Fact Sheet 28:
Online Privacy for Nonprofits

Send to PrinterSend to Printer
Copyright © 2004-2016
Privacy Rights Clearinghouse
Posted April 2004
Revised April 2016
  1. What Kind of Information Is Posted Online? Conduct a Privacy Assessment
  2. Consequences of Not Getting Permission to Post Information
  3. Transferring Paper Files to Electronic Documents: Do They Belong on the Web?
  4. What to Include in Your Privacy Policy
  5. Special Considerations for Electronic Mail
  6. State and Federal Privacy Laws Regarding Online Privacy
  7. Protecting Personal Information from Hackers
  8. How to Get Consent from Members
  9. If Your Group Collects Information about Children
  10. Resources

Many clubs, homeowners' associations, parent-teacher associations (PTAs), public interest groups, and religious organizations are finding the Internet to be a powerful way to communicate with members, spread the word on current issues, sign up new members, and much more. It's increasingly common for groups to distribute newsletters by electronic mail and then post them on their web sites. Some organizations offer chat rooms where members and the public can share ideas about current issues and upcoming events.

While each of these uses offers great benefits to nonprofits, they all involve privacy concerns that should be considered when creating an online presence for your organization. The following scenarios tell the story:

Case 1: Paul volunteers evenings and weekends for the local Save the Wetlands organization. He is an engineer for a large housing developer which often is opposed to the activities of this and other environmental organizations. At the office Paul has kept quiet about his involvement. Recently the group decided to distribute its newsletter by e-mail rather than postal mail to save money and to reduce its use of paper. Without consulting the membership, the board also decided to post the newsletter on the organization's web site. Paul's employer inadvertently learned of Paul's volunteer activities when a search engine query found his name online on the club's newsletter. Paul was reprimanded by his supervisor. The unspoken message was that he would have difficulty advancing in the company.

Case 2: Barbara's church offers an online prayer circle on its web site. She submitted a prayer request for her husband, an alcoholic struggling to overcome his dependency. Her request included both her full name and that of her husband, plus details of his addiction and some of the family problems it has caused them. She was not aware that any query of their names on an online search engine could retrieve her prayer request. She was embarrassed when a relative contacted her to offer her sympathy.

Organizations that post any personal information on the web must develop policies that safeguard the privacy of those individuals. That includes names that are publicized in the group's electronic newsletter when posted on the web site. The keys to safeguarding personal information are to develop a privacy policy and to obtain consent from individuals before including their names on any documents that are posted on the group's web site. This is all the more important for groups that work with children and youth, such as sports and scouting clubs.

1. What Kind of Information Is Posted Online?
Conduct a Privacy Assessment

Virtually all nonprofits collect information about their members: name, address, home phone number, work phone number, e-mail address, information about dues and contributions, and committee memberships. Some organizations like youth sports clubs obtain dates of birth. And support groups might even obtain highly sensitive information on, say, members' medical status.

Many groups are organized around controversial issues involving the environment, political campaigns, sexual orientation, reproductive rights, religion, adoption, civil liberties, and a host of other public policy issues. Indeed, for every controversial cause there are several nonprofit groups that are organizing around the issue, each with its roster of members and its databases primed for fundraising campaigns.

It's perhaps an understatement to say that the collection of personal information forms the very foundation of a nonprofit's success and effectiveness. But what many organizations fail to realize is the importance of safeguarding such personal information.

Nonprofits have a duty to protect the personal information they collect and keep. But this responsibility is often overlooked until it's too late and a privacy breach exposes members to unwanted attention -- like Paul and Barbara in the hypothetical scenarios above.

We recommend that every nonprofit group adopt a privacy policy, discussed later in Part 4. But before developing your group's privacy policy, you first need to conduct a privacy assessment. This simply means taking a look at what kind of personal information you collect and what, if any, you post on your web site now or in the future.

What questions should we ask when we perform a privacy assessment?

