It’s called the information age for a reason! Data is now the gold standard resource for decision-making in organizations of all shapes and sizes.
And nonprofits are no exception. Today, continually learning more about your donors, constituents, communities, and how they all engage with you can generate a lot of data. This information likely includes names, addresses, email addresses, birth dates, payment information, donation histories, volunteer histories, and more.
But with the increased importance of data to your strategies comes an increased responsibility to use data properly and respectfully, not to mention legally.
Digital privacy has become a major new fixture in public discourse across all sectors. Much discussion of digital privacy revolves around the buying and selling of data, which isn’t largely relevant to day-to-day nonprofit operations. Another aspect of data privacy involves how data can and cannot be used to market to donors, which is much more relevant.
Although your nonprofit likely isn’t anywhere close to collecting large-scale location and engagement data to sell to other firms or push hyper-targeted ads like the tech giants, the point of regulations at any level is to protect consumers (or donors) and weed out bad actors. From fundraising legal requirements to digital privacy laws, it’s important to understand the rules to which your nonprofit can be held accountable.
An attorney knowledgeable about data privacy matters will always be your best guide when navigating these rules, but there’s still plenty you can do to familiarize yourself with the landscape. Let’s review three of the most impactful digital privacy regulations and what they mean for nonprofits.
The CAN-SPAM Act was passed into US law in 2003, and it protects consumers from receiving emails that they never agreed to receive. It’s primarily intended to prevent spam email ads from commercial entities, but nonprofits are not exempt.
Full compliance is required for any emails you might send that promote products, corporate partners, or any other commercial product or service. Full compliance beyond promotional emails is also highly recommended since it will cover your bases and signal respect to donors.
The CAN-SPAM Act requires that you verify all email recipients have “opted in” before you can send them any messages that fall under its purview. This hinges on the idea of “permission,” which takes two forms:
For both types of permission, you must give email recipients a clear opt-out option on all of your messages.
There are a few best practices you should abide by to stay compliant with the CAN-SPAM Act:
The European Union’s General Data Protection Regulation (GDPR) was implemented in 2018. It’s a sweeping set of laws that covers multiple aspects of data privacy and aims to give EU citizens more control over how their data is collected, tracked, and stored.
How does the GDPR relate to US-based nonprofit marketing and communications?
The rules of the GDPR apply to your nonprofit if EU citizens donate to your organization, sign up to receive your emails, or otherwise interact with your website. The world of online fundraising compliance is a legal gray area today (more on this below), so it’s highly recommended to err on the side of caution and pursue GDPR compliance on your website and in your email strategies.
To ensure general compliance with the GDPR, follow these best practices:
The California Consumer Privacy Act (CCPA) is a California law that was passed in 2018. It’s functionally very similar to the GDPR, setting comparable guidelines around how the personal data of California residents can and cannot be collected, used, and sold.
The law is aimed primarily at tech companies that sell personal data for profit, but the same logic applies here as it does to the GDPR. California has a very large population, so even nonprofits that aren’t based there have likely received donations from or engaged online with California residents.
The safest route is to ensure general compliance with the CCPA.
Follow the same best practices as listed above for the GDPR. Take extra care to do your due diligence and check for compliance whenever you work with third-party vendors or data marketing services that are required to be fully compliant with the CCPA.
All three of the regulations listed above are important to understand as they’re the most impactful and often serve as models for new digital privacy laws.
The worlds of digital privacy and nonprofit compliance in general are constantly evolving, so stay on top of developments and seek help when you encounter new scenarios or gray areas. For example, you might’ve never thought your nonprofit would need to understand and use waivers prior to the pandemic!
There’s another gray area that is particularly glaring for nonprofits: online fundraising compliance.
Your nonprofit is required to register to fundraise wherever you actively accept donations from donors. This is the standard charitable solicitation registration process with which you’re likely already familiar—registering with your home state and other state governments as your fundraising operations expand.
But how does this process change when the internet allows you to accept donations from anyone, anywhere, at any time?
Consider how you may need to comply with the GDPR and CCPA even if you’ve never done business or fundraised in the EU or California. Expand this idea to the entirety of your fundraising. Nonprofits can’t control who visits their websites and feels inspired to donate online, so knowing where you’re technically required to be registered can be extremely tricky.
Unfortunately, the US regulatory framework for online fundraising is outdated in this regard, meaning there are no clearly defined rules as there are for email and data privacy.
If you conduct large-scale online fundraising campaigns, your safest bet is to proactively register in as many states as you’re able or think will be necessary. Start with those with the largest populations like California, Texas, Florida, and New York, and adapt to their state-specific filing requirements. Nonprofit compliance services can handle these registrations and their renewals on your behalf, but your nonprofit should also regularly update any online donation disclosures. If you’re not registered to fundraise in a particular state, explicitly state that you cannot accept donations from that jurisdiction.
Key takeaways for both online fundraising and digital privacy compliance: The world of nonprofit compliance is complicated and constantly changing.
Stay on top of developments and changing laws at all levels, and seek the help of experts whenever needed. Nonprofit compliance experts, attorneys, and technology consultants are all invaluable partners to have by your side as your organization grows over time.
If you have specific questions on these regulations, other digital privacy concerns, and how they might impact your nonprofit, your best first step is to reach out to an attorney knowledgeable in this field.
About the Author
Sharon Cody
Sharon Cody, J.D. is the Nonprofit Market Manager at Labyrinth, Inc., the leading provider of state charity registration services. Sharon is passionate about educating nonprofits and fundraisers on the role of state charitable compliance as both a best practice and an industry differentiator. She received her bachelor's degree from Rutgers University and her Juris Doctor from Penn State Dickinson School of Law. Sharon’s more than 30 years of experience as an attorney, charitable fundraiser, foundation executive, donor, and nonprofit board member give her unique insight on the use of fundraising compliance as a strategic tool to build trust, enhance reputation, and increase revenue.