Donations and Regulations: Privacy Policy Requirements for Nonprofits



Privacy policies are important for nonprofits! Here’s what you need to know.

Privacy and people’s data are on the tips of many tongues in the web-design business, and it’s for good reason.

Fines for privacy law non-compliance are quickly growing in number as governments across the globe are looking to better protect their residents’ data. While big businesses are certainly getting hit, small businesses account for a hefty portion of violations.

That’s because these smaller businesses usually don’t have the funds needed to keep a privacy attorney on hand to auto-update their website policies whenever a new privacy law is passed or an existing privacy law changes.

New Privacy Laws for Nonprofits

In 2023, six new privacy laws go into effect requiring new disclosures within your Privacy Policy if applicable to your business, and the fines for non-compliance are significant – starting at $2,500 per website visitor whose rights you’ve infringed upon.

Even websites for nonprofits that are used primarily for fundraising are required to have certain disclosures in their Privacy Policy. In this article (and webinar!), we will dive deep into what a nonprofit needs to provide policy-wise to help comply with laws and limit the website owner’s liability.

Please note that the following information is provided for informational purposes only and should not be considered legal advice. We recommend speaking to an attorney for help with your specific legal needs.

Your website is likely collecting data… and that’s not a bad thing

Most modern websites collect website visitor data, whether that simply be through a contact form to receive inquiries, through a third-party captcha tool to block spammers, or with an analytics tool to understand how users interact with your website.

Common features for nonprofits that collect regulated data:

  • Donation forms
  • Donor management tools
  • Email/newsletter subscription forms
  • Text-to-Give tools
  • Contact forms
  • Volunteer application forms
  • Event submission forms
  • Analytics

People’s names, email addresses, IP addresses, and more are regulated pieces of data under multiple privacy laws. Privacy laws regulate people’s data and require certain website owners to make very specific disclosures within their Privacy Policy.

It is very important to understand that privacy laws protect people and do not care where your business is located. In other words, privacy laws outside of where you are located could easily apply to you.

If you are collecting people’s data from other areas around the world, failure to provide the Privacy Policy disclosures required under those laws may result in a non-compliance penalty (fine or lawsuit). For example, if you’re collecting donations from California residents, California privacy laws may very well apply to you.

Collecting regulated data isn’t bad.

There is nothing wrong or bad about collecting regulated data! In reality, most businesses need to collect even the most basic information just so that they can properly run their business and provide users with a decent website experience.

That being said, the moment you collect that regulated data is the moment privacy laws can start applying to you, meaning you may be required to make very specific disclosures within your Privacy Policy to comply with those laws.

Having a proper Privacy Policy in place not only helps you comply with laws, but also helps you demonstrate to your users that you respect their privacy rights and are willing to be transparent about what information you’re collecting and how it’s being used.

Your website is likely sharing data (also not a bad thing)

Sharing data is not the same as selling data, and it is far more common than most website owners realize. For example, if someone were to submit a donation on your website, do you receive an email with that person’s contact details? Does that donor receive a ‘Thank You’ email? These are excellent examples of sharing data with an email service provider (like Gmail, Outlook, etc.).

Sharing data is quite common, and ensuring that you properly disclose this is a requirement under multiple privacy laws.

Common examples where nonprofit websites are sharing data with third parties:

  • Sending a newsletter to donors through a service such as MailChimp or Constant Contact
  • Sending donation receipts to donors through Gmail, Outlook or through your payment processor
  • Donor management tools that connect to Salesforce, Hubspot, MailChimp, etc.
  • Processing donations with a 3rd party payment gateway (Stripe, PayPal, etc.).

If you found yourself collecting and possibly even sharing data from the above examples, then our next webinar is made for you!

Learn best practices on what to disclose within your Privacy Policy by joining our webinar!

Rather than hiding from privacy law requirements, we recommend embracing them! Learn how to help limit your liability, comply with laws, and demonstrate your respect for your website visitors’ privacy rights!

In this webinar you will learn:

  1. When and why privacy laws may apply to a nonprofit organization;
  2. What disclosures one needs to make within their Privacy Policy;
  3. Overview of other important policies, such as a Cookie Policy, Terms and Disclaimer;
  4. How to obtain comprehensive policies for your website;
  5. How to establish a strategy for keeping your policies up-to-date with newly required disclosures; and
  6. How web agencies can help educate and protect their clients with website policies as well.

*This article and webinar are not legal advice and are intended for educational purposes only.

This article was originally posted on

ABOUT THE AUTHOR – Hans Skillrud

Hans is the cofounder of Termageddon, an auto-updating Privacy Policy generator company, where he oversees partnerships and business development. When he isn’t teaching other web designers about the importance of website policies for clients, you can find him working on Arduino projects or hiking outdoors.