  • What personal information, if any, is posted on the web site? This can include the roster of the entire membership, board members, committee members, top donors, award winners, event planners, and so on.
  • What kind of personal information is posted -- name, address, phone number, e-mail address, committee participation?
  • Is the organization's newsletter posted on the web site, and if so, does it include individuals' names and other personal information?
  • Are names, telephone numbers, and e-mail addresses included in announcements for upcoming events?
  • Does the web site post information about those who signed in to attend a recent event or the minutes from meetings?
  • Do you list the names of members in captions of photos that your web site posts of, say, your most recent fundraising banquet?
  • Do you obtain consent from individuals before posting photos on the web site, whether or not their name is included in the photo caption?
  • Do you post the names of those who have donated to your organization?

Make a list of the kinds of personal information you post online. This will be important when establishing your privacy policy. Clearly organizations are proud of the activities they sponsor and their members' monetary and volunteer contributions. But posting information online can have unintended, harmful consequences that can be avoided.

2. Consequences of Not Getting Consent to Post Information

Well-meaning club leaders often do not realize that there are several ways in which an individual's privacy can be harmed if safeguards are not implemented to protect their personal information.

Here are some unintended consequences of posting personal information to your group's web site:

  • Members may be contacted by other organizations that want them to join, possibly resulting in membership migration.
  • If yours is a civic organization involved in legislative issues or setting public policy, politicians looking for financial support or endorsements may contact those you list on your site.
  • Some members may have personal safety considerations such as a stalking or domestic violence in which they must keep their location a secret.
  • Addresses, phone numbers, and e-mail addresses of members might be accessed to pitch commercial products and services.
  • Those who disagree with your organization's perspective may harass those whose personal information is posted online.
  • Some members, though supportive of your efforts and active in the organization, may not want to be publicly-affiliated with the positions espoused by the organization.
  • Members may have an unlisted or unpublished phone number that they want to keep private.
  • Posting personal e-mail addresses could cause individuals to receive unwanted e-mail solicitations and spam. If individuals' names are listed in the white pages of the phone book, just posting their name on your web site may enable others to access additional personal information.
  • Noting the names and other personal information about donors can lead to unwanted requests for other charitable donations.
  • Posting pictures of minors could lure online predators.

You would not want to lose members because of such privacy breaches. Keeping these considerations in mind and getting consent up front about how members want their information to be used will go a long way in keeping your members involved.

3. Transferring Paper Files to Electronic Documents:
Do They Belong on the Web?

When individuals give personal information on paper documents such as registration forms, membership subscription forms, fundraising forms, and event sign-in lists, they may not be aware that their information might end up in electronic files. Often these kinds of paper files are entered into computer databases for easier record keeping.

It's important to keep such data files separate from your web site. Do not make the mistake of posting confidential files on "nonpublic" portions of the web site. Just because there are no public links to such files does not mean that they cannot be found. A simple query on a search engine can retrieve files that you thought were in the background, only accessible to those in the know within your organization. There's a new sport in the hacker community called "google-hacking." Hackers look for documents that are squirreled away in the nonpublic parts of web sites by using generic search terms like "budget," "membership directory," or "confidential." When they find particularly sensitive information, they spread the word, enabling others to do the same.

Transferring personal information from paper files to an electronic format that might be posted to your web site should only be done in consideration of members' and attendees' express wishes. For instance, members may be fine with sharing information with other members via a paper membership directory, but would not want that information to be posted to your web site. Members may not object to having their name printed in a newsletter that is mailed in paper form only to other members, but they may not want to include their name in newsletters that are posted online and read by people outside of the organization. To be safe, get consent for both the print version and the online version.

The person in charge of privacy protection at your organization (yes, every organization should have one) should speak to the editors of all of the club's newsletters about these issues and make sure that they take the necessary steps to safeguard members' privacy. Remember, the Internet is a new technology for many, and your members may not know the full scope of what it means to have their information posted on your web site. A simple query in a search engine can retrieve the names of individuals posted on the most obscure club newsletter. It doesn't matter if the organization has a membership of 50 or several million. Personal names printed in club newsletters and posted on the web are easily found by Internet search engines.

Other ways in which personal information from paper files may end up on the Internet is in the tax, financial, and registration forms your group must file with the IRS and state government agencies. Such forms may require you to list your officers and directors. Others like the IRS Form 990 may require that you disclose employees' names and salaries. Often, organizations will list home addresses of officers, directors, and employees in the paper filings, unaware that these documents are posted on the Internet. We advise that you use your organization's address rather than home addresses.

