Nonprofit Privacy Policy: What to Include on Your Organization’s Website

Does your nonprofit need a privacy policy? What should be included in a privacy policy? When does it need to be updated?

We’ll tackle all these questions and more in this how-to guide, but first — since this guide covers legal topics — we need to include our “this is not legal advice” disclaimer. Be advised:

What is a Privacy Policy and who needs one?

Many countries, states, and other jurisdictions are passing laws intended to protect individuals’ private data as they use the internet. Many of these laws require that if a website collects personal information, the website must have a clearly posted Privacy Policy.

This personal information is typically referred to as Personally Identifiable Information (PII), and includes:

• Names
• Emails
• Phone numbers
• Addresses

Some laws also include non-personal data in the definition of PII, such as:

• IP addresses
• Financial transaction or ecommerce order IDs
• Location data
• Personal data that has been de-identified, encrypted or pseudonymised but could be used to re-identify a person

What laws require a privacy policy?

The list of laws that require websites to have a privacy policy is constantly growing. This makes keeping up requirements challenging, particularly in smaller organizations with a budget or staff expertise for focused attention to legal compliance.

Here are some examples of laws that may impact your organization, both in the US and beyond:

US States:

• California Online Privacy Protection Act of 2003 (“CalOPPA”)
• The California Privacy Rights Act (CPRA)
• Nevada Revised Statutes Chapter 603A
• Delaware Online Privacy and Protection Act (“DOPPA”)
• Virginia Consumer Data Protection Act (“VCDPA”)
• Colorado Privacy Act
• Utah Consumer Privacy Act
• Connecticut SB6

Outside the US:

• European Union: General Data Protection Regulation (“GDPR”)
• UK: UK Data Protection Act (UK DPA)
• Canada: Personal Information Protection and Electronic Documents Act (“PIPEDA”)
• Australia: Australia Privacy Act of 1988

It’s important to understand that privacy policies are not focused on where the website owner (e.g. your nonprofit organization) is located. Instead they are focused on where the website user is located. This means that a website owned and based in the US may need to comply with privacy laws from jurisdictions outside the US, in order to protect the privacy rights of visitors who live in those other countries.

Do nonprofit websites need a privacy policy?

The simple answer to this question is Yes: nonprofit websites need privacy policies in the same way other websites do.

If your nonprofit website contains any of the following features, you will likely need a privacy policy:

• Contact form
• Donation form
• Volunteer sign-up form
• Email subscription form (more on email sign-up forms here)
• Website analytics

For example, simply using Google Analytics on your website means that you are required to disclose its use in a privacy policy.

What are the benefits of having a privacy policy?

There are several other clear benefits to developing, publishing, and updating a privacy policy for your nonprofit:

Build trust with your audience

Sharing a privacy policy builds trust with your website visitors and donors, and demonstrates transparency. A good privacy policy will help website visitors understand what personal data is being collected, how it is used, and how it will be safeguarded.

Help your organization plan and maintain data hygiene

Creating a privacy policy will encourage your organization to take stock of what personal data is being collected and think through how it being used, stored, and shared. This is a helpful exercise and often reveals opportunities to streamline internal operations and tighten data security.

Compliance with online privacy laws

Publishing and updating a privacy policy is often the first step towards staying in compliance with online privacy laws, like the examples listed above.

Legal protection

A privacy policy can help provide basic legal protection in the event of a dispute regarding your website.

What should a privacy policy include?

In the next section we share some recommendations about how to create a privacy policy, many of which involve tools created by experts that will ensure you cover all the right topics. But before that, let’s review some of the basic categories of information that make up a comprehensive privacy policy:

• Clearly identify the website owner (likely your nonprofit organization) and the website address (or addresses if you have satellite sites or subdomains) that the privacy policy applies to.
• The date on which the privacy policy was last updated (the effective date).
• A list of visitor data collected (e.g. name, email address, etc.). Remember to include both data that is actively submitted by visitors, and other data that is collected directly like website analytics data.
• How the data is stored and protected.
• Whether the data is shared with third-parties (this might include your email marketing platform, or your donation processing platform).
• What tracking or data collection tools your website uses (e.g. Google Analytics, Hotjar, Facebook pixel).
• Whether, and how, users can opt-out or withdraw consent for their data to be stored or processed.
• Whether, and how, users will be notified of updates to the privacy policy in the future.

How to create a privacy policy

Creating a privacy policy is complex, and wherever possible the resulting policy should be reviewed by an attorney who is familiar with your organization. There are various privacy policy templates and privacy policy generators out there, but not all will produce a quality product that meets the needs described above.

Can we use a privacy policy template or a free policy generator?

We recommend that you do not use a privacy policy template you find on the internet. Similarly, we recommend that you do not use another organization’s privacy policy as an example and edit the details.

Free, “simple” privacy policy templates or generators are likely to produce a privacy policy that is not actually compliant with privacy laws, or are compliant with a single law only. While the cost may be attractive, a privacy policy that does not address today’s complex online privacy law landscape will not protect your organization, and may leave you looking less trustworthy to website users.

Additionally, many “free” privacy policy generators are not actually free, and will upsell you the features and disclosures you need to create a compliant privacy policy. Proceed with caution!

Consider how you will update your privacy policy

With the speed and frequency of new online privacy laws taking effect, creating a privacy policy is no longer a one-time task. This means you should plan for how often you will revisit and update your privacy policy, both to keep up with changes in privacy law, and to reflect how your website data practices may be changing.

Our recommendation: Try Termageddon

We recommend the privacy policy solution developed by Termageddon to our clients. Termageddon is co-owned by a licensed attorney who also serves as the Chair of the American Bar Association’s ePrivacy Committee. The company is the longest-running Privacy Policy generator listed as a vendor by the International Association of Privacy Professionals (iapp).

Termageddon offers a per-website license that provides a privacy policy that updates automatically as new privacy laws come into effect, and the team will alert you as new laws pass so you can stay in compliance.

Your Termageddon license also provides additional legal policies for your website, including legal disclaimers, terms and conditions, and a cookie policy.

As a Termageddon partner, we can share a 10% discount on your first year of service, which you can access by signing up using this link.

After you sign up, you’ll be guided through the Termageddon onboarding questionnaire, which asks the questions necessary to generate your privacy policy. Here’s a screenshot from the second stage of the generator, where you are defining the individual categories of data you collect:

If the Termageddon onboarding questionnaire recommends that you also need a cookie Consent Management Platform for your website, your Termageddon license will also provide free access to the entry-level tier of the UserCentrics cookie consent platform.

Once Termageddon has generated your privacy policy, you’ll see the embed code you can use to add this to your website. If you click the Advanced button, you’ll see some additional options to customize how the Privacy Policy is rendered: these can be helpful to match the style of other content on your website.

Here are some tips on embedding the privacy policy code on popular website platforms:

• WordPress: create a new page and use a Custom HTML block to add the embed code to your Privacy Policy page. Note that WordPress now includes configuration to specify the location of your Privacy Policy page, in the Settings > Privacy section of your dashboard. Make sure to select your Privacy Policy page and add it to your WordPress settings there.
• Squarespace: Create a new page for your Privacy Policy and add the embed code in a Code block. Note that with the current Squarespace pricing structure you will need to use a Business level plan or higher to access the Code block.
• Wix: Create a new page for your Privacy Policy and from the Add Elements menu, select Embed Code, and then Embed HTML. Paste the embed code in this page element.

And finally, don’t forget to link to your Privacy Policy! A link to the Privacy Policy page should be included in your website footer, and you should also provide the privacy policy link alongside any form where website users are submitting their personal information, such as email subscription forms and donation forms.