Skip to main content
Nonprofit Web Design

Nonprofit Privacy Policy: What Your Website Legally Needs

July 17, 20266 min readBy Crystal Reyes
Hand-drawn line art of a padlock resting on a folded letter with a wax seal, a small eye with a line through it, green and gold pencil hatching

You collect email addresses. You process donations. You store volunteer contact information. You run Google Analytics.

Every one of those activities means you're handling personal data. And if your nonprofit website doesn't have a privacy policy, or has one that's outdated, you're exposed to legal risk and donor distrust.

The good news: getting this right isn't complicated. It just requires knowing what to include, where to put it, and how to keep it current.

Why Your Nonprofit Needs a Privacy Policy

Many nonprofit leaders assume privacy policies are only for big tech companies or e-commerce sites. That's not the case. If your website collects any personal information from visitors, you need a policy that explains what you're doing with it.

And you're collecting more data than you realize. Contact forms capture names, emails, and phone numbers. Donation pages process credit card details through third-party payment processors. Event registration forms collect addresses and dietary preferences. Email signup forms add people to your mailing list. Google Analytics tracks browsing behavior, location data, and device information.

Every one of those data points creates an obligation. Your visitors have a right to know what you're collecting and why.

The Legal Landscape for Nonprofits

Privacy law is evolving fast, and nonprofits aren't automatically exempt from everything.

State Privacy Laws

While the California Consumer Privacy Act (CCPA) generally exempts nonprofits from its core requirements, that exemption has limits. If your nonprofit shares branding with a for-profit entity or shares consumer data with a for-profit subsidiary, the CCPA may apply to you. Several other states have passed their own privacy laws with varying nonprofit provisions.

Beyond specific privacy statutes, general consumer protection laws in most states require honesty in how you represent your data practices. If you say you won't share donor data but then hand your list to a partner organization, that's a legal problem regardless of CCPA.

GDPR and International Donors

If any of your donors or website visitors live in the European Union, the General Data Protection Regulation (GDPR) applies to you. It doesn't matter that you're based in the United States. It doesn't matter that you're a 501(c)(3).

GDPR requires explicit consent before collecting data, clear privacy notices in plain language, the right for users to request deletion of their data, and breach notification within 72 hours. Penalties can reach up to 20 million euros. While enforcement against small U.S. nonprofits is rare, the legal obligation exists.

COPPA for Children's Data

If your nonprofit works with children and collects any information from kids under 13, whether through online program registration, youth ministry signups, or camp forms, the Children's Online Privacy Protection Act (COPPA) applies. This federal law requires verifiable parental consent before collecting children's personal information and imposes strict data security requirements.

What Your Privacy Policy Must Include

A complete nonprofit privacy policy covers seven key areas.

What Data You Collect

Be specific. Don't just say "personal information." List the categories: names, email addresses, mailing addresses, phone numbers, payment information, browsing data, device information, and anything else you gather.

How You Collect It

Explain the mechanisms: contact forms, donation forms, email signups, event registrations, cookies, and analytics tools.

Why You Collect It

State your purposes clearly. You collect email addresses to send newsletters. You collect payment information to process donations. You collect analytics data to understand how people use your site. Each purpose should be specific and honest.

Who You Share It With

This is where most nonprofits slip up. You need to disclose every third-party service that receives your visitors' data. That includes your payment processor (Stripe, PayPal, or Square), your email marketing platform (Mailchimp, Constant Contact), your analytics tools (Google Analytics), your CRM (Salesforce, Bloomerang, or Little Green Light), and your hosting provider.

If you share donor lists with partner organizations or sell mailing lists (please don't), that needs to be disclosed too.

How Users Can Opt Out

Give people a clear path to unsubscribe from emails, request deletion of their data, or update their information. Include a contact email or form where they can submit these requests.

Your Cookie Policy

If you use cookies, and you do if you run Google Analytics, explain what cookies are active on your site, what they do, and how visitors can manage them.

How You Protect Data

Briefly describe your security measures. You don't need to reveal technical details, but you should mention things like SSL encryption, secure payment processing, and access controls.

Where to Put Your Privacy Policy

Your privacy policy link needs to be in your website footer on every single page. This is the standard location visitors expect, and it's where regulators look.

Beyond the footer, link to your privacy policy from every form that collects personal data. Your donation form, your email signup, your contact form, your event registration page: each one should include a link or checkbox that references your privacy policy.

For more on structuring your nonprofit website content effectively, check out our guide on nonprofit website content strategy.

How to Write One in Plain Language

Your privacy policy should be readable by actual humans, not just lawyers. Write in the second person ("you" and "your"). Use short sentences. Avoid legal jargon wherever possible.

Instead of: "The Organization may process Personal Data for the purpose of fulfilling its legitimate interests in furtherance of its charitable mission."

Write: "We use your contact information to send you updates about our programs and fundraising campaigns. You can unsubscribe at any time."

Use headers to break up sections so visitors can quickly find the information they need. Most people won't read the entire policy, but they should be able to scan for specific answers.

Free Templates vs. Lawyer Review

Several reputable sources offer free privacy policy templates for nonprofits, including the National Council of Nonprofits and various legal aid organizations. These templates give you a solid starting point and cover the basics.

A template works well if your data practices are straightforward: you collect emails, process donations through a standard payment processor, and run basic analytics.

But if your nonprofit handles sensitive data (health information, children's data, financial details beyond basic donations), you should have an attorney review your policy. The same goes if you operate in multiple states or have international donors.

The cost of a legal review is typically a few hundred dollars. The cost of a data breach or regulatory complaint is significantly more.

Common Privacy Policy Mistakes

Copying Another Organization's Policy Verbatim

Every nonprofit's data practices are different. Copying a policy from a similar organization means you're likely describing data collection activities you don't do and failing to disclose ones you do. It also creates legal liability if the copied policy contains errors.

Not Updating When You Add New Tools

You added a chat widget last month. You switched email platforms in January. You started using a new donation processor. Each of those changes means your privacy policy needs an update. Set a calendar reminder to review your policy quarterly.

Not Disclosing Analytics and Tracking

Google Analytics collects a significant amount of user data, including pages visited, time on site, geographic location, device type, and referral source. If you use it (and most nonprofits do), your privacy policy must mention it. The same goes for Facebook Pixel, LinkedIn Insight Tag, or any other tracking tool.

Burying the Policy

If your privacy policy link is hidden three clicks deep in your site structure, it might as well not exist. Footer link, every page, visible font size. That's the standard.

Ignoring Mobile

Your privacy policy needs to be readable on a phone. If it's a wall of tiny text with no headers, mobile visitors can't realistically review it.

Your Next Steps

Start simple. Draft a policy that honestly describes what data you collect, why you collect it, who has access to it, and how people can opt out. Put the link in your footer. Then set a quarterly reminder to review and update it.

Your donors trust you with their money. Show them you take their data just as seriously.

Enjoying this article?

Get more like it delivered to your inbox. Practical web tips for nonprofits, churches, and community organizations.

Unsubscribe at any time. We value your privacy.

Continue Reading