Jurisdiction: Federal

Comments from the Author

Non-Profit Donor Privacy Policy

  • A donor privacy policy notifies donors about the non-profit charitable organization’s practices concerning the collection, storage, use, and disclosure of information, including personal information.
  • While not required by federal laws governing non-profits, it is advisable to have a donor privacy policy that is readily available on the non-profit’s website to:
    • Communicate the importance that the non-profit places on protecting its current and potential donors’ personal information.
    • Maintain the trust of its current and potential donors who have an expectation of privacy when donating.
    • Meet the expectations of watchdog agencies and rating organizations, which may factor whether a non-profit has a donor privacy policy into their scoring of the non-profit’s level of accountability and transparency.

Description

Non-Profit Donor Privacy Policy

Non-Profit Donor Privacy Policy Preparation Form (Coming Soon) – We recommend that you gather the information in this form prior to accessing the online questionnaire.  Doing so will help you efficiently create your custom Non-Profit Donor Privacy Policy.

Summary

A donor privacy policy notifies donors about the non-profit charitable organization’s practices concerning the collection, storage, use, and disclosure of information, including personal information. While not required by federal laws governing non-profits, it is advisable to have a donor privacy policy that is readily available on the non-profit’s website to:
  • Communicate the importance that the non-profit places on protecting its current and potential donors’ personal information.
  • Maintain the trust of its current and potential donors who have an expectation of privacy when donating.
  • Meet the expectations of watchdog agencies and rating organizations. These agencies and organizations may factor whether a non-profit has a donor privacy policy into their scoring of the non-profit’s level of accountability and transparency.

Details

In addition to having the policy available on its website, a non-profit should also include a reference to its donor privacy policy in any communications with the public. A donor privacy policy may be part of a general privacy policy or a standalone policy that links out to the general privacy policy. While there is overlap between the two policies, it is helpful to have a separate donor privacy policy. The donor privacy policy highlights donor-specific issues because the continued support of donors is essential to the success of the non-profit.

Legal Issues

A donor’s decision to donate to a particular non-profit is considered a private matter. Therefore, the First Amendment’s rights of free speech and free association protect the decision to donate. Many non-profits conduct fundraising campaigns at least in part through their websites and provide online donation options. Non-profits with websites that collect user information, both from donors and from site visitors, should post their privacy policy on the site to disclose the non-profit’s information collection and privacy practices. It is important that non-profits are aware of and comply with any applicable privacy and data security laws.
Relevant Privacy and Data Security Laws
  • The Federal Trade Commission Act, regulating unfair or deceptive business practices and providing guidance on consumer privacy disclosures.
  • The Children’s Online Privacy Protection Act (COPPA), regulating the online privacy of children under 13.
  • State privacy laws. Non-profits may generally be exempt either entirely or in large part from many of these laws. However, non-profits should be aware of them to the extent that their activities intersect with covered activities or entities. For example:
    • the California Consumer Privacy Act (CCPA), a comprehensive data protection statute governing use of the personal information of California residents, effective January 1, 2020, may apply if the non-profit obtains data from a CCPA-covered business; and
    • the California Online Privacy Protection Act (CalOPPA), which regulates commercial website operators that collect California residents’ personal information, may apply if the non-profit engages in unrelated business activities, such as an online gift shop or paid advertising.
  • International privacy laws, such as the EU General Data Protection Regulation ((EU) 2016/679) (GDPR) and EU Privacy and Electronic Communications Directive (2002/58/EC) (E-Privacy Directive). While compliance with foreign privacy and data protection requirements is outside the scope of this donor privacy policy, non-profits that collect personal information from donors residing outside of the US or that operate in foreign jurisdictions (for example, by storing or hosting personal information in non-US jurisdictions) may be subject to privacy and data protection laws in those jurisdictions.
However, even where the law does not specifically require a website privacy policy, posting an accurate and well-drafted policy can reassure website visitors that the site operator does not use their personal information irresponsibly.

Content of Donor Privacy Policy

A donor privacy policy should state its effective date and address the following privacy principles:
  • The policy should clearly inform visitors about the types of personal information collected. Additionally, the policy should describe how the information is collected, used, and shared.
  • Choice and consent. The policy should provide visitors with choices regarding how their personal information is used or disclosed. The non-profit may need to obtain consent if the information is used for purposes unrelated to the non-profit’s interaction with the visitor.
  • The privacy policy should describe how users can access, correct, and remove any personal information collected by the site.
  • The policy should describe the steps taken by the site operator to protect personal information.

Customizing the Policy

Non-profits should use this donor privacy policy as a standalone policy for a charitable organization that collects basic personal information. This information is typically provided by its current or potential donors through online and offline means, including through:
  • Its website.
  • Phone calls.
  • Email or mail.
  • In-person conversations, such as at a fundraising event.
Examples of basic personal information include names, addresses, and credit card information. This policy also assumes that the non-profit:
  • Is not subject to COPPA.
  • Does not sell any of the personal information it collects and maintains.
  • Generally uses an opt-out approach. This approach requires the donors to actively elect to withdraw their consent as described in the donor privacy policy.
  • Uses an opt-in approach where specifically described in the donor privacy policy. This approach requires the donors to actively elect to grant their consent.
  • Addresses any applicable CCPA requirements in a separate notice. Websites collecting personal information from California residents must comply with the CCPA’s notice requirements by January 1, 2020.
  • Is based in the US and only targets US-based donors.
However, no donor privacy policy works for all non-profits. Instead, a donor privacy policy must be carefully drafted to specifically reflect the non-profit’s actual or anticipated information collection and privacy practices. This document can be purchased as a standalone document or as part of our Non-Profit Compliance Package.
