
Does a Nonprofit Need a Privacy Policy on Their Website?

Donata Stroink-Skillrud

Co-founder and President of Termageddon


If you visit almost any website, there’s a good chance you’ll see a Privacy Policy link sitting in the footer. That’s because most websites collect Personally Identifiable Information (PII) from their users. PII is any data that could be used to identify a person, or any data relating to an identified person.

Examples of how websites commonly collect PII include:

  • Collecting names, phone numbers, and email addresses via a “Contact Us” form;
  • Collecting IP Addresses via an analytics tool like Google Analytics;
  • Collecting names and email addresses for a newsletter;
  • Collecting payment information for donations/payments. 

As collecting the PII of website users has become more common, so have privacy laws designed to protect that PII. Many of these laws require websites that collect PII to have a Privacy Policy in place that informs users how and why their PII is being collected. This is done through a series of disclosures specific to each privacy law. Failing to include them could result in a website owner being fined $2,500 per violation (that is, per website visitor). And that’s where the fines start!

Of course, that’s only if the privacy laws apply to you in the first place, and that’s where nonprofits come into play. It’s a common misconception that nonprofits are exempt from privacy laws (and therefore don’t need a Privacy Policy). While it is true that some privacy laws do not apply to nonprofits, several do.

Which privacy laws apply to nonprofit organizations?

Before we jump into the individual laws, it’s important to note that privacy laws work a bit differently from what you are probably used to as a nonprofit. Privacy laws were created to protect the consumers of certain states and countries, not the businesses or organizations located there. This means that the law of a particular state or country can apply to your organization even if you are not based there.

All that to say, don’t immediately disregard any of the privacy laws listed below just because the state or country in the name is different from where your nonprofit is located. Simply collecting one email address (or any other PII) from a resident of that location could require your nonprofit to comply with that law.

The following privacy laws can apply to nonprofits, requiring them to have a Privacy Policy: 

General Data Protection Regulation (GDPR)

GDPR is a privacy law that went into effect on May 25, 2018, with the goal of protecting the personal data of residents of the European Union.

You need to comply with GDPR if: 

  • Your nonprofit is located in the European Union; 
  • You offer goods or services to European Union data subjects, whether or not payment is required, regardless of where your nonprofit is actually located; or
  • You monitor the behavior of European Union residents, regardless of where your nonprofit is actually located.

Because GDPR applies based on whose data is processed rather than where the data controller or processor is located, you must comply with its requirements if your nonprofit meets any of the conditions above.

U.K. Data Protection Act (UK DPA)

The UK DPA is a privacy law created to protect the privacy of residents of the United Kingdom. Before the United Kingdom left the European Union, UK residents were covered by GDPR, so the UK DPA is almost identical to GDPR in terms of what it means for nonprofits.

You need to comply with the UK DPA if: 

  • Your nonprofit is located in the United Kingdom; 
  • You offer goods or services to United Kingdom data subjects, whether or not payment is required, regardless of where your nonprofit is actually located; or 
  • You monitor the behavior of United Kingdom residents, regardless of where your nonprofit is actually located.

Quebec Law 25

Quebec Law 25 (formerly Quebec Bill 64) protects the privacy rights of residents of Quebec, Canada, by requiring certain websites to have a compliant Privacy Policy.

Quebec’s Law 25 applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise within the meaning of Article 1525 of the Civil Code of Québec.

Under that definition, the law applies to anyone participating in an organized economic activity, even if that activity is not commercial. This means that nonprofit organizations will need to comply with this law, just as for-profit organizations do. 

California Online Privacy Protection Act of 2003 (CalOPPA)

CalOPPA applies to any commercial website that collects the PII of California consumers. Don’t let the word “commercial” fool you, though. CalOPPA may apply to nonprofits whose websites: 

  • Promote business activities unrelated to the nonprofit; 
  • Include paid advertising; or
  • Solicit new members who may receive a commercial benefit not related to your nonprofit’s exempt purpose in return for their dues.

Nevada Revised Statutes Chapter 603A (sorry, no abbreviation this time)

Nevada Revised Statutes Chapter 603A protects the personal information of Nevada consumers and applies to both for-profit and nonprofit organizations. While this law does refer to websites operated “for business purposes,” it does not say that nonprofits are exempt from it.

The Nevada privacy law applies to “operators,” defined as any person who:

  • Owns and operates a website or online service for business purposes;
  • Collects and maintains the personal information of consumers who reside in Nevada and use or visit the Internet website or online service; and
  • Purposefully directs its activities towards Nevada, consummates a transaction with the state of Nevada or a resident of Nevada, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the U.S. Constitution.

In addition to these laws, there are two privacy laws that exempt some, but not all, nonprofits:

  • Delaware Personal Data Privacy Act (DPDPA) – The DPDPA exempts nonprofit organizations that provide services to victims of, or witnesses to, child abuse, domestic violence, human trafficking, sexual assault, violent felony or stalking, but it does not exempt nonprofits working in other areas.
  • Oregon Consumer Privacy Act – The law specifically exempts nonprofits established to detect or prevent fraudulent acts in connection with insurance, and nonprofits that provide programming to radio or television networks. All other nonprofits remain covered.

More on the way

As you can see, there are many privacy laws that can apply to nonprofits. We’re also currently tracking over a dozen privacy bills across the globe that, if they become law, could require nonprofits to have a Privacy Policy. So, where can you, as a nonprofit, get a Privacy Policy?

Your best option will always be to hire an attorney. A privacy attorney can draft your policies, keep them updated as laws change, and offer legal advice. However, this can get pricey. 

Your next best option as a nonprofit is to use a Privacy Policy generator like Termageddon. Termageddon provides comprehensive policies that also update automatically when laws change. The one difference is that a Privacy Policy generator can’t offer legal advice the way an attorney can.

Avoid free templates and generators. If they are free, they likely don’t learn enough about your nonprofit to determine which laws apply to it, and they won’t be updated as laws change. Also, many Privacy Policy generators advertise themselves as “free” but add charges as you go through the generation process. Make sure your generator is upfront about its pricing (Termageddon is $12/month or $119/year).

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
