I reached out to an outside council. I didn't understand how to navigate that on my own. And it's also affects so many different groups. It just isn't a tech issue. I think that's the part that I'd really stress. And just the fact that you're asking these questions are great. I would suggest, do you have a, looking at your privacy policy, step one, what does your privacy policy say today? When's the last time you had legal look at your privacy policy? I think that's the second step. And if you even just do that, I suspect you'll find some work that needs to be done. Yeah, I would say too that my concern in all of this is that organizing will wait and your fundraising will suffer. The longer you wait, the more you will suffer because this isn't a matter of just checking boxes. If this hits you in the time we have to get from legislation passing to compliance, all of that is going to involve monstrous decision-making with your tech stack, making sure those permissions carry through, making sure you understand what data is coming in and also the third party perspective. But I think in addition to all of those, you have to think about how you're going to replace your acquisition pipelines. So that's a huge strategic lift and that's the benefit to staying ahead of this is the money. And I think always the motivator. So I think if you're talking to leadership or whoever that might be, the legal mandate is one thing, but the revenue is very much another and very distinct. So we're thinking about. So boy, this hour has flown by. I was going to ask you a final question of, are there challenges? But I feel like maybe I should say, what are the challenges that do continue to keep you up at night in respect to this topic? So I'm going to start with you, Elise, we'll go to Mark and then Brian, I'll give you the final word. Yeah, I mean, I think I just covered it, but I think the waiting, I think in terms of advocacy, I think like Brian said, I work with the nonprofit alliance pretty frequently on their data privacy and AI working group. I think we need to just embrace that this is happening. Again, to Brian's point, we don't know what it's going to look like yet, but it's probably going to look like something. So we need to have clear eyes and accept that and think about how we build the infrastructure to adapt. I'll echo a lot of what she just said. I think me personally, I've touched on a couple of pain points already, the things that really hurt me, it's like the vendor piece is still kind of out there to me. How much, and I'm not seeing, I see us out ahead, but then I noticed there's some other trains that need to come along with us and how are we going to do all of that work and have it done succinctly? I suspect that we're going to be working in bits and pieces for a number of years. The biggest piece that we've got to deliver on is that privacy and preference center though, because that's the biggest CYA that I have to protect us from the penalties of the Oregon bill. And the only thing I would add to all of that is I think you've taken the right first step or another step by taking some time to think about this, to look at it. And one of the best ways to, if you ever get asked about this or a question about it or what you're doing, if you have a working group in place, if you've looked at your data privacy policy, you've done things, if you've taken action to do things, you're in a much better place than if you've not done anything on this or you feel like you're on the back foot. So I think keeping on top of it, doing the best you can, of course, getting the legal counsel and the advice that you need. And then obviously from an advocacy perspective, watching and weighing in when necessary, if there is an opportunity to make this a bit more clear and easy, relatively speaking, moving forward. So, and that's what we're here at CASE to help you do. So just appreciate all the great questions and also Alyse and Mark for sharing your expertise and your experience. I'm really appreciative that CASE is stepping in here to help because it's a big issue. And I think you guys have the opportunity to really help everyone to be mindful of this. And it's an important thing. My data is important to me. I suspect if you ask that question to everyone on this call, they'd all say the same thing. So how do we become better stewards of our data? And I hope you will all join us on August 1st at 1 o'clock PM Eastern time for the second in our series. And again, we've got Jen Sarasa who's joining us today, who will be joining as our panelists next time around. And just want to echo my thanks to Alyse, Mark and Brian and all of you for being such interactive participants and hope this has been a good use of your time today. Thanks all. Thank you all.

data privacy

fundraising

advancement efforts

evolving landscape

privacy laws

collaborative team

privacy policies

legislation

data governance

revenue generation