Nonprofits and Digital Privacy Compliance: Three Essentials

In this guest post, Sharon Cody gives nonprofit organizational leadership an excellent primer on what digital privacy means for nonprofits and why it’s important. It begins with Principle 4: Learn & Plan™ of The Eight Principles®.

Principle 4: Divide & Grow™ of the Eight Principles of Sustainable Fundraising® states that you should understand who your prospective donors are before seeking funding from them.

That includes personal privacy.

There’s plenty of guidance for protecting personal privacy. As communication tools have advanced, new laws have been created to regulate them. Some of these laws address specific, modern tools and applications, while others simply build upon somewhat dated legislation to account for current digital privacy practices. Regardless of how up to date your state or municipality’s laws are, your nonprofit’s staff needs to be aware of privacy compliance essentials. 

Fortunately, nonprofits aren’t on their own to navigate these complex legal channels. For instance, our team at Labyrinth are experts on nonprofit filing and legal compliance. We’ve put together this guide to help your nonprofit understand three basics of digital privacy.

1. Complying with Communication Laws

Digital marketing has become extremely prevalent in the nonprofit space. To an outside observer, this type of outreach may seem relatively free and easy to engage in, but there are specific laws detailing how organizations, including nonprofits, can and cannot communicate with donors digitally.

As with other nonprofit legal requirements, privacy laws vary heavily based on location, so be sure to look up your country, state, and even local communication regulations before engaging with donors online. To help get your research started, here are two notable digital marketing laws:

  • The CAN-SPAM Act. In 2003, this US law was created to prevent consumers from receiving unwanted emails. While this law is primarily concerned with commercial businesses, it also applies to nonprofits’ email communication, specifically emails that promote products or corporate sponsors. However, even for emails outside of those specifications, it’s still good practice to follow this law and only send emails to constituents who have given either express or implied permission.
  • Telephone Consumer Protection Act (TCPA). Phones may not be your first thought when it comes to digital marketing, but nonprofits that use telemarketing, text messaging, and other phone communication strategies will need to be aware of the TCPA. As with many data protection laws, the TCPA requires nonprofits to obtain permission from their constituents before sending them specific types of communication, in this case pre-recorded and artificial calls.

2. Protecting Donor Data

Digital privacy laws don’t just apply to data collection, but also data storage and protection. Nonprofits are legally required to protect their donors’ sensitive and/or personally identifiable information, making cybersecurity a top priority. 

However, cybersecurity protection often gets overlooked: Bloomerang’s report on nonprofit cybersecurity reveals that 38% of nonprofit organizations don’t have a cybersecurity risk policy and 68% don’t have documented policies for what to do in the event of a cyberattack.

To make sure your nonprofit is within the percentage of organizations that follow stringent data protection policies, research your state requirements and take the necessary steps to protect donor data. Still, cybersecurity and your state’s corresponding regulations can be complicated. Here are a few common questions organizations have about data protection:

  • What is personally identifiable information? Personally identifiable information is data that could be used to identify the individual it belongs to. Your donors’ names, addresses, phone numbers, and email addresses can all be considered personally identifiable information. 
  • What do I need to do if there is a data breach? In most cases, nonprofits will need to identify the cause of the breach and what information was compromised. Then, your team will need to fix the vulnerabilities as soon as possible and alert impacted donors. 
  • Am I legally required to have cybersecurity insurance? Cybersecurity protection laws vary, and many are open-ended, requiring organizations to take reasonable steps to protect their constituents’ data. In most cases, nonprofits are not legally required to have a cybersecurity insurance policy, but it is often worth the investment.

3. Public Disclosures

A nonprofit’s annual tax returns must be publicly available. However, whether or not the names of your donors must also be disclosed is a more contentious matter. In recent years, challenges have been presented to the Supreme Court over whether nonprofits should be legally required to make their major donors public, but current laws and precedents have been upheld, broadly establishing that nonprofits do not need to do so.

To explain further, when a nonprofit files the Form 990, they may also need to file Form 990 Schedule B, which discloses personally identifiable information about donors who make contributions of $5,000 or more. 

Currently, nonprofits are required to file the Form 990 Schedule B with the IRS if they receive individual contributions of $5,000 or more. However, the Schedule B is no longer required to be submitted to state governments as part of the typical fundraising registration and renewal processes.

The information on file may still be viewed by outside parties, such as during an audit. Also, while nonprofits do not need to publicly disclose the names of major donors, it’s still considered a financial management best practice to maintain transparency and thank prominent contributors in your annual report with their permission. 

Nonprofit organizations have a responsibility to respect their donors’ privacy, both when reaching out to them and when keeping their information safe. Laws around donor privacy and data protection are contentious and may see changes, but the fundamentals, such as preventing security breaches and respecting donors’ communication preferences, will likely remain the same for the foreseeable future.

Sharon Cody is the Nonprofit Market Manager at Labyrinth, Inc. Sharon is passionate about educating nonprofits and fundraisers on the role of state charitable compliance as both a best practice and an industry differentiator. Sharon’s more than 30 years of experience give her unique insight on the use of fundraising compliance as a strategic tool to build trust, enhance reputation, and increase revenue.