Digital Privacy Compliance for Nonprofits: The Big 3 Laws

Sharon Cody • Mar 04, 2022

It’s called the information age for a reason! Data is now the gold standard resource for decision-making in organizations of all shapes and sizes. 


And nonprofits are no exception. Today, continually learning more about your donors, constituents, communities, and how they all engage with you can generate a lot of data. This information likely includes names, addresses, email addresses, birth dates, payment information, donation histories, volunteer histories, and more.


But with the increased importance of data to your strategies comes an increased responsibility to use data properly and respectfully, not to mention legally. 


Digital privacy has become a major new fixture in public discourse across all sectors. Much discussion of digital privacy revolves around the buying and selling of data, which isn’t largely relevant to day-to-day nonprofit operations. Another aspect of data privacy involves how data can and cannot be used to market to donors, which is much more relevant.


Although your nonprofit likely isn’t anywhere close to collecting large-scale location and engagement data to sell to other firms or push hyper-targeted ads like the tech giants, the point of regulations at any level is to protect consumers (or donors) and weed out bad actors. From fundraising legal requirements to digital privacy laws, it’s important to understand the rules to which your nonprofit can be held accountable.


An attorney knowledgeable about data privacy matters will always be your best guide when navigating these rules, but there’s still plenty you can do to familiarize yourself with the landscape. Let’s review three of the most impactful digital privacy regulations and what they mean for nonprofits.



Regulation #1: The CAN-SPAM Act


The CAN-SPAM Act was passed into US law in 2003, and it protects consumers from receiving emails that they never agreed to receive. It’s primarily intended to prevent spam email ads from commercial entities, but nonprofits are not exempt. 


Full compliance is required for any emails you might send that promote products, corporate partners, or any other commercial product or service. Full compliance beyond promotional emails is also highly recommended since it will cover your bases and signal respect to donors.


Understanding Email Permission

The CAN-SPAM Act requires that you verify all email recipients have “opted in” before you can send them any messages that fall under its purview. This hinges on the idea of “permission,” which takes two forms:


  • Express permission - A donor gives you their email address specifically to receive communications from you, like signing up for your newsletter.
  • Implied permission - A donor gives you their email address during a transaction, like making a donation online, and you clearly state during the transaction that you may send additional emails in the future to thank them, share updates, and ask for more support.


For both types of permission, you must give email recipients a clear opt-out option on all of your messages. 


Steps You Should Take

There are a few best practices you should abide by to stay compliant with the CAN-SPAM Act:

  • Ensure that email opt-in, opt-out, and permission information is actively tracked in your database or CRM and is recorded in a standardized way.
  • Think carefully as you create mailing lists for emails that are explicitly covered by the law, essentially any emails that are for explicitly commercial purposes.
  • Update your donation page to clearly include language about email and the types of messages you may send to donors in the future.
  • Use marketing and email software that adds opt-out links to emails and will automatically update your records to remove opted-out donors from your mailing lists.



Regulation #2: The GDPR


The European Union’s General Data Protection Regulation (GDPR) was implemented in 2018. It’s a sweeping set of laws that covers multiple aspects of data privacy and aims to give EU citizens more control over how their data is collected, tracked, and stored.


How does the GDPR relate to US-based nonprofit marketing and communications? 


The rules of the GDPR apply to your nonprofit if EU citizens donate to your organization, sign up to receive your emails, or otherwise interact with your website. The world of online fundraising compliance is a legal gray area today (more on this below), so it’s highly recommended to err on the side of caution and pursue GDPR compliance on your website and in your email strategies.


Steps You Should Take

To ensure general compliance with the GDPR, follow these best practices:


  • Actively update your website’s privacy policy and notify your email contacts whenever changes are made. Your privacy policy should cover the following information:
      • What personal data you collect
      • How and why you gather it
      • How you use it
      • How users can control their data and opt out
      • Whether your website uses cookies to track users
      • Any third parties with access to user data
  • Ensure that your donation pages and other opt-in forms are set up correctly. Users must actively opt in, so the default setting on any checkboxes must be blank. Users must also agree to your terms and conditions separately from the contact permission option.
  • Work with a nonprofit technology consultant if needed to conduct an assessment of your current data policies and protections.



Regulation #3: The CCPA


The California Consumer Privacy Act (CCPA) is a California law that was passed in 2018. It’s functionally very similar to the GDPR, setting comparable guidelines around how the personal data of California residents can and cannot be collected, used, and sold.


The law is aimed primarily at tech companies that sell personal data for profit, but the same logic applies here as it does to the GDPR. California has a very large population, so even nonprofits that aren’t based there have likely received donations from or engaged online with California residents. The safest route is to ensure general compliance with the CCPA.


Steps You Should Take

Follow the same best practices as listed above for the GDPR. Take extra care to do your due diligence and check for compliance whenever you work with third-party vendors or data marketing services that are required to be fully compliant with the CCPA.


All three of the regulations listed above are important to understand as they’re the most impactful and often serve as models for new digital privacy laws. 



The Gray Areas of Online Fundraising Compliance


The worlds of digital privacy and nonprofit compliance in general are constantly evolving, so stay on top of developments and seek help when you encounter new scenarios or gray areas. For example, you might’ve never thought your nonprofit would need to understand and use waivers prior to the pandemic!


There’s another gray area that is particularly glaring for nonprofits: online fundraising compliance. 


Your nonprofit is required to register to fundraise wherever you actively accept donations from donors. This is the standard charitable solicitation registration process with which you’re likely already familiar: registering with your home state and other state governments as your fundraising operations expand.


But how does this process change when the internet allows you to accept donations from anyone, anywhere, at any time?


Consider how you may need to comply with the GDPR and CCPA even if you’ve never done business or fundraised in the EU or California. Expand this idea to the entirety of your fundraising. Nonprofits can’t control who visits their websites and feels inspired to donate online, so knowing where you’re technically required to be registered can be extremely tricky.


Unfortunately, the US regulatory framework for online fundraising is outdated in this regard, meaning there are no clearly defined rules as there are for email and data privacy.


If you conduct large-scale online fundraising campaigns, your safest bet is to proactively register in as many states as you’re able or think will be necessary. Start with those with the largest populations like California, Texas, Florida, and New York, and adapt to their state-specific filing requirements. Nonprofit compliance services can handle these registrations and their renewals on your behalf, but your nonprofit should also regularly update any online donation disclosures. If you’re not registered to fundraise in a particular state, explicitly state that you cannot accept donations from that jurisdiction.


Key takeaways for both online fundraising and digital privacy compliance: The world of nonprofit compliance is complicated and constantly changing. 


Stay on top of developments and changing laws at all levels, and seek the help of experts whenever needed. Nonprofit compliance experts, attorneys, and technology consultants are all invaluable partners to have by your side as your organization grows over time.


If you have specific questions on these regulations, other digital privacy concerns, and how they might impact your nonprofit, your best first step is to reach out to an attorney knowledgeable in this field.


About the Author

Sharon Cody


Sharon Cody, J.D. is the Nonprofit Market Manager at Labyrinth, Inc., the leading provider of state charity registration services. Sharon is passionate about educating nonprofits and fundraisers on the role of state charitable compliance as both a best practice and an industry differentiator. She received her bachelor's degree from Rutgers University and her Juris Doctor from Penn State Dickinson School of Law. Sharon’s more than 30 years of experience as an attorney, charitable fundraiser, foundation executive, donor, and nonprofit board member give her unique insight on the use of fundraising compliance as a strategic tool to build trust, enhance reputation, and increase revenue.

