How to Write a Privacy Policy for Your Nonprofit

This post was refreshed to include up-to-date resources and examples on June 15, 2020.

Nonprofit privacy policies are often an afterthought in the website world. That’s probably because they’re rarely viewed by visitors and are all too often stuffed with legal jargon that’s only loosely recognizable as English.

Privacy policies outline what information you’re collecting from website visitors, the collection methods and how you use the information that you collect. While your nonprofit’s privacy policy will likely be one of the least viewed pages on your website, it’s still important you have a good one for a few reasons.

Benefits of a Nonprofit Privacy Policy

I’m not a lawyer, so don’t consider this legal advice. But here are a few reasons your privacy policy is worth some forethought:

It shows transparency and builds trust.

If a visitor wants to know the details of your policies they’ll be able to find them easily. And even some visitors who don’t want to read the policies in their entirety will take comfort in the fact that you’re making them available.

It helps you plan ahead.

Sure, it helps your visitors know what to expect. But it also helps you think through what information you’ll be collecting and the policies surrounding keeping that data safe. Planning ahead can help you avoid situations you don’t want to mess with down the road.

It provides basic legal protection.

Hopefully this will be a non-issue for your organization. But if you ever end up in a dispute involving your website, having a privacy policy will likely be quite helpful. Again, not a lawyer, but this just makes sense (assuming you’ve actually adhered to the policies you’ve outlined).

Write Your Privacy Policy in Plain English

While there are lots of online privacy policy generators and templates floating around out there, we’d recommend giving it a shot yourself first. Sure, look at examples from other organizations in your space, but it should be incredibly specific to your organization and how you collect and use information through your website.

Drop the legal jargon

It doesn’t inspire much confidence. Instead, write your privacy policy in plain, understandable language. Your privacy policy is a whole lot less valuable if no one can understand it.

Ask a Lawyer to Review It

After you’ve written it, have a lawyer review it. Tell them you don’t want to infuse it with jargon. You just want to make sure you haven’t omitted anything major.

Information to Include in Your Privacy Policy

You’ll need to tailor your privacy policy to your organization and website, but here are some pieces of information to get you started:

  • What information are you collecting from visitors? This can range from emails to credit card information to IP addresses to the pages they visit on your website.
  • How are you collecting this information? Think about forms, cookies, log files or other collection methods that happen in the background of a website visit.
  • Can this information be used to identify individuals, or is it aggregated and anonymous, or (more likely) is it both? Throughout the policy, it’s important to distinguish between the two.
  • How will you use the information you collect? For example, for marketing purposes, to improve user experience or send a newsletter that the visitor requested.
  • Where do you store information and for how long?
  • Who will be able to access this information? For example, your staff members, marketing consultants, third party services, etc.
  • Will you share this information with any other parties, like law enforcement, other nonprofits, partners or the person themself?
  • Is your website integrated with any third party vendors that have access to visitor data, such as Google Analytics, MailChimp, OptinMonster or Salesforce?
  • How will you protect their information? Do you have security measures in place?
  • How will you notify visitors of changes to your policies?
  • Who should someone contact with questions about your privacy policy?

Be as clear as you can when walking through the information you’re collecting, collection methods and data uses. Don’t be sneaky about it, but it’s okay to give yourself a little bit of wiggle room. Otherwise, this document could get out of hand pretty quickly.

For example, you might say you use website information to better target your marketing efforts, rather than going into detail on all the information that includes and exactly how you target these more specific groups of visitors.

GDPR Compliance

In 2018, the European Union passed the General Data Protection Regulation (GDPR), which regulates the collection, storage and use of its citizens’ personal data. But it’s not just for organizations in the EU. Complying with these regulations will help your organization be more transparent and build trust through both your privacy policy and treatment of visitors’ personal data.

Check out our post on GDPR compliance for tips on how to comply and to access a simple tool to assess your website traffic from countries in the European Union.

Resources for Writing Privacy Policies

Here are a few helpful resources as you write up your privacy policy:

Have anything you’d like to add? Or a resource you found particularly helpful in drafting a privacy policy? Perhaps an example of a great or confusing privacy policy? Let us know in the comments below.

David Hartstein is one of the co-founders at Wired Impact and spends most of his time helping nonprofits tell their story in a way that'll inspire action. He used to teach elementary school and often walks around barefoot. You can catch up with David on Twitter at @davharts.

4 Comments on “How to Write a Privacy Policy for Your Nonprofit”

  1. 1 Dale Orwig April 17, 2017

    Am interested in this topic for my church in Maryland. I’m not a lawyer, but my understanding is nonprofits are not exempt from having a privacy policy.

    Could you point us to resources oriented to helping non profits develop privacy policies, addressing situations such as:

    BASIC USES:
    We maintain a database on members and visitors, but it is available only within the church building, and the data itself is limited to things like name, address, phone, email, for each person and child when made available to us. The completeness of information is determined by the family. Part of the system keeps track of contributions, and access is severely limited to people recording incoming data, and to one person responsible for issuing receipts. It is not available to other staff, and not to members or visitors. We don’t take credit card information. We have paper copies of contributions by check, kept for some limited amount of time. We don’t share data with third parties. We might share contact information with known members or attenders with each other, e.g. names and addresses for social purposes, or for a particular purpose.

    BASIC QUESTIONS OF RESOURCES
    - How does the prospect of cloud storage for data backup affect what should be in the policy? What content raises the need for a privacy policy? What content does not trigger a requirement for a privacy policy?

    1. 2 David Hartstein April 17, 2017

      Hi Dale. Thanks a lot for the comment. Unfortunately I’m not aware of any resources that offer legal advice specifically geared towards nonprofits when it comes to creating a Privacy Policy. We’ve done our best in this post to sum up some things to consider, but given the nuance of every individual organization’s situation we always recommend consulting an attorney if you’re concerned about protecting yourself.

      Typically if you’re going to be collecting any sort of information from visitors, you’ll want to explicitly outline what you’ll collect, how you’ll collect it, how you’ll use it and how you’ll keep it secure. Cloud storage would probably mostly fall into the “how you’ll keep it secure” bucket, but depending on the details, could factor into how you write up other portions as well.

      I’d recommend taking a crack at writing your Privacy Policy yourself in terms that you’d want to read. You can then ask an attorney to read it over and let you know if there’s anything that needs to be adjusted. I’d also suggest checking out the resources we’ve linked to above. Most of the meat in a Privacy Policy will be the same for both for-profits and nonprofit organizations. You’ll just need to adapt them to be tailored to your situation.

      I hope that helps. Thanks again for commenting!

  2. 3 Ryan Stewart October 1, 2017

    I was actually looking for the exact thing. There are only a few posts about nonprofit’s privacy policy. Writing a business plan for a nonprofit can be daunting and you might not even know how to start if you don’t have a guide.

    1. 4 David Hartstein October 3, 2017

      Glad to hear the post was helpful Ryan!
