Nonprofit Privacy Policy: What Your Website Legally Needs

You collect email addresses. You process donations. You store volunteer contact information. You run Google Analytics.
Every one of those activities means you're handling personal data. And if your nonprofit website doesn't have a privacy policy, or has one that's outdated, you're exposed to legal risk and donor distrust.
The good news: getting this right isn't complicated. It just requires knowing what to include, where to put it, and how to keep it current.
Why Your Nonprofit Needs a Privacy Policy
Many nonprofit leaders assume privacy policies are only for big tech companies or e-commerce sites. That's not the case. If your website collects any personal information from visitors, you need a policy that explains what you're doing with it.
And you're collecting more data than you realize. Contact forms capture names, emails, and phone numbers. Donation pages process credit card details through third-party payment processors. Event registration forms collect addresses and dietary preferences. Email signup forms add people to your mailing list. Google Analytics tracks browsing behavior, location data, and device information.
Every one of those data points creates an obligation. Your visitors have a right to know what you're collecting and why.
The Legal Landscape for Nonprofits
Privacy law is evolving fast, and nonprofits aren't automatically exempt from everything.
State Privacy Laws
While the California Consumer Privacy Act (CCPA) generally exempts nonprofits from its core requirements, that exemption has limits. If your nonprofit shares branding with a for-profit entity or shares consumer data with a for-profit subsidiary, the CCPA may apply to you. Several other states have passed their own privacy laws with varying nonprofit provisions.
Beyond specific privacy statutes, general consumer protection laws in most states require honesty in how you represent your data practices. If you say you won't share donor data but then hand your list to a partner organization, that's a legal problem regardless of CCPA.
GDPR and International Donors
If any of your donors or website visitors live in the European Union, the General Data Protection Regulation (GDPR) applies to you. It doesn't matter that you're based in the United States. It doesn't matter that you're a 501(c)(3).
GDPR requires explicit consent before collecting data, clear privacy notices in plain language, the right for users to request deletion of their data, and breach notification within 72 hours. Penalties can reach up to 20 million euros. While enforcement against small U.S. nonprofits is rare, the legal obligation exists.
COPPA for Children's Data
If your nonprofit works with children and collects any information from kids under 13, whether through online program registration, youth ministry signups, or camp forms, the Children's Online Privacy Protection Act (COPPA) applies. This federal law requires verifiable parental consent before collecting children's personal information and imposes strict data security requirements.
What Your Privacy Policy Must Include
A complete nonprofit privacy policy covers seven key areas.
What Data You Collect
Be specific. Don't just say "personal information." List the categories: names, email addresses, mailing addresses, phone numbers, payment information, browsing data, device information, and anything else you gather.
How You Collect It
Explain the mechanisms: contact forms, donation forms, email signups, event registrations, cookies, and analytics tools.
Why You Collect It
State your purposes clearly. You collect email addresses to send newsletters. You collect payment information to process donations. You collect analytics data to understand how people use your site. Each purpose should be specific and honest.
Who You Share It With
This is where most nonprofits slip up. You need to disclose every third-party service that receives your visitors' data. That includes your payment processor (Stripe, PayPal, or Square), your email marketing platform (Mailchimp, Constant Contact), your analytics tools (Google Analytics), your CRM (Salesforce, Bloomerang, or Little Green Light), and your hosting provider.
If you share donor lists with partner organizations or sell mailing lists (please don't), that needs to be disclosed too.
How Users Can Opt Out
Give people a clear path to unsubscribe from emails, request deletion of their data, or update their information. Include a contact email or form where they can submit these requests.
Your Cookie Policy
If you use cookies, and you do if you run Google Analytics, explain what cookies are active on your site, what they do, and how visitors can manage them.
How You Protect Data
Briefly describe your security measures. You don't need to reveal technical details, but you should mention things like SSL encryption, secure payment processing, and access controls.
Where to Put Your Privacy Policy
Your privacy policy link needs to be in your website footer on every single page. This is the standard location visitors expect, and it's where regulators look.
Beyond the footer, link to your privacy policy from every form that collects personal data. Your donation form, your email signup, your contact form, your event registration page: each one should include a link or checkbox that references your privacy policy.
For more on structuring your nonprofit website content effectively, check out our guide on nonprofit website content strategy.
How to Write One in Plain Language
Your privacy policy should be readable by actual humans, not just lawyers. Write in the second person ("you" and "your"). Use short sentences. Avoid legal jargon wherever possible.
Instead of: "The Organization may process Personal Data for the purpose of fulfilling its legitimate interests in furtherance of its charitable mission."
Write: "We use your contact information to send you updates about our programs and fundraising campaigns. You can unsubscribe at any time."
Use headers to break up sections so visitors can quickly find the information they need. Most people won't read the entire policy, but they should be able to scan for specific answers.
Free Templates vs. Lawyer Review
Several reputable sources offer free privacy policy templates for nonprofits, including the National Council of Nonprofits and various legal aid organizations. These templates give you a solid starting point and cover the basics.
A template works well if your data practices are straightforward: you collect emails, process donations through a standard payment processor, and run basic analytics.
But if your nonprofit handles sensitive data (health information, children's data, financial details beyond basic donations), you should have an attorney review your policy. The same goes if you operate in multiple states or have international donors.
The cost of a legal review is typically a few hundred dollars. The cost of a data breach or regulatory complaint is significantly more.
Common Privacy Policy Mistakes
Copying Another Organization's Policy Verbatim
Every nonprofit's data practices are different. Copying a policy from a similar organization means you're likely describing data collection activities you don't do and failing to disclose ones you do. It also creates legal liability if the copied policy contains errors.
Not Updating When You Add New Tools
You added a chat widget last month. You switched email platforms in January. You started using a new donation processor. Each of those changes means your privacy policy needs an update. Set a calendar reminder to review your policy quarterly.
Not Disclosing Analytics and Tracking
Google Analytics collects a significant amount of user data, including pages visited, time on site, geographic location, device type, and referral source. If you use it (and most nonprofits do), your privacy policy must mention it. The same goes for Facebook Pixel, LinkedIn Insight Tag, or any other tracking tool.
Burying the Policy
If your privacy policy link is hidden three clicks deep in your site structure, it might as well not exist. Footer link, every page, visible font size. That's the standard.
Ignoring Mobile
Your privacy policy needs to be readable on a phone. If it's a wall of tiny text with no headers, mobile visitors can't realistically review it.
Your Next Steps
Start simple. Draft a policy that honestly describes what data you collect, why you collect it, who has access to it, and how people can opt out. Put the link in your footer. Then set a quarterly reminder to review and update it.
Your donors trust you with their money. Show them you take their data just as seriously.
Sources
- •California Consumer Privacy Act (CCPA) — California Department of Justice
- •General Data Protection Regulation (GDPR) — Official GDPR Portal
- •Children's Online Privacy Protection Rule (COPPA) — Federal Trade Commission
- •Complying with COPPA: Frequently Asked Questions — Federal Trade Commission
- •GDPR for Nonprofits — Whole Whale


