Navigating Privacy Policies: A Guide for Nonprofits

Learn more about crafting compliant privacy policies, handling data with care, and fostering a culture of transparency.

From donor details to beneficiary information, handling sensitive data is a common task for most nonprofit organizations. Complying with privacy regulations can be complicated, but it’s crucial for maintaining trust and ensuring confidentiality. In this article, we’ll compile everything you need to know about Privacy Policies to ensure your organization can safeguard data, ensure compliance, and foster a culture of transparency.

Why Nonprofits Should Care About Privacy Policies

Reason 1: People Deserve Privacy

Oxford Languages defines privacy as the right to be left alone or “the state or condition of being free from being observed or disturbed by other people.” Seems reasonable, right?

While it may seem like common sense, people’s privacy can be overlooked, either on purpose or by accident, by websites. That’s because it’s very easy (and sometimes necessary) for modern websites to collect, store, and share people’s data. This type of data is typically referred to as Personally Identifiable Information (PII). Examples of PII include:

  • Names
  • Phone Numbers
  • Email Addresses
  • Physical Addresses
  • IP Addresses

Nonprofit websites commonly collect all of this PII via features like:

  • Contact forms
  • Email newsletter subscription forms
  • Donation forms
  • Text-to-Give tools
  • Volunteer application forms
  • Analytics tools such as Google Analytics
  • Advertising tools such as Facebook Pixels

Note: Collecting this information isn’t a bad thing. Many nonprofits must collect this information to operate effectively and efficiently.

Now that we know what PII is and how it’s commonly collected, we also need to point out that it’s the property of the individual, not the website owner. Therefore, to respect people and their privacy, website owners need to take certain steps when collecting PII. That’s where privacy laws and Privacy Policies come into play.

Reason 2: It’s the Law

Legislators around the globe have been busy over the last few years passing privacy laws that require website owners to provide specific disclosures in their Privacy Policies in an effort to encourage website owners to respect people’s online privacy.

A Privacy Policy is a document that describes your privacy practices to anyone who visits your website. In addition to having all the disclosures required by privacy laws that apply to your website, a Privacy Policy will almost always contain:

  • The kind of PII you collect
  • How you use PII
  • Who you share PII with

Note: Some privacy laws can require 20 or more disclosures to be included in your Privacy Policy. A nonprofit must determine what laws apply to them and figure out what disclosures are required by those laws before writing their Privacy Policy.

So, what laws typically apply to nonprofits? Well, most privacy laws apply to for-profit organizations only as they specifically exempt nonprofits in their text. However, some laws do not distinguish between the two and apply to both. For example, the following privacy laws apply to nonprofits as well as for-profit businesses:

Don’t let the names fool you: privacy laws are designed to protect individuals, not nonprofits. Even if your organization is located outside these areas or countries, you may still be legally required to comply with them if you collect the PII of their residents or track individuals from those areas through tools such as cookies, pixels, or analytics.

You could also have to comply with a whole host of additional laws, especially as a nonprofit organization. For example, if you’re processing data on behalf of a client subject to these laws, you may be required, via contract, to meet the obligations of these laws.

Even after you’ve learned all the laws that apply to your organization, it’s important to establish a plan to make sure your Privacy Policy stays up to date. As of the writing of this blog, over 30 privacy bills are being worked on across the globe. Some of these bills, if passed, will require nonprofits to update their Privacy Policies with additional disclosures. In addition, new regulations, guidance, enforcement actions, and lawsuits are being released every day, all of which may impact Privacy Policy disclosures as well.

Note: Fines vary depending on the privacy law, but they typically start at $2,500 per website visitor whose rights have been infringed upon. This happens more often than you might think. GDPR alone has seen a massive increase in fines.

Reason 3: It’s an Advantage

Nonprofits rely heavily on trust in order to regularly get the volunteers and donations needed to operate. By taking your website visitors’ privacy seriously, through comprehensive, easy-to-understand, and regularly updated policies, you’ve taken steps in the right direction.

After all, ever since the Cambridge Analytica scandal in 2010, people have started paying more attention to their online privacy and data. There have been several studies to support this as well. For example:

With this in mind, let’s explore how nonprofits can obtain a Privacy Policy and improve their privacy practices to ensure they’re leading the way in privacy.

How to Get a Privacy Policy

As you may have guessed by now, writing a Privacy Policy isn’t the easiest of tasks. You have to know what laws apply to your specific organization, what disclosures those laws require, and keep up with ever-changing legislation that could impact your website’s policies.

First, let’s start with what you should NOT do as a nonprofit.

Privacy Policy Don’ts

You should always avoid:

  • Copying and pasting policies: No two organizations are exactly the same, so their policies likely won’t require the same disclosures. Even a nonprofit very similar to your own could have a very different-looking Privacy Policy because different privacy laws apply to it and it has different privacy and business practices. Not to mention, copying could lead to a copyright infringement claim, especially if the other website paid for its policies.
  • Free templates: Similar to the point above, free templates found online are designed to cover as many organizations as possible. They don’t get to know your organization and, therefore, can’t create the specific disclosures your website needs to comply with the law. They also can’t update your policies as laws change or new ones are passed.
  • Forgetting about your policies: Even if you have an attorney write your Privacy Policy, a policy that is compliant today won’t necessarily be compliant tomorrow. Laws are always changing, so you need to revisit your policies regularly to ensure they remain compliant as legislative changes take place.

