
Privacy Policy for Nonprofit Organizations

Nonprofit Privacy Requirements 2026

Nonprofits collect some of the most sensitive personal data of any organization type: donor payment history, beneficiary health and circumstance data, and volunteer background check information. A proper privacy policy is both a legal requirement and a trust-building essential.

Last updated: March 2026
14 min read
Reviewed by nonprofit attorneys
GDPR and US state law coverage
Used by 5,000+ nonprofits
Donor and beneficiary guidance

Quick Answer: Do Nonprofits Need a Privacy Policy?

Yes, and often more urgently than for-profit businesses. Nonprofits handle donor payment data, beneficiary health and financial records, volunteer background checks, and grant application data. Several federal laws (COPPA for child-serving nonprofits, HIPAA for health-focused nonprofits) may apply. State charity registration laws in California, New York, and other states impose donor data disclosure requirements. GDPR applies if you accept donations from EU supporters. And most major foundations require a published privacy policy before awarding grants.

Why Nonprofits Need a Privacy Policy

Many nonprofit leaders assume privacy policies are only for technology companies or e-commerce businesses. This is a costly misconception. Nonprofits are data-intensive organizations that collect personal information from multiple stakeholder groups, often including highly sensitive categories of data.

The reasons a nonprofit needs a formal privacy policy extend well beyond legal compliance:

Legal Compliance

State charity laws, GDPR (for EU donors and beneficiaries), COPPA (if serving children), and HIPAA (if handling health data) all impose privacy obligations.

Donor Trust

Donors want to know their payment information is secure and their personal details will not be sold to other charities or fundraising firms. A clear policy builds confidence and increases giving.

Grant Funding

Major funders, including the Gates Foundation for its grantees, and government grant programs often require a published privacy policy as a prerequisite for funding eligibility.

Beneficiary Protection

Beneficiaries, particularly vulnerable populations, have a right to understand how their information is used and who can access it. A privacy policy formalizes these protections.

Donor Data: What Your Policy Must Cover

Donor data is the foundation of nonprofit fundraising. It is also a category of personal information that donors have strong expectations about. Your privacy policy must be specific about what donor data you collect, how you use it, and critically, what you do not do with it (such as selling or renting donor lists).

| Data Type | Common Uses | Sensitivity Level |
|---|---|---|
| Name and address | Gift acknowledgment letters, tax receipts, direct mail | Moderate |
| Email address | Donation receipts, newsletters, campaign appeals | Moderate |
| Donation amount and date | Tax receipts, donor wall recognition, major gift cultivation | High (financial) |
| Payment card data | Processed by payment processor; recurring donation setup | Very high |
| Employer and matching gift info | Employer matching gift requests, cultivation research | Moderate |
| Donor notes and capacity ratings | Major gift fundraising, internal prospect research | High (internal) |

Many nonprofits engage in prospect research, using public records and wealth screening tools to estimate donor giving capacity. If your organization does this, your privacy policy must disclose that you may collect or infer financial and professional information from publicly available sources for fundraising purposes.

Did you know?

The Association of Fundraising Professionals (AFP) Code of Ethics states that donor information should not be sold or shared with other organizations without explicit donor consent. Your privacy policy should explicitly state whether you rent, exchange, or sell donor lists, and whether you share data with affiliated organizations or co-branded campaigns.

Volunteer Data

Volunteer management creates a distinct category of personal data that your privacy policy should address separately from donor data. Volunteers typically provide more detailed personal information than donors because of the closer relationship they have with the organization.

  • Application data: Skills, availability, work experience, references, and motivation statements collected during volunteer onboarding.
  • Background check data: For nonprofits working with vulnerable populations (children, elderly, people with disabilities), criminal background check results are collected. This is sensitive data requiring strict access controls and retention policies.
  • Health and accommodation data: Some volunteers disclose health conditions, disabilities, or dietary restrictions. This is special category data under GDPR and requires explicit consent.
  • Volunteer hours and activity records: Used for grant reporting, recognition programs, and IRS documentation for volunteer services valuation.
  • Emergency contact information: Name, relationship, and phone number of a contact to notify in emergencies. Requires specific disclosure since this involves data about a third party.

Beneficiary Data: The Most Sensitive Category

Beneficiary data is typically the most sensitive data a nonprofit handles. Depending on your mission, you may collect health information, immigration status, mental health history, financial circumstances, family composition, trauma history, housing status, or criminal justice involvement. This data demands the strictest privacy protections and the most carefully written privacy policy language.

