Why You Need a Website Privacy Policy in 2023 (and how to create one)

Website privacy policies can be confusing or daunting for nonprofits to understand. They might be recommended by a website designer or tossed around at a nonprofit conference as a hot topic.

Still, when it comes to implementing a privacy policy on the website, many are left wondering what to do or where to start. 

When searching for guidance to give a client on this topic, I was surprised to find that most of the information online was either out of date or, at best, a quick summary that offered little practical advice. Protecting user data, managing data collection, and responsibly using personal information are the responsibility of every nonprofit and website owner. Unfortunately, privacy law in the United States is often misunderstood or misconstrued, and most nonprofits overlook the area altogether. 

Just because you're not a major corporation doesn't mean you don't need to prioritize your website visitors' privacy and have a robust, legally drafted privacy statement available for review at all times.  

*Disclaimer: I am an affiliate for The Contract Shop, which means that when you purchase a product from them, I receive a small commission. However, they have not compensated me for this post or asked me to write this information. I genuinely believe in the products they offer and recommend them to everyone!

Sample Nonprofit Privacy Policy

If you came to the post simply to see a sample privacy policy, I'm linking the one I use below. However, please understand that every organization should customize a privacy policy to fit its own needs. All nonprofits collect and use data in different ways. They use different payment processors, website platforms, and have different policies around data privacy. Because I’m an LLC and not a nonprofit organization, my policy includes different sections that may not be applicable to you.

It's fine to start with a legal privacy policy template (in fact, I recommend it). However, it will need to be customized to fit your particular organization. 

Here's a sample privacy policy: One Nine Design Privacy Policy

Questions To Ask And Answer Before You Write Your Website Privacy Policy

Before you buy a privacy policy template or create one from scratch, you'll need to answer a few questions. Use a simple Google Doc to work through this list and record your answers so you can refer to it later when working on your specific privacy policy. 

1. What type of information do you collect from your website? 

2. How do you use the information you collect? 

3. Why do you collect that specific information?

4. Do you ever share the information, and if so, with whom?

5. How long do you keep the information, and how do you protect the data? (It's always good to mention your cookie policy here.)

6. What rights do users of your website have when it comes to sharing personal data?

7. Do you collect email addresses, and if so, where is that information stored and how is it used? (For those in the EU, or who do business or communicate with people in the EU, understanding GDPR compliance and what it entails is critical.)

It can be difficult at first to work through this list. Let's look at a couple of examples that might help. 

Let's say you're a nonprofit that provides food to low-income residents in your community. You have a standard website that offers information about your organization and how to access services, solicits funds, and recruits volunteers. With that in mind, let's answer the questions listed above. 

1. You collect information from website users whenever someone visits your website. Your website platform (and likely third-party tools) records the user's IP address, the type of browser they used to access the site, their internet service provider, the pages they viewed, the links they clicked, and the forms they filled out. Additionally, if the user made a financial gift, you've collected additional personal data such as their address, email address, credit card information, personal notes on the donation form, and fund designation. If they filled out a form to request information or volunteer, you've also collected that additional information. 

If they left your website for a social media site, you may have collected that data and tracked their activity off your website through a Facebook Pixel or similar tracking mechanism. Likewise, if you have a mobile app in an app store, there are additional disclosures you'll want to include. 

2. If you're collecting information from potential volunteers, you're using that information to contact them regarding volunteer opportunities. If you're collecting financial data, you need it to process that transaction and the gift. You may also use the data to send email updates, engage with them on social media, and analyze trends as you evaluate your website's performance, sometimes through third-party tracking technologies like Google Analytics. 

3. The primary reason you collect information is to deliver your service - the thing that your nonprofit does in your community. You may also use the information to work with a third party - for instance, your email service provider like MailChimp or ConvertKit. 

4. Most people jump to say, "No, we never share the information you give us." However, that's usually not the case, and it's okay to say, "Yes, and here's how and why we share it." For example, if you have a volunteer who regularly reviews submitted forms, you are sharing that information with another person, but it's for a legitimate purpose. The law may also require you to share the information at some point. Lastly, do you ever hire an outside agency to help you with marketing or advertising using programs like Google AdSense? If so, they are likely to ask you for data to support their campaign development – data sharing you're required to disclose. 