Privacy Policy Do’s

When it comes to Privacy Policies you should always:

  • Find out what laws apply to you. You cannot create the disclosures needed for your website if you don’t know what laws you need to comply with.
  • Include all the correct information. There’s quite a bit of information that needs to be included in most Privacy Policies. It can be a bit overwhelming, but it is necessary to fully comply with today’s laws.
  • Make your Privacy Policy easy to find. It shouldn’t be hidden on your website, for example behind a “legal documents” link in the footer.
  • Update your Privacy Policy regularly. Address any changes to privacy laws or your organization’s PII collection or use.

If all this sounds like a hassle, it’s a good idea to use an attorney. Even though it can get pricey, a licensed privacy attorney is always the best option for creating your Privacy Policy. Not only can they create your policy, but they can also offer legal advice along the way. Just remember to ask your attorney to monitor your policies regularly in case any new laws are passed.

However, we understand that may not be in the budget for every organization. In that case, generators are a far more affordable way to get your policies. While they can’t provide legal advice, a proper generator can learn enough about your organization to create a Privacy Policy with all the proper disclosures. We recommend Termageddon’s Privacy Policy Generator since it is founded by a privacy attorney, is affordable, and will auto-update your policies as the laws change.

Building a Strong Privacy Foundation for Your Nonprofit

A proper Privacy Policy is a great first step to establishing your nonprofit as an organization that cares for people’s privacy, but it’s not the only step. There are many additional things you can do to keep privacy as a core priority for your organization.

These include:

  • Understanding data collection and limitations
  • Securing donor trust through consent and opt-in mechanisms
  • Safeguarding sensitive information
  • Establishing responsible data retention and deletion
  • Cultivating a privacy-aware culture
  • Preparing for incidents

Let’s briefly examine each one and consider how you can implement it into your nonprofit’s privacy and security program.

Understanding Data Collection and Limitations

When it comes to privacy, one of the best things you can do is limit the amount of information you collect from people to just what’s needed and keep that information for only as long as it’s needed. Multiple privacy laws even require data minimization – ensuring that organizations collect only the PII that they need to fulfill a specific and legitimate purpose.

One of the best ways to do this is to go through every form or data-collecting feature on your website and ask yourself, “Do we really need this?”

Plus, limiting the amount of data you collect will also help with:

  • Making it easier for individuals to exercise their privacy rights (organizations won’t have to look for their data in huge databases)
  • Putting your organization at less risk of data breaches
  • Making it less costly if a data breach does occur

Once you’ve limited the amount of data your organization collects, it’s time to ensure that your website is transparent in its data collection processes.

Your Privacy Policy must state what data you collect and how you use it. Depending on what laws apply to you, you may also need to state where you obtain this data, whether or not it is shared or sold, and who it is shared with or sold to.

Being transparent also goes a long way in building trust with website visitors by showing them that you’ve got nothing to hide.

Securing Donor Trust Through Consent and Opt-in Mechanisms

A key aspect of privacy is giving individuals the ability to opt in/out of having their PII collected by websites. As mentioned previously, the data belongs to the individual, not the website or the organization.

Laws like GDPR have very stringent requirements on how websites should obtain explicit consent for data collection and processing.

Some of these include:

  • Individuals must not be tricked into giving consent (e.g., through pre-checked boxes)
  • Consent shouldn’t be bundled as a non-negotiable part of the Terms of Service (e.g., forcing a newsletter sign-up whenever a donation form is filled out)
  • Individuals must be free to withdraw consent at any time without detriment

You may also have noticed that more and more websites have cookie consent banners popping up. That’s because seven privacy laws currently require certain websites to have one to further protect the privacy rights of individuals.

According to these laws, a cookie consent banner must:

  • Have an “accept” and “decline” option (just having ‘okay’ is not compliant)
  • Clearly state what cookies a website is collecting and categorize them (marketing, functional, essential, etc.)
  • Be clearly visible and avoid dark patterns

If your nonprofit is required by these laws to have a cookie consent banner, not doing so can be costly. Organizations both big and small have been penalized in the past with fines ranging from €50,000 for placing around 60 cookies on a user’s device without prior consent to Microsoft being fined $60 million for their cookie practices.

If you need a cookie consent banner for your nonprofit, you can get one via Termageddon and Usercentrics.

Safeguarding Sensitive Information

Once you’ve limited the amount of data your website is collecting (with consent), it becomes the website’s responsibility to keep that data protected from things like data breaches, ransomware, etc.

