Privacy & Security

Church data privacy: laws and how to protect member data

Nic Moore, June 19, 2026

Most U.S. privacy laws exempt churches as nonprofits, so the typical congregation isn't directly regulated by the CCPA or similar state laws. But the exemption isn't universal. A handful of states cover nonprofits, GDPR reaches any church handling European data, and your software vendors are almost always covered even when you aren't. The real obligation is the trust members place in you.

I pastor a church and I build software for churches, so people ask me some version of this constantly: "Are we even allowed to keep all this?" The honest answer is that the law gives you a lot of room, and that room is exactly why it's worth holding yourself to a higher standard than the statute does. Your members handed you their giving, their kids' names, their prayer requests, sometimes the worst week of their year. No law made them do that. They trusted you.

Do privacy laws actually apply to churches?

Usually not directly. Most U.S. state privacy laws were written to regulate for-profit businesses, and they carve out nonprofits, so a standard 501(c)(3) church falls outside them. The big exceptions are a few states with minimal nonprofit carve-outs and Europe's GDPR, which applies to anyone handling data on people in the EU regardless of nonprofit status.

The cleaner way to think about it is by jurisdiction. In most states, your church isn't a "covered entity" and the comprehensive consumer privacy law doesn't reach you. But according to nonprofit law firm Wagenmaker & Oberly, several states including Colorado, Oregon, Delaware, and New Jersey offer virtually no nonprofit exemption, meaning a church there can be covered if it crosses the law's data-volume thresholds. Those thresholds are high (Colorado's kicks in around 100,000 residents' data), so a normal congregation still won't trip them. GDPR is the one with no nonprofit escape hatch: if you collect data on someone in Europe, an online giver traveling abroad, a missionary partner, you're processing under it.

The part most articles skip is what happens downstream. Even where your church is exempt, the companies you hand data to usually are not. Your email platform, your payment processor, your church management software, those vendors are for-profit and squarely inside these laws. So the practical question shifts from "does the law cover us?" to "do the tools we chose take this seriously?"

Are churches exempt from the CCPA?

Generally yes. California's Consumer Privacy Act defines who it regulates as a "business," and that definition is for-profit. A nonprofit church isn't a business under the CCPA, so the typical congregation isn't a covered entity and doesn't owe CCPA obligations to its members.

There are two ways that exemption can disappear, and both are uncommon. If a church shares common branding with a for-profit affiliate and passes personal information to it, the nonprofit can get pulled under the for-profit's CCPA duties. And if an organization derives a meaningful share of revenue from selling personal information, it stops looking like a charity to the law. The California Attorney General's office is the primary source for how the statute defines a covered business if you want to read the actual text. For a normal church, neither trapdoor applies. You're exempt, and that's the point where I'd encourage you to stop reading the law as a ceiling and start treating it as a floor you've already cleared.

How do I protect church member data in practice?

Start with access. Most data problems at a church aren't dramatic breaches. They're too many people able to see everything, accounts that stay live after someone leaves, and giving records living in a shared spreadsheet anyone with the link can open. Tightening those three things does more than any policy document. Then choose vendors who keep your data isolated and don't mine it.

This is the working list I'd give any staff team, in order of how much it matters:

  1. Scope access by role. A check-in volunteer doesn't need to see giving. A kids' worker doesn't need pastoral notes. Set permissions so each person sees what their job requires and nothing past it. This single habit prevents most internal mishandling.
  2. Close accounts the day someone leaves. When a volunteer or staff member steps off, their access should end that week, not linger for a year. Keep a short list of who can see member data and review it each quarter.
  3. Get giving and notes off loose spreadsheets. A donor export emailed around, a prayer list in a shared Google Doc, these are where leaks actually happen. Sensitive records belong in a system with real permissions instead of a file with a shareable link.
  4. Use strong, unique logins with two-factor. The most common way church data walks out the door is a reused password on a staff email. Two-factor authentication on every account that touches member data closes that gap cheaply.
  5. Vet the vendor, not just the feature. Before you trust a platform, confirm your church's data is isolated from other churches, that they don't train AI models on your members, and that they don't sell or broker data. The next section is the script for that conversation.
  6. Write one plain page and tell people. A short, readable note on what you collect and how you protect it isn't a legal requirement for most churches. It's a trust gesture, and members notice when you bother.
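As an added example (not code from the article or from Scout), here is how the first two habits above and the two-factor habit can be made checkable in a small church system: a deny-by-default role map using the data categories the article names, and a quarterly review that flags departed people whose accounts are still live, roles nobody has scoped, and member-data accounts without two-factor. The role names, account records and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Data categories a church system holds (constructed from the article's examples).
GIVING, PASTORAL_NOTES, CHECKIN, KIDS_ROSTER = "giving", "pastoral_notes", "checkin", "kids_roster"

# Role -> categories that role may read. Anything not listed is denied by default.
ROLE_SCOPES = {
    "checkin_volunteer": {CHECKIN},
    "kids_worker": {CHECKIN, KIDS_ROSTER},
    "finance": {GIVING},
    "pastor": {PASTORAL_NOTES, CHECKIN, KIDS_ROSTER},
}

@dataclass
class Account:
    name: str
    role: str
    departed: Optional[date] = None  # date the person stepped off staff or volunteering
    disabled: bool = False
    mfa_enabled: bool = False

def can_read(account: Account, category: str) -> bool:
    """Deny-by-default check: disabled accounts and unknown roles see nothing."""
    if account.disabled:
        return False
    return category in ROLE_SCOPES.get(account.role, set())

def quarterly_access_review(accounts: List[Account], today: date, grace_days: int = 7) -> List[str]:
    """Return one finding per live account that violates the access habits above."""
    findings = []
    for a in accounts:
        if a.disabled:
            continue  # already closed; nothing to review
        if a.departed and (today - a.departed).days > grace_days:
            findings.append(f"{a.name}: departed {a.departed}, account still live")
        if a.role not in ROLE_SCOPES:
            findings.append(f"{a.name}: role '{a.role}' has no defined scope")
        elif not a.mfa_enabled:
            findings.append(f"{a.name}: two-factor not enabled on a member-data account")
    return findings

# Constructed sample roster: Cara stepped off in March but was never disabled; Eve's role was never scoped.
STAFF = [
    Account("Ana", "checkin_volunteer", mfa_enabled=True),
    Account("Cara", "kids_worker", departed=date(2026, 3, 1)),
    Account("Dan", "pastor", mfa_enabled=True),
    Account("Eve", "intern", mfa_enabled=True),
]
```

Running `quarterly_access_review(STAFF, date(2026, 6, 19))` produces three findings: Cara's live account, Cara's missing two-factor, and Eve's unscoped role.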

None of this is exotic. It's the same discipline you'd want around a locked filing cabinet, applied to systems that move a lot faster than a filing cabinet ever could. If you want the deeper cut on where the human side of this gets ethically tricky, I wrote a companion piece on whether it's ethical for churches to use AI on member data.

What should I ask a software vendor before trusting them with member data?

Ask five questions, and make the vendor answer them plainly. Where does the data live, is our church's data isolated from other churches, do you train AI on our members, who do you sell or share data with, and how is access controlled by role. A vendor who hedges on any of these is answering you, just not with words you'll like.

| Question to ask | What a solid answer sounds like | A reason to walk away |
|---|---|---|
| Where does our data live? | Named, reputable cloud infrastructure; encrypted at rest and in transit. | Vague answers, or data stored somewhere they won't name. |
| Is our church's data isolated? | Each church's records are sealed off; nothing crosses between churches. | Your data pools with other churches or feeds their marketing. |
| Do you train AI on our members? | No. Congregant data is never used to train their models. | "We may use aggregated data to improve the product." |
| Who do you sell or share data with? | No selling, no data brokering, third parties limited to processing. | Any revenue tied to sharing or selling member information. |
| How is access controlled? | Role-based, so staff see only what their role needs. | Anyone with a login can see everything. |

Save that table. Paste it into an email to any platform you're evaluating. The questions are the real artifact here, more durable than any single product, because they hold up no matter which vendor you're weighing. If you're sizing up church management software more broadly, I walk through the full buying decision in a pastor's nine-question framework.

Is church member data protected by law, or only by us?

Partly by law, mostly by you. A church usually isn't directly regulated, the laws that exist reach your vendors more than your congregation, and only a few states cover nonprofits at all. So the binding protection is the one members assume already exists: that the church they trust isn't doing anything careless with what they shared.

That gap between what the law requires and what people expect is where churches get to lead instead of comply. When someone gives to your church, drops their kid at check-in, or writes a prayer request on a card, they're not reading your privacy policy first. They're extending trust based on the relationship. Holding member data carefully is part of keeping that, the same way you'd guard anything else someone handed you in confidence.

This is the one place I'll mention what I'm building. Scout keeps each church's data sealed off from every other church, never trains models on your members, takes no cut of giving (you still pay the payment processor's standard fees, because the point is getting as much of every gift into the church's hands), and scopes access by role so a check-in volunteer never sees a pastoral note. I'm church-funded with no outside investors, so there's no one upstream whose business depends on mining your congregation's data. The manual safeguards above stand on their own. Scout is the version that builds them in so you don't have to police them by hand.

Frequently asked questions

Do privacy laws apply to churches? Sometimes. Most U.S. state privacy laws exempt nonprofits, so the typical church isn't directly covered. But Colorado, Oregon, Delaware, and New Jersey have minimal nonprofit exemptions, and any church handling European data falls under GDPR. The vendors you use are usually covered even when you aren't.

Are churches exempt from the CCPA? Generally, yes. California's CCPA targets for-profit businesses, so a standard 501(c)(3) church isn't a covered business. The exemption can fall away if a church shares branding and data with a for-profit affiliate, or sells personal information, but that's rare for a normal congregation.

How do I protect church member data in practice? Limit who can see what by role, turn off accounts when people leave, keep giving and pastoral notes off shared spreadsheets, and pick vendors who isolate your church's data and never train models on it. Most breaches start with too many people having access to everything.

What should I ask a church software vendor about data privacy? Ask where the data lives, whether your church's records are isolated from other churches, whether they train AI on your members, who they sell or share data with, and how access is controlled by role. A vendor who can't answer those plainly is telling you something.

Is church member data protected by law? Partly, and unevenly. A church usually isn't directly regulated, but laws still reach your software vendors and payment processors, and a few states cover nonprofits. The stronger protection is the trust your members place in you, which holds whether or not a statute does.


Nic Moore is a pastor and the founder of Scout. I had to answer these questions for my own church's records before I'd ask anyone to trust them with theirs.