Another common way that personal information finds its way onto the Internet is via annual reports and minutes of meetings. The best time to deal with the question of including personal information in such documents is when they are first created, not after they are posted to the group's web site.

Photographs of your members at events can be another way in which their privacy may be compromised. This can occur when a member's name is posted in the caption of the photo. In addition, if the individual's name is saved as part of the name of the graphic file, it might be discovered through search engines that locate images.

4. What to Include in Your Privacy Policy

Why should we develop a privacy policy?

Having a good privacy policy is the first step in gaining individuals' trust, expanding the reach of your organization, and indicating a level of professionalism. Recent studies have found that the top concern of people who use the Internet is privacy. Having a privacy policy on your site indicates that your organization has taken a proactive approach by establishing guidelines for protecting privacy and sticking to them.

Don't limit the scope of your privacy policy to the your web site alone, however. Take the opportunity to examine your organization as a whole, and consider your web site to be a part of the larger privacy policy. We limit our discussion here to web site policies and provide additional resources in Part 10 at the end of this guide.

What should be included in the privacy policy?

When creating a privacy policy, you should be as accurate as possible. Privacy policies should state what type of information is collected as well as who will have access to the information.

There are several different types of information that your web site can collect from its visitors, including the Internet Protocol (IP) addresses of web users, their browser information, and information obtained via cookies. Your organization should carefully consider whether it wishes to employ capabilities such as cookies. Such information does not necessarily identify visitors by name. Nonetheless, you should explain how you use such data, if at all. (See PRC's guide "Online Privacy: Using the Internet Safely" )

If you plan to use cookies or other information-gathering techniques, you should explain this in your privacy policy. Be sure to list what types of information your organization collects and exactly what it is used for. Explain if information is collected automatically from all visitors or only from specific users. For example, a site may collect information about viewers who reach the site through a specific link, but not through other channels. If your organization does not use cookies and collects no personal information from web visitors, explain this in your privacy policy too.

If you obtain personally identifiable information through online application forms, online surveys, interest lists, inquiry forms, and e-mail subscription forms, your policy must also describe what you use that information for, how long it is retained, how it can be updated or removed, and how it is protected from illegitimate access.

Your policy should explain who will have access to any information that is collected such as your web site administrator, organization staff, and board members. The policy should explain if information is shared with third parties or other members and for what purpose or under what circumstances. Providing those who give personal information the opportunity to opt in to the sharing of their information with third parties is a "best practice" that allows them to better control how their information is distributed.

Your policy should note whom visitors can contact with privacy concerns and how long it usually takes your organization to comply with a request for information removal. And don't forget to explain how individuals can access the information that you keep about them.

These are the basic elements of a good privacy policy, one that is specific to your web site. As we explained above, we advise that you adopt an overall privacy policy for the entire organization and all of its information-gathering functions, not just your web site. The larger policy will include information about how you handle paper and printed files in your office and whether you rent or sell your mailing list to other organizations. (See PRC's guide "Checklist of Responsible Information-Handling Practices".)

How should we publicize and disclose our privacy policy?

Your privacy policy should be prominently noted on the home page. Also, provide links to the policy on additional pages. Be sure to give it to new members when they first join. You may also want to mail it to your membership annually.

What if we change our privacy policy?

If you change your privacy policy, you should have an established procedure for notifying those who may be affected. This procedure, whether done by e-mail or letter, should also be a part of your privacy policy.

Should member information areas be password-protected?

You may want to consider having a password-protected section of your web site available only to members, or only to board members. You can use this section to allow members to see photos that members may not want to have viewed by the general public. Having a restricted part of your web site for members only will help keep a club-like feel for your organization, continue the easy communication between members, and yet still protect their privacy. It may also be an incentive for new members to join. One should note, however, that even with restricted access, you should still gain consent from members as to whether they wish to be listed where all other members can view their information.

What is the best way to keep the policy up to date?

Once your privacy policy is established, it is vitally important that your club, group, or organization adheres to the policy. A good privacy policy that is consistently followed is the first step in gaining your members' and visitors' trust and increasing your audience. If any changes are made to your policy, follow the procedures outlined in your policy for notifying those who may be affected.

Establish a periodic schedule to review your policy to make sure that its contents are still accurate, for instance, at a yearly board meeting or retreat. You will want to address any changes that result from new legislation, for example.