Some best practices when it comes to website security are:

  • Encrypting data in transit with an SSL/TLS certificate (HTTPS)
  • Limiting administrative access to only those who need it
  • Using strong passwords with two-factor authentication
  • Backing up your files
  • Implementing secure storage practices for donor information
  • Conducting regular security audits and taking proactive measures to prevent unauthorized access

Establishing Responsible Data Retention and Deletion

It’s never a good idea to store people’s data for an indefinite period. Not only will this take up storage space and make it harder to manage people’s privacy rights, but several privacy laws require websites to establish data retention periods and specifically state how long data will be stored within their Privacy Policy.

Here are the steps you need to take when coming up with clear guidelines for data retention periods:

  • Identify the privacy laws that apply to your website and see if they dictate how long you can retain data
  • Identify where your data is located and classify it
  • Establish when and how data should be deleted (e.g., if a person who is not a donor unsubscribes from your newsletter, there is no reason to keep their data, and it should be deleted)
  • Create a space for legal holds (data held in case it’s needed for a lawsuit)
  • Establish clear roles and responsibilities for who is responsible for data organization and deletion
  • Establish security measures for your data and train your employees to prevent accidental security breaches

Just like when you cut up an old credit card, it is important to dispose of people’s data responsibly.

Best practices include:

  • Shredding printed materials or CDs
  • Using software to destroy all data from computers and other magnetic storage (before a computer is disposed of)
  • Creating logs and records for when and how data was disposed of
  • Ensuring employees are trained on the importance of data disposal

Several privacy laws also make it clear that individuals have the right to request data deletion and the right to be forgotten. Nonprofits sometimes find it tricky to know how to handle these requests.

It is also important that you create a procedure document that can help streamline the process and ensure nothing is forgotten. This document should include a list of the privacy rights that your organization offers to individuals, a list of who should be contacted regarding privacy rights, your procedures for verifying identity, the ability to designate an authorized agent, when you can refuse a privacy rights request, and email templates that can be used to respond to individuals.

You should also create a procedure for responding to any privacy rights requests.

This should include the following steps:

  • Verify the individual’s identity
  • Review all databases where the individual’s information is stored (have a list ready)
  • Compile all of the information requested or perform the tasks needed to exercise the individual’s privacy rights
  • Email the individual the appropriate template (listed above)

Cultivating a Privacy-Aware Culture

Employee training has been mentioned throughout this blog a few times already. That’s because the very nature of data means that it just takes one employee to cause a breach, violation, or security problem. That’s why privacy training should be included as part of an employee’s onboarding process and cover topics such as:

  • Purpose of training
  • Definition of privacy
  • Why care about privacy
  • Information classifications
  • A list of PII types being collected
  • How PII can be used
  • PII transmission and sharing procedures
  • PII retention methods
  • PII destruction methods
  • The legal, regulatory, and contractual obligations for privacy
  • The consequences of non-compliance
  • Where to obtain additional information
  • Examples of common violations, especially among nonprofits

This training should also be paired with ongoing training and reminders to help employees and volunteers keep privacy in mind.

As you may have guessed (or not if you’ve made it this far), privacy isn’t the most exciting topic for most people. That’s why it’s crucial to foster an organization-wide respect for donor and supporter privacy. This starts at the top with the owners, directors, and managers making it clear that privacy rights should be respected at all times.

Preparing for Incidents

Nobody is perfect. Even with all the proper training and the utmost respect for privacy, accidents do happen. Data breaches can be devastating to a nonprofit from both a financial and reputation standpoint – and they certainly happen.

The Identity Theft Resource Center tracked 22 data compromises at nonprofits during the third quarter of 2023, which impacted more than 7 million people.

While you can’t always prevent an incident from occurring, there are steps you can take to be ready for one if it were to happen.

These include:

  • Classifying incidents into severity levels
  • Identifying the teams responsible for incident response (e.g., the computer response team, physical security personnel, and the team that communicates with clients and regulators), determining who these individuals are, and keeping their contact information on hand
  • Preparing for incidents by creating policies, implementing security tools, and training personnel
  • Filing an Incident Report Form upon discovering an incident and determining that an event is suspicious
  • Determining who needs to be notified, and when and how
  • Analyzing the incident to determine the right response
  • Creating a response strategy
  • Containing the incident to prevent further damage or intrusion (e.g., changing passwords)
  • Preventing further incidents (e.g., determining how it happened, closing off the incident site, shutting down the infected system, etc.)
  • Restoring affected systems
  • Documenting the incident
  • Preserving evidence
  • Notifying external parties
  • Assessing damage and cost
  • Reviewing and updating policies
  • Conducting training when an employee first starts and once per year thereafter; training should include a tabletop testing procedure

LIVE: How to Navigate Privacy Policies with Termageddon

There’s no getting around it: privacy can be complicated.

While there are tools that can help nonprofits get policies, a lot of the work of building a privacy-focused organization falls on the nonprofit itself. However, given the two main benefits of good privacy practices – protection from fines, lawsuits, and data breaches and building trust with potential donors and supporters – it’s worth it.

Join us as we chat about privacy policies in the nonprofit sector. Let us help you understand how to ensure your nonprofit is handling data with care, complying with privacy laws, and fostering a culture of transparency. We’ll be live on YouTube and Facebook!

Copyright © 2024 Liquid Web, L.L.C.
