Why Your Nonprofit Needs a Privacy Policy (and what to include)

Posted by Lisa Thompson in Running a Nonprofit | Fundraising | Marketing

If you’re a typical nonprofit, you probably collect a significant amount of sensitive information from your users—even if it’s simply the IP addresses gathered by your site statistics package. And after all the recent news about Facebook and the millions of users whose data was potentially breached, online visitors are becoming more skittish than ever about providing personal information to both businesses and organizations. Suddenly information that users have considered private and protected seems all too vulnerable.

In this age of data-driven marketing, it’s more important than ever to position yourself as a safe and trusted organization. Your privacy policy can no longer be an afterthought—it needs to be a prominent feature on your website and written in words that the average user can understand without hiring a lawyer.

First, let’s talk about why this is so important.

  • It shows that you’re transparent and trustworthy. If a visitor or supporter wants to know the details of your policies, they should be available and easy to find on your website. Even users who don’t want to read your whole privacy policy will take comfort in the fact that you actually have one and are willing to share it online.
  • It helps you plan ahead. A well-thought-out policy will help your visitors know what to expect, yes. But it will also help you think through what information you routinely collect and how you plan to keep that data safe. Planning ahead can help you avoid difficult situations down the road.
  • It provides basic legal protection. Hopefully this will be a nonissue for your organization, but if you ever end up in a dispute involving your website, the fact that you have a privacy policy displayed on your site will work in your favor (assuming that you have actually adhered to the standards in your policy).
  • It addresses the GDPR. GDPR stands for General Data Protection Regulation, a game-changing data privacy law emanating from the EU (European Union) and officially effective as of May 25, 2018. Even though this law originates from across the pond, it still matters to you because, essentially, anyone can visit your website and donate, regardless of where they live. It’s a good idea to operate now with the assumption that the GDPR is the new standard. Your privacy policy should make sure that your site visitors can understand what data you are collecting about them, how it may be used and how they can be removed or “forgotten.” That includes telling them how to easily contact you if they want their data deleted. It’s a bit complicated, but here’s a quick article that details how to be GDPR-compliant.

Now let’s address the “how” question.
Here are some best practices and general guidelines for how to develop and publish a privacy policy that actually matters to your visitors.

  • Write your privacy policy in plain English. Drop the legalese and write your policies and standards in a way that the average user can understand. After you’ve written it, it’s smart to have a lawyer review it. You can be frank and upfront that you don’t want it filled with legal jargon that the average person won’t understand; the review is simply good practice to make sure you haven’t omitted something major.
  • Make it complete. In a nutshell, you want to lay out exactly what information is collected from users, how it’s collected and for what purpose. Of course, update your policy if these details change.
  • Be honest. If you plan to use personal information for marketing purposes—or even just to send out an occasional update—make that clear in your privacy policy. Provide an opt-out option on your website as well as in a link in every email message. This is especially important if your organization shares or plans to share information with other organizations or companies.
  • Make your policy visible. You could include it in the footer of each page of your website so readers won't have to hunt for it. Maybe place it prominently on your homepage or donation pages. Most people may never read the fine print, but it’s still crucial for you to display it in a way that shows you’re not trying to hide anything.
  • Be mindful of specific laws. Additional laws may apply to you even if your nonprofit doesn’t operate in a specific sector. For example, if you ask health-related questions, laws like HIPAA (Health Insurance Portability and Accountability Act) may apply to how you collect and retain information. When it comes to financial questions, SEC regulations may apply. Avoid unnecessary fines by making sure you’re in compliance with all rules and regulations. Of course, don’t ignore the FTC or state laws that provide minimum standards.
  • Make it your own. Don’t cut and paste an already-written privacy policy that you found for free from someone else online. The risk of penalties is real and this is not the time for a cookie-cutter solution. Your policy should be your own and reflect the unique circumstances of your website and organization.

And finally, what you need to include.

Once you determine specifically what information you will collect—email, cookies, subscription information, credit card, login, gender, age, etc.—and you state your legitimate reason for collecting this info, you need to identify what you will do with it.

Here are some things to be sure to include in your policy.
  • Explain exactly what information you need to collect and whether it’s identifying, anonymous or both.
  • No need to get lengthy and detailed, but explain how information is collected: search terms, sign-up info, log files, clicked links, cookies or other methods.
  • If you’ll share information with other sites or partner organizations, be honest. Most consumers’ number one concern is who else will receive their personal information.
  • Simply state that if you are compelled by law to disclose sensitive information, you will comply with such orders.
  • Give readers the option of verifying, correcting, changing or removing personal registration information. This can be done via a confirmation email after a user has registered on your site.
  • Provide a way for people to opt out of future communication. If someone wants to be removed, make it easy—you don’t want to be penalized for spamming people.
  • State that the policy will be updated periodically and how you will communicate such changes.

One key thing to remember regarding privacy: Do not ask your visitors for intrusive or sensitive personal information unless it’s absolutely necessary. Internet users are getting savvier and more reluctant to provide sensitive information if they don’t understand the need for it. Whatever information you need to collect, be clear as to why and include how you will protect the data.
