June 15, 2022

Why nonprofit organizations need to have a Privacy Policy

If you are running a nonprofit organization, you probably wear many hats and are responsible for things ranging from welcoming new members and donors to ensuring that all of your fundraising events go off without a hitch. One item that is often overlooked by nonprofits is website compliance and ensuring that your website has an up-to-date and accurate Privacy Policy. In this article, we will discuss why nonprofit organizations should consider having a Privacy Policy for their website, including which privacy laws can apply to nonprofits and why consumers expect the websites they visit to have Privacy Policies.

What is a Privacy Policy?

Chances are that you have seen many websites that have a Privacy Policy and may have even agreed to a few when submitting your Personally Identifiable Information (PII) to a company, but you may be wondering what a Privacy Policy actually is. A Privacy Policy is a document that explains a company’s privacy practices, mainly what PII they collect, what they do with that PII and who they share it with. Companies usually have a Privacy Policy to comply with the privacy laws that apply to them, which require a Privacy Policy to provide certain information to people using the website. Companies also have a Privacy Policy to assure their website visitors that their website is legitimate and that their PII will be used only in accordance with the Privacy Policy.

What is Personally Identifiable Information?

Websites that collect Personally Identifiable Information (PII) need to have a Privacy Policy. PII is any data that could identify someone. Examples of PII commonly collected by nonprofit websites include names, emails, phone numbers, billing addresses, and IP addresses. This information is commonly collected through contact forms, email newsletter sign up forms, event sign up forms, and donation forms.

Do nonprofits need to update their Privacy Policies?

With over a dozen proposed privacy bills in the United States (some of which could apply to nonprofits), it is also important that your organization keeps track of proposed privacy bills, laws, and their requirements. For example, Quebec’s Bill 64, which will go into effect on September 1st, 2023, applies to persons who collect, hold, use or share the PII of residents of Quebec in the course of carrying on an enterprise, which is defined as both commercial and non-commercial activities, meaning that this new law can apply to nonprofit organizations as well. If your organization needs to comply with this new law or if any bills become laws, you need to make sure that you have a strategy to keep your Privacy Policy up to date with newly required disclosures.

Which privacy laws require nonprofits to have a Privacy Policy?

The purpose of privacy laws is to protect the privacy of consumers, not organizations. This means that privacy laws have a very broad reach and can apply outside of the state or country in which those privacy laws are passed. While many privacy laws apply to for-profit businesses, nonprofit organizations may be subject to the following privacy laws:

  • General Data Protection Regulation (GDPR) – this privacy law protects the privacy of residents of the European Union and applies to you if you:
      • Are located in the European Union;
      • Offer goods or services to European Union residents, regardless of your location (and also regardless of whether payment is received for such goods or services); or
      • Monitor the behavior of European Union residents, regardless of your location (if your website uses analytics, you may be monitoring the behavior of EU residents as they use your website).
  • United Kingdom’s Data Protection Act 2018 (UK DPA) – this privacy law protects the privacy of residents of the United Kingdom and applies to you if you:
      • Are located in the United Kingdom;
      • Offer goods or services to United Kingdom residents, regardless of your location (and regardless of whether payment is received for such goods or services); or
      • Monitor the behavior of United Kingdom residents, regardless of your location (if your website uses analytics, you may be monitoring the behavior of UK residents as they use your website).
  • Australia Privacy Act 1988 – your organization will need to comply with this law if you have a connection to Australia and have an annual turnover of more than AUD $3,000,000, provide a health service to a person, or sell or purchase PII.

If the above privacy laws apply to you, then you will need to follow the requirements of those laws, one of which is to have a Privacy Policy. One of the consequences of not having a Privacy Policy is the potential for being fined. Fines for privacy law violations range from $2,500 per website visitor to a total of €20,000,000 or more. And, if you think only large companies such as Facebook or Google are being fined for non-compliance, that is not the case. Organizations with as little as one employee have been fined for non-compliance. In addition, you will need to ensure that your Privacy Policy contains all of the disclosures required by the privacy laws that apply to you.

Website user expectations

The last reason why you should consider having a Privacy Policy is to meet the expectations of the individuals visiting your website. Individuals are increasingly looking to ensure that the companies to whom they provide their PII take their privacy seriously. For example, a study by Cisco found that 32% of respondents have switched from one company to another because of privacy practices. Another study found that 7 in 10 Canadians refuse to provide their PII to a company over privacy concerns. Lastly, a study by Techradar found that 40% of consumers are concerned about what happens to their data when using eCommerce or payment portals online. Not having a Privacy Policy could mean a smaller email list, fewer donors, and less engagement with your nonprofit over privacy concerns. Thus, when thinking about whether to have a Privacy Policy for your website, make sure to keep the privacy concerns of website users top of mind as well.

Disclaimer: the information provided in this article is for informational purposes only and does not constitute legal advice. Please consult with your attorney for help with your specific legal needs.


Donata Stroink-Skillrud Esq., CIPP

Chair of the ePrivacy Committee of the American Bar Association.

Donata is a licensed attorney and Certified Information Privacy Professional, as well as the Chair of the Chicago Bar Association’s Privacy and Cybersecurity Committee.

Lastly, Donata is a member of the American Bar Association’s Science and Technology Council and a member of the ABA’s Cybersecurity Legal Task Force.

Interests outside of work: beekeeping, morel hunting, gardening and reading books about mountain climbing and submarines.