Charity organizations do important work that often involves data collection and processing, like organizing call lists, collecting emails for newsletters, or analyzing user engagement to determine the effectiveness of events and campaigns.
It’s important to communicate how your charity uses personal data in a privacy policy so you can align with any applicable data privacy laws and keep your potential clients or donors properly informed.
Below, I explain how you can make a privacy policy for charities, what should go into one, the laws that might impact it, and more.
Creating a Privacy Policy for Charities
To start, let me briefly go over some different ways you can make a privacy policy for your charity website.
Use a Privacy Policy Generator
One of the easiest ways to make a customized charity privacy policy is to use Termly’s Privacy Policy Generator.
Our generator asks simple questions about your organization and how it processes personal data, and creates a unique policy based on your answers.
We update it regularly to stay on top of new and evolving data privacy laws, and it’s vetted by our legal team and data privacy experts.
It’s important to note that some charities may be subject to additional laws that may not apply to for-profit businesses. Industry-specific regulations may also apply.
For guidance on legal compliance, consider consulting a lawyer or privacy expert.
Use a Privacy Policy Template
Some Charity organization leaders might prefer to use Termly’s free privacy policy template.
It requires more work than the generator but is still easy to use and incredibly customizable.
Just download the template, manually fill in the blank sections with details about your Charity and edit and remove parts that don’t apply to you.
You can also add or adapt any language as necessary.
Write Your Own Privacy Policy
You can also write your privacy policy on your own, but this should only be done if you have a strong understanding of data privacy laws and a lot of technical knowledge.
If you make a mistake or leave something out, you may be putting your Charity organization at risk of violating privacy laws, which could lead to significant fines.
Remember to use basic language so all users can understand what they’re agreeing to.
For more info, read our guide on how to write a privacy policy in nine easy steps.
What Is a Privacy Policy?
A privacy policy is a document that informs people about what personal data your business collects, why, and how it gets used.
These legally required documents need to outline specific information, especially if you fall under any data privacy laws.
While the specific clauses you must include will change depending on the laws that apply to you, most privacy policies include the following details:
- What personal data you collect
- Why you collect the personal data
- If you share or sell the data to third parties
- Who the third parties are
- What rights users have over their personal data
- How users can act on their rights over their data
- Your company contact information
Which Privacy Laws Affect Charities?
If your charity is a for-profit business, then any privacy law could impact it. If your charity is not for profit, some privacy laws still apply, while others explicitly exempt them:
- Colorado Privacy Act (CPA): The CPA applies to not-for-profit charities that process the personal data of more than 100,000 consumers annually or derives revenue from selling data of more than 25,000 consumers.
- California Consumer Privacy Act (CCPA): Typically, the CCPA does not apply to charities. However, non-profit charities may be affected indirectly if they are under contract as data processors on behalf of a data controller.
- Virginia Consumer Data Protection Act (VCDPA): The VCDPA exempts not-for-profit charities. But charities working with businesses subject to this law may be impacted, for example, if they’re under contract as a processor for a controller.
- Connecticut Data Privacy Act (CTDPA): This law typically doesn’t apply to charities, but there may be exceptions for specific types of data processing or partnerships with for-profit entities
- Oregon Consumer Privacy Act (OCPA): The law’s final text and applicability to nonprofits may vary, so review any exceptions or thresholds that could affect nonprofit organizations.
- Utah Consumer Privacy Act (UCPA): Not-for-profit charities are exempt from the UCPA. But, like other exemptions, charities may face privacy obligations under contract with for-profit businesses.
Charities must also review sector-specific regulations, for example:
- Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry.
- Children’s Online Privacy Protection Act (COPPA) for interacting with children.
- Family Education Rights and Privacy Act (FERPA) for the field of education.
Does Your Charity Website Need a Privacy Policy?
Some charities need a privacy policy, but for others, it may not be necessary.
If your charity meets the legal threshold of any data privacy laws or if you collect a lot of data from individuals, then you should have one posted on your charity website.
Even if no laws apply to your charity, it’s best to be honest about how your website collects and processes personal information from visitors by presenting them with a basic privacy policy.
This allows them to make an informed choice about if they want to continue using your site or not, which ultimately builds trust by showing users you’re respectful of their privacy.
What Should You Include In Your Charity Website’s Privacy Policy?
While the specific information in your charity privacy policy will vary based on the laws that impact you, here’s a quick summary of the most common clauses.
What Data You Collect
All privacy policies say what data is collected, and your charity’s privacy policy is no different.
This is a basic requirement of most privacy laws, including the CPA and CCPA.
Use a bullet list or table to neatly communicate all personal information your charity organization uses, which may include details like:
- Full names
- Email addresses
- Home addresses
- Payment information
- Birth dates
- Political or religious affiliations
How You Collect Data
Privacy laws like the CPA and CCPA also obligate organizations to say how you collect personal data, which might include:
- Directly from the consumer
- From third party sources
- From social media posts
- Through publicly available information
- Through the use of cookies or other internet trackers
Your policy should clearly list all ways your charity gathers information and remember to include in-person events like silent auctions, dinners, and galas.
Why You Collect Data
You should also explain why your charity collects personal data in your privacy policy.
Under laws like the GDPR, this is known as your legal basis.
If a supervisory authority audits your charity, you’ll be responsible for proving that the data is being used for the purposes you included in your privacy policy.
If You Sell or Share Data
Also referred to as a third-party clause, your privacy policy needs to explain if your charity sells or shares data with any third parties, as required by laws like the CCPA.
It should include a list of the categories of data you share and the categories of the third parties.
If you don’t share or sell data, this clause should clearly say as much.
Cookies and Other Trackers
Most websites today use internet cookies to function and to collect and analyze information about user activity. Charity websites are no exception.
If you’re using cookies or other trackers, you need to say so in a clause in your privacy policy.
Depending on what laws apply, you might also need a separate cookie policy, which you can link to directly in this clause.
Information About Consumer Rights
Your charity’s privacy policy needs to explain to users what rights they have over their personal information and how they can follow through on those rights.
This is required by nearly every privacy law, and if more than one applies to you, consider making separate clauses for each specific regulation, so it’s easy for consumers to know what information applies to their specific case.
Your Charity’s Contact Infoow Termly Helps! rmation
Finally, you should include your charity’s contact information in your privacy policy so people can reach out to you if they have questions or concerns.
You might consider providing people with a working email address, an active phone line, and a mailing address.
Whatever you choose, make sure the communication channel is properly monitored and genuinely respond to inquiries.
Where To Display Your Charity’s Privacy Policy
Your charity’s privacy policy should go in a few places throughout your website, but the primary goal is to link it wherever data collection occurs, which can include:
- Website footer: This is a static place on your website. Posting your privacy policy here ensures users can access it from any page.
- Donor forms: If you collect any data when accepting donations, add a link to your privacy policy so people can see and read it before giving their information.
- Account creation pages: These pages often collect personal data from users, so add a link to your privacy policy here.
How Termly Helps!
For some charities, having a privacy policy is a legal necessity. But being honest with people about how your charity uses their personal information is also the right thing to do.
Make sure your website is set up with a policy that keeps people properly informed and aligns with any applicable laws by using resources like Termly’s Privacy Policy Generator.
It’s a quick, affordable way to make a privacy policy for your charity organization with ease.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