Your privacy policy must address:

  • What data is collected: Be specific. If you serve immigrants, disclose that immigration status may be documented. If you provide mental health services, disclose that treatment records are kept.
  • Who can access it: Specify which staff roles have access to beneficiary files (case managers, program directors, board members) and whether partner organizations can access data.
  • Government reporting: Many nonprofits are required to report aggregated data to government funders. Clarify whether individual beneficiary data is reported and under what circumstances identifiable data is shared.
  • Beneficiary rights: Beneficiaries have the right to access their own records, request corrections, and understand how their data is used. Your policy should include a simple process for exercising these rights.
  • Photography and testimonials: If you use beneficiary photos or stories in fundraising materials, you need explicit consent. Your policy should reference your consent process for this use.

Did you know?

If your nonprofit provides health-related services and receives federal funding, you may be subject to HIPAA even if you are not a traditional healthcare provider. Federally Qualified Health Centers (FQHCs), nonprofits that handle protected health information as part of federally funded programs, and organizations that use electronic health records for service delivery are often covered entities or business associates under HIPAA.

Grant Applications

Grant applications involve a two-way flow of sensitive information. Your organization provides detailed financial, programmatic, and organizational data to funders. In some cases, grant applications require data about the populations you serve, which may include individual beneficiary information.

Your privacy policy should address grant-related data processing in these ways:

  • Aggregate vs. identifiable data: Grant reports should use aggregated, de-identified statistics about program participants whenever possible. If identifiable data is required by a funder, this must be disclosed to beneficiaries and consented to.
  • Funder data access: Some grant funders require site visits or program audits that may involve reviewing beneficiary files. Your policy should note that anonymized data may be shared with funders for reporting and evaluation purposes.
  • Grant management platforms: If you use platforms like Fluxx, Submittable, or Foundant to manage grant applications, these platforms store your organizational data and must be listed as data subprocessors in your policy.

Email Marketing to Supporters

Most nonprofits use email to communicate with donors, volunteers, and supporters. This email marketing activity is subject to CAN-SPAM for US-based senders and GDPR for EU recipients. Your privacy policy must cover your email communications practices.

Required email disclosures for nonprofits:

  • Name your email service provider (Mailchimp, Constant Contact, Salesforce Marketing Cloud, or similar).
  • Explain the types of emails you send: newsletters, donation appeals, event invitations, program updates, tax receipt summaries.
  • Confirm that donors who request to stop receiving fundraising emails will be removed from appeal lists within a reasonable timeframe (10 business days is the CAN-SPAM standard).
  • Disclose whether you segment email lists (e.g., sending different messages to major donors vs. first-time donors) and whether you use behavioral data to personalize appeals.
  • Note that transactional emails (donation receipts, event confirmations) may still be sent even to supporters who have opted out of marketing emails.

GDPR for International Donations and Volunteers

GDPR is not just a concern for European nonprofits. Any US-based or international nonprofit that accepts donations from EU residents, corresponds with EU volunteers, or serves EU beneficiaries must comply with GDPR. The regulation applies based on where the data subject is located, not where the organization is based.

  • Legitimate interests vs. consent: For existing donors who have an ongoing relationship with your organization, legitimate interests may be a valid legal basis for sending fundraising communications under GDPR Article 6(1)(f). For new contacts, consent is typically required.
  • Special category data: Beneficiary health data, immigration status, and similar sensitive information is special category data under GDPR Article 9. Processing this data requires explicit consent or another specific exemption (such as substantial public interest).
  • Data transfers: If your nonprofit is US-based and uses US-based CRM systems (Salesforce, Bloomerang, Little Green Light), EU donor data is being transferred to the US. Your policy must reference the transfer mechanism used.
  • Representation: EU nonprofits and US nonprofits with significant EU operations may need to appoint an EU Representative under GDPR Article 27 if they do not have a physical EU presence.

State Charity Registration Requirements

Forty states require nonprofits to register before soliciting donations from their residents. Several of these states have specific provisions about donor data that go beyond general privacy law requirements.

| State | Key Requirement | Donor Data Provision |
|---|---|---|
| California | AG registration + CCPA compliance for large nonprofits | Must disclose if donor lists are rented or sold |
| New York | Nonprofit Revitalization Act; CHAR500 annual filing | Board data governance requirements |
| Illinois | Charitable Trust Act registration required | Donor list practices must be disclosed on request |
| Texas | Registration required for solicitations over $25,000 | Transparency in how donations are used |

Did you know?

