Why your nonprofit website needs a Privacy Policy

We're very happy to share a guest blog post from Donata Stroink-Skillrud, Esq., CIPP, co-founder of Termageddon. I met Donata at a WordPress event in 2019 and learned about how Donata (an attorney) and her partner Hans (a WordPress developer) put their heads together to create this brilliant service. Termageddon helps you create the policies you need, and automatically updates them to reflect changes in privacy laws. We highly recommend it!

by Donata Stroink-Skillrud, Esq., CIPP, co-founder of Termageddon

You have probably seen the “we have updated our Privacy Policy” emails or agreed to a Privacy Policy when making a purchase online and may be wondering whether your nonprofit’s website needs one as well. Being a nonprofit does enable you to opt out of certain requirements that apply to for-profit businesses, but having a Privacy Policy is not something you can opt out of.

While it is true that some privacy laws do not apply to nonprofits, many privacy laws do not provide such exemptions. In this post, we will discuss which websites need to have a Privacy Policy and what laws apply to nonprofits based in the United States or the European Union so that you can make the best decision for your organization.

Which websites need to have a Privacy Policy?

Websites that have a contact form or a newsletter sign-up form collect Personally Identifiable Information (PII). PII is any data that could be used to identify someone or any data relating to an identified person. Examples of PII include name, email, phone number, or physical address. Privacy laws have been created to protect the PII of consumers and, if those laws apply to you, your website needs to have a Privacy Policy that makes certain disclosures. If you do not have a compliant Privacy Policy, you could be fined anywhere from $2,500 per violation (per website visitor) to €20,000,000 or more in total.

Which privacy laws apply to nonprofit organizations?

When discussing compliance, you first want to have a good understanding of which laws apply to you before you start implementing solutions. Privacy laws are a bit different from what you are probably used to, in the sense that they were created to protect the consumers of certain states and countries, not the businesses. This means that the laws of a particular state or country may apply to your organization even if you are not based there. The following privacy laws can apply to nonprofits:

  1. The General Data Protection Regulation (GDPR) is the European Union law that protects the privacy rights of residents of the European Union. GDPR does not have an exemption for nonprofits and is a highly enforced privacy law, with dozens of decisions and fines being levied. GDPR applies to you if you: 
    • Are located in the European Union; 
    • Offer goods or services to European Union residents, regardless of your location; 
    • Monitor the behavior of European Union residents, regardless of your location; or 
    • Process and hold the personal data of European Union residents, regardless of your location. 
  2. California Online Privacy Protection Act of 2003 (CalOPPA) applies to any commercial website that collects the PII of California consumers. The “commercial” qualifier does not simply mean “applies to for-profit businesses only”; the law may also apply to nonprofits whose websites:
    • Promote business activities unrelated to the nonprofit; 
    • Include paid advertising; or 
    • Solicit new members who may receive a commercial benefit not related to your nonprofit’s exempt purpose in return for their dues. 
  3. Nevada Revised Statutes Chapter 603A protects the personal information of Nevada consumers and applies to both for-profit and nonprofit organizations. Even though this law applies to websites operated for business purposes, Nevada’s law does not state that nonprofits are exempt from it. The Nevada privacy law and its amendment apply to “operators,” which are defined as any person who:
    • Owns and operates a website or online service for business purposes; 
    • Collects and maintains the personal information of consumers who reside in Nevada and use or visit the Internet website or online service; and 
    • Purposefully directs its activities towards Nevada, consummates a transaction with the state of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution. 

As you can see, there are quite a few laws that apply to nonprofit websites that collect PII online and require such websites to have a Privacy Policy. Furthermore, as consumers put more pressure on legislators to protect their privacy, more and more states are proposing their own privacy bills. Some of these bills will affect nonprofit organizations as well as for-profits. In fact, eleven states have proposed privacy bills as of the writing of this article.

If you have a website that’s collecting PII such as names, emails, or phone numbers through a contact form or a newsletter sign-up form, your website should have a Privacy Policy. Doing so will help prevent fines and lawsuits and will provide your visitors with a clear sign that you take their privacy rights seriously.

NOTE: As an agency partner with Termageddon, Surelutions will receive a small commission if you decide to sign up for their services through our link. We only share links to products and services that we personally recommend to our own clients and have found to be reliable, professional, and high quality.