5. I've mentioned data retention and data protection/storage policies on the blog before (9 policies every nonprofit needs), and your privacy policy is another place you'll need to disclose this information. You'll need to state how long you retain the data, how you handle requests to have data deleted, and how you secure the personally identifiable information you store. 

6. It's imperative to disclose people's rights to their own data. For example, if a donor wants to see the file you have on them, will you share it? How long will it take you to prepare the file? Will anything be excluded? This section also includes a person's right to be excluded from receiving email, physical mail, solicitations, etc. 

7. Newsletter privacy should be explicitly explained in your privacy policy. Users should understand how their contact information is added to newsletter lists, what to expect, and how to unsubscribe. 

Why A Free Nonprofit Privacy Policy Generator May Not Be Helpful

A quick Google search of privacy policy examples produces some interesting search results, namely some "free" privacy policy generators that have the potential to create a false sense of security around this topic. 

One of the more popular sources for "free privacy policy generators" makes it very clear on its homepage that it is not a law firm and that no one in the legal field has reviewed the policies. To me, this is a huge red flag. It's fine to state that your product does not constitute legal advice - many companies need to make that statement. 

Most nonprofits do not have the budget to hire a lawyer to create specific policies, and that's okay. However, there are still ways to have legally binding policies for your organization without breaking the budget. 

Another drawback of the free privacy policy generators is that they are often limited to a specific number of website visitors. Once this number is exceeded, you are required to pay for an additional level of access, which can sometimes exceed the fee you would have paid outright for a professional, legally reviewed privacy policy. 

The best compromise I've found is to recommend The Contract Shop. All of their contracts are created by an attorney and peer-reviewed by attorneys. They are a great middle ground between hiring an attorney yourself and using a generic free version found online. 

8 Sections To Include In Your Website Privacy Policy

As a reminder, here are the eight primary sections you want to ensure you include in your website privacy policy. 

1. Disclose the type of information you collect, and detail how user consent works. 

2. Detail how you use the information you collect.

3. Clearly state why you use the information you collect. 

4. Be honest about how you disclose their information and why.

5. Distinguish between how you use the information directly and what you share with third parties like donation processors.

6. Address data retention and data security measures.

7. Clearly state the user's rights with respect to personal data.

8. Don't forget to address email newsletter privacy.

And a bonus section - oh California! The state of California has its own regulations that apply to California residents. Because we never know who might use our website, it's best to include a section about the California Consumer Privacy Act to cover all your bases. 


Website Privacy Policy vs. Website Terms and Conditions

A quick note here on distinguishing between a website privacy policy and website terms and conditions. 

Essentially, a website privacy policy centers around the end user's rights - the person visiting your website. However, website terms and conditions are more about your website and you. Website terms and conditions are like the rules for using your website. 

Some common items we see included in website terms and conditions include (but are not limited to):

  • General provisions like how old you need to be to visit the website (generally, 16 years of age is a good guideline unless you have mature content).

  • An intellectual property notice that makes it clear how your IP can and can't be used

  • Security disclaimers that disclose the inherent risk of sharing personal or sensitive data online

  • Legal disclaimers to protect you regarding the content you share

  • Contact information for your organization 

Final Thoughts on A Website Privacy Policy For Nonprofits

These parts of running an organization are less fun and shiny than putting on that fantastic event or celebrating the completion of a fundraising campaign. However, every organization must uphold the data privacy laws of its state and country. Doing so protects your organization and your donors, volunteers, program participants, and the community members who support you. 

Please consider your own policies and take action on your next step. Here are a few ideas to move forward:

1. If you have a current privacy policy, ensure it's updated and displays the current date. 

2. If you still need to create a privacy policy, work to get one in place in the next 30 days. You can consult a local attorney or use a privacy policy template from The Contract Shop and personalize it to fit your organization. 

3. Avoid free solutions if you can. Remember, if it's free, you're probably the product. 
