Donor Privacy Policy: Every Nonprofit Should Have One

01.23.18 | Linda J. Rosenthal, JD

Which documents should your organization have in that expensive, “gold-embossed,” three-ring binder you ordered back in the day when you first got started? There are dividers for your articles of incorporation, your bylaws, and the minutes of the first meeting. Of course, you should keep it up to date with the minutes of each board meeting, along with formal resolutions adopted, and any amendments to the bylaws. What else should be included in your official organizational records?
In the “must-have” category are certain official corporate policy documents that the IRS strongly recommends you adopt and follow scrupulously. Check out our series When the Revenue Agent Comes Calling. The government auditor will have in hand IRS Form 14114, Governance Check Sheet, and will ask to see your written conflict of interest policy, your document-retention policy and sometimes your whistleblower protection policy.
In the “should-have” category are a social media policy and an employee handbook. If there’s an advisory board, a policy about that is useful. A donor privacy policy is a good idea, too.

Donor Privacy Policy

The Association of Fundraising Professionals (AFP) recommends adoption of a privacy policy for any organization that gathers personal information including names, addresses, and credit card information from donors and attendees at special events. It is a formal, written statement explaining how you use and protect donors’ private data.
There are two types of donor privacy policies: explicit or opt-out. An explicit policy tells donors you won’t sell or share their personal information without permission and gives donors the choice to let you use their data or not. An opt-out policy informs your supporters that you may use their information unless they specifically ask you not to do that.
The purpose of this policy is to engender trust and emphasize that the organization will not sell or share personal information without permission. “Having a donor privacy policy can allow the nonprofit to communicate to their donors the importance that they place on protecting their donor’s information.” Watchdog agencies and ratings groups check whether organizations have a donor privacy policy. For instance, Charity Navigator takes this factor into account for its “accountability and transparency score.”

Contents of Donor Privacy Policy

There is no prescribed length for a donor-privacy policy. It can be a simple paragraph. See, for instance, Charity Navigator’s policy which is posted on its website:

Our Commitment to Our Donors
We will not sell, share or trade our donors’ names or personal information with any other entity, nor send mailings to our donors on behalf of other organizations.
This policy applies to all information received by Charity Navigator, both online and offline, on any Platform (‘Platform’, includes the Charity Navigator website and mobile applications), as well as any electronic, written, or oral communications.
To the extent any donations are processed through a third-party service provider, our donors’ information will only be used for purposes necessary to process the donation.

Other organizations choose more detailed documents. For a longer policy, the Charities Review Council provides recommendations. First, it should be available in one of a number of ways: included in donor “giving envelopes” as well as on the group’s website, and printed out as a standalone document for any donor requesting one.
Second, it should:

  • Describe, specifically, which information – including “personally identifiable matter” – the organization collects from donors and how it’s collected.
  • Explain how the group uses donor information.
  • Give donors an “opt-out” choice or state that the charity doesn’t sell, trade, or share private data. Otherwise, explain which personally identifiable data the group may share with third parties, and why; and tell donors how they can access their data or change it.
  • List third-party websites and links on the organization’s website, and disclose if it uses “cookies.”
  • Describe security measures in place.

For an example of a longer donor-privacy policy, take a look at the one adopted by the National Council of Nonprofits.


By the way, that lavish corporate binder you felt pressured to buy isn’t needed; a simple, drugstore version is adequate. It’s a racket by the nation’s incorporation-service businesses from which they make gobs of money. (We admit: The nonprofit binders we supply to our clients are purchased through Amazon.)
Anyhow, it’s the twenty-first century; corporate records should be digitized and key documents posted on the website for the sake of transparency for your supporters and the general public.

For Purpose Law Group