iAccording to Giving USA, charitable contributions in 2020 exceeded $470 billion, 70 percent of which came from individuals. Individuals deciding to donate to a particular organization may be considering factors beyond the organization’s particular mission, however compelling it may be. Misleading GoFundMe campaigns, FTC crackdowns on deceptive charities, and poorly run organizations are some of the reasons for increased scrutiny. One more reason is concern over how not-for-profit and charitable organizations handle donor personal information.
According to some reports, a third of donors perform research before donating. To assist these donors, several third-party rating sites, such as Charity Navigator, the Wise Giving Alliance, and CharityWatch, do much of the legwork for donors. They collect large amounts of data about these organizations, such as financial position, use of donated funds, corporate governance, transparency, and other practices. They obtain most of that data from the organizations’ Forms 990 and websites, where many organizations publish privacy policies.
Rating sites such as Charity Navigator base their ratings on comprehensive methodologies. A significant component of Charity Navigator’s rating, for example, relates to accountability and transparency, made up of 17 categories. A review of an organization’s website informs five of those 17 categories, namely (i) board members listed, (ii) key staff listed, (iii) audited financials published, (iv) Form 990 published, and (v) privacy policy content. Charity Navigator explains why it considers website privacy policies and which policies receive the highest rating:
Donors can be reluctant to contribute to a charity when their name, address, or other basic information may become part of donor lists that are exchanged or sold, resulting in an influx of charitable solicitations from other organizations. Our analysts check the charity’s website to see if the organization has a donor privacy policy in place and what it does and does not cover. Privacy policies are assigned to one of the following categories:
Yes: This charity has a written donor privacy policy published on its website, which states unambiguously that (1) it will not share or sell a donor’s information with anyone else, nor send donor mailings on behalf of other organizations or (2) it will only share or sell personal information once the donor has given the charity specific permission to do so.
Opt-out: The charity has a written privacy policy published on its website which enables donors to tell the charity to remove their names and contact information from lists the charity shares or sells. How a donor can have themselves removed from a list differs from one charity to the next, but any and all opt-out policies require donors to take specific action.
No: This charity either does not have a written donor privacy policy in place or the existing policy does not meet our criteria for protecting contributors’ personal information.
The privacy policy must be specific to donor information. A general website policy which references “visitor” or “user” personal information is insufficient. A policy that refers to donor information collected on the website is also not sufficient as the policy must be comprehensive and applicable to both online and offline donors. The existence of a privacy policy of any type does not prohibit the charity itself from contacting the donor for informational, educational, or solicitation purposes.
Regulatory compliance obligations for websites have expanded in recent years, with privacy policies among the requirements. Even a website compliant with applicable regulation, however, may not derive an optimal score with Charity Navigator. For example, in many cases, website privacy statements need only apply to data collected on the website, not elsewhere at the organization. Also, website regulations do not require donors be specifically addressed. The point reduction for non-conforming privacy policies is relatively small for Charity Navigator, but can have an impact. Rating company CharityWatch reports on privacy policies “as an informational benchmark” but does not factor that information into its ratings.
The extent to which donors might direct their charitable dollars away from organizations without optimal ratings on privacy is unclear. At the same time, quickly posting a privacy policy to enhance a third-party rating in the hope of driving additional donors is probably not a prudent response. Not-for-profit, charitable organizations want to be sure their website privacy policies are compliant and consistent with their practices involving data, while also positioning them well to maximize donations in support of their mission. Drafting and maintaining these policies takes considerable care and attention.