The California Consumer Privacy Act (CCPA) exempts nonprofits from its main consumer rights provisions, but California nonprofits are still subject to the California Online Privacy Protection Act (CalOPPA), which requires a privacy policy disclosing what personal data is collected and how it is used. Large nonprofits with for-profit activities may also lose the CCPA exemption for those activities.

5 Common Privacy Policy Mistakes by Nonprofits

Mistake 1: Not addressing beneficiary data separately from donor data

Nonprofits often write a single privacy policy section about 'personal information we collect' without distinguishing between the very different data types and sensitivity levels of donor, volunteer, and beneficiary data. Beneficiary data deserves its own section with stronger protections.

Mistake 2: Failing to disclose prospect research and wealth screening practices

Many nonprofits use DonorSearch, iWave, or similar prospect research tools that compile publicly available financial and professional information about donors. This constitutes personal data collection that must be disclosed, yet most nonprofit privacy policies do not mention it.

Mistake 3: Not specifying whether donor lists are shared or sold

Donors frequently worry about their information being passed to other charities without consent. Your privacy policy must state explicitly whether you share donor lists with affiliated organizations, co-promotion partners, or list rental agencies, and provide an opt-out mechanism.

Mistake 4: Using a for-profit business privacy policy template

Generic business privacy policy templates are written for commercial data processing purposes. They omit critical nonprofit-specific categories: beneficiary data, volunteer background checks, grant reporting, charitable solicitation disclosures, and the specific legal bases that apply to charitable organizations.

Mistake 5: Not obtaining consent for using beneficiary photos in fundraising

Many nonprofits use photos and stories of beneficiaries in appeals and annual reports without documented consent. Your privacy policy should reference your consent process for this use, and internally you should have signed consent forms on file for every beneficiary whose image or story you use.

How to Create a Privacy Policy for Your Nonprofit

1. Map all stakeholder data types

Create a data inventory for each stakeholder group: donors, volunteers, beneficiaries, staff, board members, grant funders. For each group, document what data is collected, why, who accesses it, and how long it is kept.

2. Identify applicable laws

Determine which laws apply to your nonprofit based on the populations you serve (COPPA for children's programs, HIPAA for health services), your location (state charity laws), and your donor and beneficiary geography (GDPR for EU connections).

3. Write separate sections for each stakeholder group

Donor data, volunteer data, and beneficiary data have different sensitivity levels and legal requirements. Write a distinct policy section for each group rather than lumping all personal data together.

4. Address donor list practices explicitly

State clearly whether you rent, sell, or exchange donor lists with other organizations. If you do not, say so plainly. This is one of the most frequent concerns donors have, and a clear statement builds significant trust.

5. Have legal counsel review the policy

Given the sensitive nature of beneficiary data and the multiple laws that may apply, nonprofit privacy policies benefit significantly from attorney review, particularly if you serve vulnerable populations or operate internationally.

Frequently Asked Questions

Do nonprofit organizations need a privacy policy?

Yes. Nonprofits collect personal data from donors, volunteers, and beneficiaries. Several laws apply depending on the organization's activities: state charity registration laws, GDPR for EU connections, COPPA for child-serving programs, and HIPAA for health-related services. Most major grant funders also require a published privacy policy.

What donor data does a nonprofit privacy policy need to cover?

A nonprofit privacy policy must cover donor names and contact information, donation amounts and payment history, payment processing details, whether donor information is shared with third parties, recurring donation data, whether names and gift amounts appear in public recognition, and how donors can request anonymity or data removal.

How should a nonprofit handle beneficiary privacy?

Beneficiary data is typically the most sensitive data a nonprofit handles, potentially including health information, immigration status, and financial circumstances. Your policy must explain what data is collected, who has access, how long it is retained, whether it is shared with government agencies or partner organizations, and how beneficiaries can request access or correction of their records.

Does GDPR apply to nonprofits?

Yes. GDPR applies to any nonprofit that processes personal data of EU residents, regardless of where the nonprofit is based. Nonprofits are not automatically exempt from GDPR simply because they are charitable organizations.

Do state charity registration laws require a privacy policy?

Several states have requirements that effectively mandate privacy disclosures for registered charities. California and New York have the most rigorous requirements. Many states require charities to disclose whether they rent, exchange, or sell donor lists. Even where the law does not explicitly require a privacy policy, most major grant funders do.
