Nonprofit organizations are impacted by various laws, some of which require an accurate, updated privacy policy.
While some data privacy laws directly apply to nonprofits that meet the legal thresholds, others impact them if they’re under contract with third-party entities as data processors.
Below, I walk you through what you need to know about making a privacy policy for a nonprofit, including what goes into one, what laws to consider, and more.
Creating a Privacy Policy for Nonprofits
You can make a privacy policy for your nonprofit using an automated solution, a template, or writing it yourself.
Managed Solution
The easiest way to make a privacy policy is to use a managed solution, like Termly’s Privacy Policy Generator.
Using a generator takes the guesswork out of knowing what should go into your privacy policy because it automatically includes that information based on your answers to basic questions.
The policy updates for you automatically when you make changes via the Termly dashboard.
However, nonprofits are subject to additional laws that might not impact for-profit businesses. Industry-specific statutes and regulations may also apply.
Nonprofits should consider consulting a lawyer or privacy expert for additional guidance on legal compliance.
Template
Nonprofits can also use a privacy policy template to help jumpstart creating their policy.
Templates are already properly formatted for you and include common clauses.
You just manually fill in blank sections with information about your organization, remove clauses that aren’t necessary, and add information as needed to ensure compliance.
See what it looks like below.
Make sure you don’t leave anything out and remember to manually update it whenever your data processing activities change so it remains accurate and honest.
Write It Yourself
You can write your own privacy policy for a nonprofit; this requires extensive legal knowledge.
If you leave something out, privacy laws could hold you accountable, so be cautious.
To help make the process easier for you, I’ve outlined some tips and best practices you can follow if you decide to write your policy:
- Tip 1: Ensure you know all laws that apply to your nonprofit and what they require from your privacy policy.
- Tip 2: Format your policy using clearly labeled clauses and a table of contents so users can find necessary information as needed.
- Tip 3: Write using simple language and avoid legalese or unnecessary jargon so the information is accessible for all users to read and understand.
- Tip 4: Use bullet lists or tables to present complex information to your users in easier ways, like a list of all data you collect and your purpose for doing so.
- Tip 5: Plan to regularly review your privacy policy and update it as necessary whenever laws or your processing activities change.
- Tip 6: Have a privacy lawyer or expert vet your privacy policy to ensure it fully complies with all applicable laws.
Do Nonprofits Need a Privacy Policy?
Some nonprofits need privacy policies, but not all are required to have one.
For example, nonprofits that collect personal information and fall under the threshold of specific laws need compliant privacy policies.
Otherwise, you might get fined for violating the law.
Posting a privacy policy also helps your organization build trust with users by transparently presenting them with your data processing activities.
This gives your users a chance to read about your protocols and make an informed choice about whether they’re okay with having their personal information collected and used by you.
But, if your nonprofit does not collect, process, or use personal information, having a privacy policy can still show your commitment to being open and honest about privacy practices.at Impact Nonprofit Privacy Policies
Laws That Impact Nonprofit Privacy Policies
Nonprofits are subject to specific laws that impact privacy policies and are exempt from others.
However, the laws they’re exempt from can still impact nonprofits if they’re under contract with a data controller acting on their behalf as a data processor.
In these scenarios, the nonprofit must treat the data following whatever privacy law applies to the data controller.
I’ve compiled a list of consumer privacy laws and how they directly or indirectly apply to nonprofits in the table below.
| Consumer Privacy Law | Impact on Nonprofits |
| Colorado Privacy Act (CPA) | The CPA applies to nonprofits that meet certain one of the following thresholds:
|
| California Consumer Privacy Act (CCPA) | Generally, the CCPA does not apply to nonprofits.
However, nonprofits may be affected indirectly if they are under contract as data processors on behalf of a data controller. |
| Virginia Consumer Data Protection Act (VCDPA) | The VCDPA exempts nonprofits.
However, nonprofits working with businesses subject to the VCDPA might be impacted, especially if they’re under contract as data processors on behalf of a data controller. |
| Connecticut Data Privacy Act (CTDPA) | The CTDPA generally does not apply to nonprofits.
However, there may be exceptions for specific types of data processing or partnerships with for-profit entities. |
| Oregon Consumer Privacy Act (OCPA) | The law’s final text and applicability to nonprofits may vary, so review any exceptions or thresholds that could affect nonprofit organizations. |
| Utah Consumer Privacy Act (UCPA) | Nonprofits are exempt from the UCPA.