Where can I find sample privacy policies?

Several web sites offer sample privacy policies. Some include policies that are specifically for nonprofits and for web sites that are directed at children. For a list, see Part 10 at the end of this guide.

5. Special Considerations for Electronic Mail

What if we communicate with members through mass e-mail notices or e-newsletters?

If your organization sends e-mail messages or e-newsletters to members on a regular basis, you should make sure that the address list is hidden from other recipients. This will guard against people using the list to send spam as well as protect the privacy of your members. A common mistake is to send mass e-mails and forget to hide the list in the BCC address line (blind carbon copy). Better yet, invest in a broadcast e-mail program to ensure that recipients' e-mail addresses are not disclosed to others on the list. Be sure to read the privacy policies and terms of service of such companies and choose a service with a good privacy policy.

We advise that you obtain consent from members in order to contact them by e-mail. All mass e-mails should contain a functioning opt-out link or address. The person in charge of privacy at your organization should make sure that this link is working and that requests to be taken off the list are promptly addressed. You may also want to include the physical address of your club or organization and the name and e-mail address of the person in charge of any privacy concerns.

What if we post the personal e-mail addresses of members or board members on our web site?

If a personal e-mail address is posted on your site with the "@" sign printed, it is likely to draw unsolicited e-mail advertisements. Though the federal CAN-SPAM Act, which provides guidelines on commercial email, makes it illegal to harvest e-mail addresses from the Internet to send unwanted messages, the practice is still occurring. If members of your organization agree to allow their e-mail addresses to be posted, your organization should try to post them in a form that will not be recognized by "webbots" or "spiders." There are several ways to mask e-mail addresses such as using "(at)" instead of "@."

6. State and Federal Privacy Laws
Regarding Online Privacy

Are there any privacy laws about handling personal information online?

California computer security breach law. California has a law that affects any company, organization, or government agency that believes its electronic data files with personal information about Californians may have been compromised. In such cases, the organization must send those who are affected a notice about the security breach (California Civil Code Sections 1798.29 and 1798.82-1798.84). You can read about this law at http://www.oag.ca.gov/sites/all/files/pdfs/privacy/recom_breach_prac.pdf?.

The law covers any unauthorized acquisition of [unencrypted] computerized data that compromises the security, confidentiality or integrity of personal information. Personal information that triggers the notice requirement is name (first name or initial and last name) plus any of the following:

  • Social Security number,
  • Driver's License or California Identification Card number, or
  • Financial account number, credit or debit card number (along with any PIN or other access code where required for access to account).

California Online Privacy Protection Act. The more commercial your site, the more likely it will be subject to laws aimed at commercial sites. For example, California's Online Privacy Protection Act covers anyone who collects information via its web site from residents of California, including businesses that do not physically reside in California. This Act requires commercial web sites that collect personally identifiable information about individuals residing in California to conspicuously post its privacy policy on its web site. (California Business and Professions Code, Section 22575).The law requires commercial web sites to include four things in their privacy policy:

  • The type of information that is collected and with whom the information may be shared.
  • Whether or not subjects may review and update and/or change the information after it has been collected.
  • A description of the way in which the operator will notify persons when it makes any change to its privacy policy.
  • The date the policy is in effect.

Federal Trade Commission Act. The Federal Trade Commission Act covers all business' unfair trade practices but generally does not cover actions of non-profit organizations, However, a Supreme Court decision found that where there is substantial economic benefit to its members, the site may be deemed commercial and governed by the Federal Trade Commission Act (15 USC 45). (FTC v. California Dental Association 526 U.S. 756 (1999))

How commercial is your site?

In light of the laws explained above, your organization should evaluate how commercial the web site is.

  • Does your organization offer its members advantageous insurance policies and preferential financing arrangements?
  • Does it engage in lobbying, litigation, marketing, or public relations for the benefit of its members' interests?
  • Does it provide members with services such as job placement?
  • Does it provide members with seminars, training sessions, or publications at discounted rates?

Whether or not your organization's web site would be considered commercial, your best approach is to have a privacy policy as a good faith gesture and as a courtesy to your visitors. This will reduce your liability regarding the way in which your organization handles information, and will help your group avoid costly legal battles and public relations embarrassments.

