Does a Nonprofit Need a Privacy Policy on Their Website?

Yes. A nonprofit needs a Privacy Policy on its website whenever the site collects and uses personal data. The policy is how you show compliance with the laws that protect personal data online, and it is the promise your donors and users will hold you to.

This article discusses what a Privacy Policy is, how it benefits your nonprofit, the privacy laws that require one, and how to write a Privacy Policy for your nonprofit.

What Is a Privacy Policy?

A Privacy Policy is a legally recognized document that details how a website collects, uses, and shares the personal data of its users.

Examples of information that a Privacy Policy for nonprofits should contain include:

  • Data collection: explains why you need users' personal data and which information you ask for
  • Data use: explains how the collected data is used and whether it is sold or shared with third parties
  • Data security: details how the data is stored and encrypted, and what other safeguards protect it
  • User consent and rights: explains that users give their personal data voluntarily, informs donors and other users of their rights over the information they provide, and tells them how to opt out at will

What Kind of Personal Data Requires a Nonprofit to Have a Privacy Policy?

You need a Privacy Policy if your nonprofit website has any of the following features, since each of them collects Personally Identifiable Information (PII):

  • Donation form
  • Email subscription
  • Contact form
  • Volunteer sign-up form

How Does a Privacy Policy Help Your Nonprofit?

There are many ways a Privacy Policy benefits your nonprofit. A Privacy Policy:

Promotes Transparency and Trust

A Privacy Policy that is easy to find on your website lets visitors and supporters see exactly what you do with their data. They will be more comfortable providing the information you ask for once they see that you have a Privacy Policy and have published it on your site.

Helps You Plan Ahead

A well-crafted Privacy Policy tells your users what to expect. Writing it also forces you to think through what information you collect, why you collect it, and how you keep it safe.

Improves Data Management Procedures

Drafting a Privacy Policy pushes you to write the internal guidelines for managing, storing, and deleting donor and user data that back it up. That helps safeguard the data itself, and it reduces the disputes that arise when data is mishandled.

Keeps You Safe From Legal Battles

Users may sue your nonprofit even over an accidental misuse of their data. A well-drafted Privacy Policy that you actually follow is strong evidence in any dispute about personal data. The wording and placement of the policy on your website must therefore meet the standards set by the laws that apply to you.

What Privacy Laws Require a Privacy Policy for a Nonprofit?

Specific laws require nonprofits to have a Privacy Policy. Some laws exempt nonprofits outright, but even those laws reach a nonprofit that collects or processes data on behalf of a covered third party. These laws include:

Colorado Privacy Act (CPA)

Unlike several other state privacy laws, the CPA does not exempt nonprofits. It applies to your nonprofit if it controls or processes the personal data of more than 100,000 consumers in a calendar year, or if it derives revenue (or a discount) from the sale of personal data and processes the personal data of 25,000 or more consumers.

California Consumer Privacy Act (CCPA)

CCPA applies to for-profit businesses, so it does not directly cover your nonprofit. However, its obligations reach your organization if it acts as a service provider (the CCPA's term for a data processor) handling personal information on behalf of a covered business.

General Data Protection Regulation (GDPR)

GDPR applies if your nonprofit is established in the EU, or if, from outside the EU, it offers goods or services to people located in the EU or monitors their behaviour (for example through analytics or tracking). Citizenship is irrelevant: what matters is that the person is in the EU when you collect the data, and the law applies even though your organization operates outside the EU.

Virginia Consumer Data Protection Act (VCDPA)

The VCDPA exempts nonprofit organizations. However, the exemption does not help if your nonprofit works with businesses that are subject to the VCDPA, specifically when it is under contract as a data processor on behalf of a data controller: the controller is required to flow the law's processor obligations down to you by contract.

What Information and Clauses Should You Include in a Privacy Policy for Your Nonprofit?

A few things have to be done right for your Privacy Policy to protect both your organization and your users.

Here are some important clauses and information your Privacy document should include:

Data Collection

This section explains the types of data you collect. Here you commit to collecting only the information you need, and to keeping it only for as long as you need it.

Collecting more data than necessary puts your organization at risk: every extra field is something you must protect, and something that is exposed if you are breached. Several privacy laws also bind you to collect only the data necessary for the stated purpose (GDPR calls this data minimisation).

Remember to tell your donors how you plan to use the information. Transparency creates donor loyalty and promotes trust between parties.

Review the data collection forms on your website periodically. Forms accumulate fields over time, and a periodic review ensures you still collect only what you need.

Here is an example from David C. Cook's Privacy Policy explaining the data it collects from users. The clause also explains when the data is collected and why:

[Screenshot: David C. Cook Privacy Policy, information-collection clause]

User and Donor Consent

Personal information is sensitive. Give users a clear, affirmative way to consent before you collect their data. Duping donors or users into handing over data destroys trust and may attract legal action.

Remember that personal information belongs to the user, not to your website. The law is therefore strict about how consent is obtained.

Some of the things that privacy laws prohibit include:

  • Using pre-checked boxes to collect personal information (consent must be an active choice, not a default)
  • Bundling consent into non-negotiable Terms and Conditions
  • Preventing users from withdrawing consent (offer an opt-out that is as easy as opting in)

Here is a good example from The Greater Boston Food Bank's Privacy Policy, which states plainly that the organization asks users to provide information voluntarily and that no user is under any obligation to provide it:

[Screenshot: Greater Boston Food Bank Privacy Policy, information-collection clause]

Here is another example, from St. Jude Children's Research Hospital. Its Privacy Policy lets users opt out at will:

[Screenshot: St. Jude Privacy Policy, choices clause]

Data Protection

After limiting what you collect, the next step is to protect what you keep from breaches.

Some of the best practices to keep your website data safe include:

  • Encrypting data in transit (HTTPS/TLS on every page, not just the donation form) and at rest
  • Using strong, unique passwords for every account
  • Limiting administrative access to the people who need it
  • Requiring two-factor authentication, at minimum for administrative accounts
  • Backing up data and testing that the backups restore
  • Carrying out regular security audits and applying updates promptly
  • Monitoring for and blocking unauthorized access

Here is an example of a clause from the Student Conservation Association's Privacy Policy outlining how it protects user data:

[Screenshot: Student Conservation Association Privacy Policy, security clause]

Inform Users How You Share the Collected Data

This information belongs in the Data Sharing clause. Tell your users whether you collect data on behalf of a third party and whether you sell their data. If you sell or share the data with parties outside your country, say so.

You can list the types of information you share and name the parties you share it with. For international data sharing, you must understand the applicable laws: GDPR, for instance, applies if you collect data from people in the EU, and it restricts transfers of that data out of the EU to countries without an adequacy decision unless safeguards such as standard contractual clauses are in place.

Here is an example from The END Fund. The clause tells users that the nonprofit may share data with its European counterpart and with other service providers, and commits to keeping the shared data safe:

[Screenshot: The END Fund Privacy Policy, international transfer clause]

Data Retention and Deletion Periods

You can't keep people's data forever. Doing so increases storage costs, enlarges the impact of any breach (data you no longer hold cannot leak), and makes it harder to honour users' privacy rights.

Additionally, several privacy laws require organizations to set data retention periods.

To arrive at a workable Data Retention Period clause, follow these steps:

  1. Identify the laws that apply to your nonprofit and check whether they set rules on data retention
  2. Establish where all of your data is stored, including backups and third-party services
  3. Classify the data by the type of information it contains
  4. Set your deletion rules. For instance, there is no reason to keep marketing data for users who have opted out
  5. Mark data you must keep for legal reasons, such as a pending lawsuit or tax records, as exempt from routine deletion
  6. Assign a specific employee to organize, delete, and manage data
  7. Train your workers on the importance of privacy to prevent avoidable breaches

Again, The END Fund does this well. The nonprofit clearly sets out its data retention period and policy:

[Screenshot: The END Fund Privacy Policy, data retention clause]

It's also standard practice to dispose of user data responsibly. The following guidelines help you manage data disposal:

  • Shred any printed materials in your possession
  • Use certified data-erasure software to wipe data from decommissioned computers and storage media
  • Keep records or logs showing what data was destroyed, when, and how
  • Train your employees on the importance of proper data disposal
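The retention steps above and the disposal log just described can be mechanised rather than left to memory. The following is an added example (not code from any of the nonprofits quoted in this article): a small retention check that classifies records by category, applies a retention period per category, purges marketing data for users who opted out while keeping the donation records that accounting still needs, exempts records under legal hold, and writes a disposal log entry for every deletion. The category names, the retention periods, the `secure-delete` method label and the sample records are all constructed for illustration and are not legal advice.

```python
"""Retention and disposal check for donor and user records (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Days each category is kept after the last collection or activity (steps 3 and 4).
# Illustrative values; set yours from the laws identified in step 1.
RETENTION_DAYS = {
    "donation": 7 * 365,      # financial records kept for tax and audit purposes
    "newsletter": 2 * 365,    # marketing consent records
    "contact_form": 365,      # enquiries
    "volunteer": 3 * 365,     # volunteer sign-ups
}

# Categories an opt-out must purge immediately. Donation records are excluded:
# a marketing opt-out does not remove the need to keep accounting records.
PURGE_ON_OPT_OUT = {"newsletter", "contact_form", "volunteer"}


@dataclass
class Record:
    record_id: str
    category: str
    collected_at: datetime
    opted_out: bool = False
    legal_hold: bool = False              # step 5: kept for legal reasons
    last_active: Optional[datetime] = None


@dataclass
class DisposalLog:
    """Disposal guideline: record what was destroyed, when, why and how."""
    entries: list = field(default_factory=list)

    def add(self, record: Record, reason: str, now: datetime) -> None:
        self.entries.append({
            "record_id": record.record_id,
            "category": record.category,
            "reason": reason,
            "destroyed_at": now.isoformat(),
            "method": "secure-delete",    # assumption: how the backing store erases rows
        })


def decide(record: Record, now: datetime) -> tuple[str, str]:
    """Return ("retain" or "delete", reason) for one record under the policy above."""
    if record.category not in RETENTION_DAYS:
        # Unclassified data has no retention rule; refuse rather than guess (step 3).
        raise ValueError(f"unclassified category: {record.category!r}")
    if record.legal_hold:
        return "retain", "legal hold"
    if record.opted_out and record.category in PURGE_ON_OPT_OUT:
        return "delete", "user opted out"
    anchor = record.last_active or record.collected_at
    if now - anchor > timedelta(days=RETENTION_DAYS[record.category]):
        return "delete", "retention period expired"
    return "retain", "within retention period"


def run_retention(records: list[Record], now: datetime, log: DisposalLog) -> list[Record]:
    """Apply the policy to every record, logging each deletion; return the survivors."""
    kept = []
    for rec in records:
        action, reason = decide(rec, now)
        if action == "delete":
            log.add(rec, reason, now)
        else:
            kept.append(rec)
    return kept


def sample_records(now: datetime) -> list[Record]:
    """Constructed sample data for the demonstration; not real donor records."""
    def days_ago(days: int) -> datetime:
        return now - timedelta(days=days)
    return [
        Record("r1", "donation", days_ago(400), opted_out=True),       # kept: finance record
        Record("r2", "newsletter", days_ago(30), opted_out=True),      # deleted: opt-out
        Record("r3", "contact_form", days_ago(500)),                   # deleted: expired
        Record("r4", "contact_form", days_ago(500), legal_hold=True),  # kept: legal hold
        Record("r5", "volunteer", days_ago(2000), last_active=days_ago(10)),  # kept: active
    ]


def demo() -> tuple[list[str], list[dict]]:
    """Run the policy over the sample data at a fixed date; return kept ids and the log."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log = DisposalLog()
    survivors = run_retention(sample_records(now), now, log)
    return [r.record_id for r in survivors], log.entries


if __name__ == "__main__":
    kept_ids, entries = demo()
    print("kept:", kept_ids)
    for entry in entries:
        print("destroyed:", entry)
```

The two decisions worth noticing are the ones a naive "delete on opt-out" script gets wrong: the opted-out donor's financial record survives because the retention rule for that category comes from accounting law, not from marketing consent, and the expired contact-form record under legal hold survives because the hold overrides the calendar. Run it against a real export only after the categories in `RETENTION_DAYS` match the classification from step 3.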

Lastly, establish a written procedure that streamlines deleting data and answering rights requests. Make sure this Disposal Procedure document lists every privacy right your Privacy Policy grants.

The document should also set out how you verify the identity of a person making a rights request, and when a request may be refused (for example, when the requester cannot be verified as the person the data is about). It can also hold the email templates you use when responding to rights requests.

The Disposal Procedure document matters in disputes about privacy rights: it is your evidence of how requests were handled if you face a lawsuit alleging a violation of those rights.

External Links

External links are hyperlinks that send your visitors or users to another domain. As a nonprofit, you have no control over what the other website does.

Your Privacy Policy should therefore carry a disclaimer informing users that they follow links to external sites at their own risk, and that you are not responsible for the privacy practices or content of third-party websites.

A clear disclaimer makes it much harder for users and donors to hold your nonprofit responsible for damage or data breaches arising from their use of a third-party site, whether through your dispute-resolution procedure or in court. It does not, however, excuse you from choosing your third-party service providers with care.

Here is an example of an external links disclaimer from Team Rubicon. The nonprofit distances itself from data breaches that may arise on the third-party sites it links to:

[Screenshot: Team Rubicon Privacy Policy, links clause]

Keep it Simple and Visible

Though this is not a clause to include, keeping your Privacy Policy simple and visible is essential to producing a document that holds up.

Write your Privacy Policy in plain language that every visitor can read and understand. Complex vocabulary and legal jargon invite misunderstandings and, later, disputes.

Your Privacy Policy should also be easy to find. Good places to link it on your website are:

  • Website footer: the footer is static and reachable from every page
  • Privacy center: if your nonprofit has many legal policies, a Privacy Center lets donors and other users view all of them in one place
  • Donations page: donors can read your Privacy Policy before they provide their personal information

Here's an example. This nonprofit has placed its Privacy Policy link on the donations page, so donors can read the document before donating and handing over their personal information:

[Screenshot: donation form with Privacy Policy link]

Summary

As a nonprofit, you need a Privacy Policy. A website Privacy Policy is a legally recognized document that outlines how your nonprofit collects, uses, and shares the personal data of donors and users.

Your Privacy Policy also contains information related to user rights and data security.

Besides helping your nonprofit comply with legal requirements governing data privacy, a Privacy Policy enhances donor trust, shields you from legal battles, and helps you create data management procedures.

To ensure that your Privacy Policy meets the required standards, include clauses that adequately protect your organization, your donors, and your other users.

The clauses and information to incorporate in your document should include:

  • The personal data you collect and how you use it
  • How you obtain user and donor consent
  • How you protect user data
  • How you share the collected data
  • Data retention and deletion periods
  • Use of external links

Remember to keep your Privacy Policy simple and visible. Avoid complicated language and legal jargon that users may not understand, and place the link to the document where users can easily see it on your website.