But, like other exemptions, nonprofits may still face privacy obligations if they contract with for-profit businesses. |
The following table lists laws that aren’t comprehensive consumer privacy laws that still often apply to nonprofits and may impact their privacy policies or data processing activities.
| Law | Impact on Nonprofits |
| Colorado Protections for Consumers of Charity Care Act | Although not a comprehensive privacy law, this Colorado statute is relevant for nonprofits in the healthcare sector. It regulates how hospitals (including nonprofit hospitals) manage consumer data and charity care. |
| Nevada Privacy Law | Nevada’s privacy law is more limited in scope and generally does not apply to nonprofits.
But it focuses on online data sales, so nonprofits may engage in activities captured by the law if they sell personal data online. |
| Massachusetts Data Breach Notification Law | Massachusetts requires all organizations, including nonprofits, to notify affected individuals and the state attorney general if there’s a data breach.
While this isn’t a comprehensive privacy law, it applies to any organization handling personal information. |
| New York SHIELD Act | The SHIELD Act applies to any entity that handles the private information of New York residents, including nonprofits.
It imposes data security requirements rather than specific consumer privacy rights, but nonprofits must comply with safeguarding data under this law. |
| Illinois Biometric Information Privacy Act (BIPA) | While BIPA focuses on biometric data, it applies to any private entity, which could include certain nonprofits, especially those collecting biometric data such as fingerprints or facial recognition data.
It requires informed consent before collecting biometric data and restricts its use and sharing. |
While many U.S. state-level privacy laws explicitly exempt nonprofits, organizations should still exercise caution.
Nonprofits might be indirectly affected by these laws if they sign contracts with businesses that are subject to following them.
It’s also essential for nonprofits to review sector-specific regulations, for example:
- Health Insurance Portability and Accountability Act (HIPAA) for healthcare.
- Children’s Online Privacy Protection Act (COPPA) for organizations interacting with children under 13.
- Family Education Rights and Privacy Act (FERPA) for education.
Because of the added complexity, I recommend nonprofits consult a lawyer or data privacy expert to ensure their processing activities are legally compliant.
Information to Include in a Nonprofit Privacy Policy
While the exact details of your privacy policy depend on your unique nonprofit and the laws that apply, I’ve compiled a list of the most common clauses for you to consider below.
What Personal Data You Collect
You should list what personal data you collect in a clause in your nonprofit’s privacy policy. Format it using a bullet list or table so it’s easy for users to read through and understand.
How You Collect the Data
Privacy laws like the Colorado Privacy Act require you to explain how you collect personal data in your privacy policy.
For example, you might collect data through online forms, by deploying internet cookies on browsers, or when users fill out donation forms.
Why You Collect the Data
You must explain your purpose for collecting personal data in your privacy policy.
For example, you might collect data for marketing and research purposes, to enhance the user experience, or to complete contractual obligations with consumers.
Under most laws, you cannot process data for reasons outside of these purposes without informing the consumer and obtaining their express consent.
If You Sell or Share Personal Data
You must state if you sell or share personal data with any third-party entities directly in your privacy policy.
You should include a list of the categories of data you share with the third parties and the categories of the third parties themselves.
Information About Consumer Rights
Privacy laws require you to explain what rights your users have over their data directly in your privacy policy.
You must also explain how they can follow through on those rights.
If your nonprofit is subject to following more than one law, consider adding a clause for each one so your consumers from those regions can easily locate the rights that apply to them.
Nonprofit Contact Information
You should include your nonprofit’s contact information in your privacy policy so consumers know how to reach you if they have questions, comments, or concerns.
Where to Display Your Nonprofit Privacy Policy
Your nonprofit’s privacy policy should always be easy for users to find, so consider putting it in the following accessible locations:
- Website footer: Most websites link their privacy policy in the footer because this is a static place that users can access from any page while navigating your site.
- Pop-up consent banners: Linking to both your cookie and privacy policy on a consent banner ensures your users automatically see the document upon entering your website.
- Privacy center: If your nonprofit has a lot of legal policies and you want your users to locate them quickly, add a privacy center to your site that hosts all applicable documents, including your privacy policy.
- Wherever data collection occurs: Link to your privacy policy wherever you collect data from users, like checkout forms, account creation portals, and newsletter signups.
Summary
Nonprofits collecting, processing, or using personal information should have a comprehensive privacy policy.
It’s possible that privacy laws could directly or indirectly require you to have one, but your users also expect to find one on your website or in your app.
When it comes to data privacy, nonprofits have additional laws and regulations they must consider beyond comprehensive consumer privacy laws.
Remember to keep this in mind when you go to make your own.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