7. Protecting Personal Information from Hackers

How can we protect the personal information we collect from hackers?

The short answer to the question is to not store personal information on any computers connected to the Internet.

Providing a secure environment for individuals to purchase goods or membership online is imperative. To be able to do this effectively and securely requires using a Secure Socket Layer

"SSL" encryption certificate. Properly installed, the use of SSL means that the information sent by the individual to your web site will be encrypted enroute. When the web user is on the secure pages of your web site, a yellow padlock is displayed on the task bar at the bottom of the computer monitor.

But using SSL does not guarantee that the data files containing personal information are hacker-proof. It only ensures that when the information is transmitted, it is protected until it gets to its final destination. It's important to make sure that information is safe on the receiving end. If the computer that hosts your web site also stores personal information of those who provide personal information through your site, you may inadvertently be leaving that information open to hacking through the Internet portal. This could subsequently leave member information open to possible identity theft or credit card fraud and could necessitate a security breach notification noted in Part 6.

It is beyond the scope of this guide to explain how to make your web site and computer files hacker-proof. Computer magazines are a good source for current information. And many web sites provide useful advice. Here are two resources, for starters:

8. How to Get Consent from Members

The best approach to knowing more about how your members want their personal information to be handled is to simply ask them. We advise that you obtain consent from members and note their privacy preferences when they initially join and thereafter when they renew their membership and contribute to fundraising campaigns. Providing a way to opt out of having information disclosed on sign-in lists is also a good idea. Also, get individuals' permission when you want to post information about them in your newsletter or on your web site and when there are any changes made to your privacy policy that may affect a person's prior privacy preferences.

To gauge a person's privacy preferences, ask them fill out a form when they join. The form should include an opt-in style questionnaire like the following:

What may we include.

In paper member directory
mailed to members only:
 In member directory posted on web site:
Phone number  
E-mail address  
Committee memberships  
Photo, uncaptioned  
Photo, captioned  

Tell us what we may say about your donations and volunteer activities.

You may acknowledge me as follows:

Monetary donations: (Check Box) Volunteer activities: (Check Box)
In the paper newsletter mailed to members   In the paper newsletter mailed to members
In the e-mail newsletter   In the e-mail newsletter
In the newsletter posted on web site   In the newsletter posted on web site

Please give us additional instructions on how we should handle your personal information.

[Include space for written instructions here.] _________________________________

The questionnaire should include the name and contact information of the person in charge of privacy at your organization. And it should contain the specific web site address of your privacy policy. Consider attaching a paper copy of your privacy policy with the membership form and questionnaire.

9. If Your Group Collects Information about Children

What kinds of special considerations need to be made for children?

Organizations must be especially vigilant when collecting personal information about and from children. Under the federal Children's Online Privacy Protection Act (COPPA), any web site that knowingly collects information from children under age 13 and does not comply with the law can face serious sanctions, including fines, from the Federal Trade Commission (FTC).

COPPA requires anyone who collects information from children to disclose what type of information is collected and to attempt to gain parental consent. The organization must offer parents access to the information and an opportunity to change or remove the information. (See PRC's guide "Children's Privacy and Safety on the Internet: A Resource Guide for Parents")

While COPPA does not specifically apply to nonprofit organizations, there is  case law suggesting that if members of your club gain financial advantage from being members, it may be deemed a for-profit organization under federal law 15 USC 45, the defining statute for "non-profit organization" under COPPA. See the discussion above of commercial sites. FTC v. California Dental Association 526 US 756 (1999).

Moreover, if your club or organization is affiliated with a school, you may face additional requirements under laws such as the Family Educational Rights and Privacy Act. FERPA governs schools that receive federal government funding. The Department of Education has information on FERPA and how to be compliant.

In general, if your organization is geared towards children, it is advisable to err on the side of caution when considering collecting and posting personal information about minors, including photographs.

10. Resources

Federal Laws and Regulations

Federal Trade Commission

California State Laws

California Department of Justice’s Privacy Enforcement and Protection Unit

Privacy Rights Clearinghouse Fact Sheets

Other Resources

    The Privacy Rights Clearinghouse acknowledges the assistance of research associate Alaina Roche, Esq., in developing this publication.


    Content type: 
    Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.