loader image

A Nonprofit’s Guide to Navigating Data Privacy Laws

by Jan 24, 2025Data for Nonprofits, Data Privacy0 comments

Over the past several years, it’s become increasingly clear that data is the key to stronger marketing and fundraising strategies. With data, you can learn about your donors, volunteers, and other supporters and apply that information to the messaging you send them for more personalized communications.

However, with an increased focus on data comes the need for more data regulations. 80% of adults worldwide are concerned about their online privacy. To protect them, data privacy laws governing how organizations collect and use data have become more prevalent.

This guide provides tips for navigating these data privacy laws and incorporating privacy into your data strategy to keep your organization compliant and protect constituent information.

1. Understand the laws that apply to your organization.

The first step in navigating data privacy laws is to review and comprehend them. While you should dig deep into the nuances of each law that applies to your organization, here is a brief overview of a few relevant data privacy laws:

  • General Data Protection Regulation (GDPR). GDPR is a data privacy regulation enacted by the European Union that applies to all organizations that process the personal data of people living in the EU. This regulation gives individuals the right to know how organizations use their personal data and access, correct, and delete their data if they wish. GDPR also requires organizations to obtain consent for data collection and report any data breaches.
  • California Consumer Privacy Act (CCPA). The CCPA is a state data privacy law, but similar to the GDPR, any organization with constituents in California must comply. The law gives California residents the right to know what personal data organizations collect from them, how they plan to use it, and whether they share data with third parties. They can also access their data, request data deletion, and opt out of the sale of their data.
  • CAN-SPAM Act. The CAN-SPAM Act is a U.S. federal law regulating commercial email communications. As Bloomerang’s email marketing guide explains, organizations must avoid deceptive subject lines, not use misleading information, provide their addresses, allow users to opt out and honor those requests, and clearly identify ads.
  • Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a U.S. federal law regarding protected health information (PHI). The law limits how covered entities (such as healthcare providers) can use and disclose PHI and requires them to safeguard this data against security threats.
  • Children’s Online Privacy Protection Rule (COPPA). COPPA is a U.S. federal law that protects the personal information of children under 13. The law requires websites and online services to obtain parental consent before collecting personal information from children, allow parents to review or request the deletion of their children’s data, and maintain the confidentiality and security of this information.

Ensure everyone on your team—especially those working directly with constituent data—is aware of the privacy laws affecting your organization and what they must do to remain compliant.

2. Audit your database and data procedures.

Take stock of how you currently store and manage data to identify any compliance gaps. A data audit is an essential step in the data hygiene process, and regular audits will help you remain organized and compliant in the future.

To conduct a data audit, follow these steps:

  • Pinpoint what types of data you collect and how you use them. Get a general sense of the kinds of data you collect across communication channels and how your nonprofit uses this information. For example, you may collect names and contact information to stay in touch with supporters. Recording this information will help you more clearly explain to supporters how you use their data and stay compliant with regulations that require you to do so.
  • Note who has access. Not every team member necessarily needs access to all stored data. Take note of who currently has access to different data types and determine who actually needs this access to do their jobs effectively.
  • Identify sensitive data. Highlight sensitive information like health or payment data that requires extra protection. Then, analyze how you collect, store, and manage this data to ensure it meets industry standards and follows relevant laws.

During your data audit, you may notice outdated or unnecessary information in your database. Consider working with a data provider to fill information gaps and suppress unhelpful data, such as contact information for supporters on “Do Not Mail” lists, to round out your database and further protect data privacy.

3. Obtain consent for data collection.

Consent is a major focus for many data privacy laws. Ensure you explicitly obtain consent and follow supporters’ wishes by:

  • Allowing them to opt into data collection and communications. No matter whether a supporter has been subscribed to your newsletter for years or a social media follower since the beginning, you must always ask constituents if they’d like to opt into new data collection or communications before moving forward. For extra transparency, consider enabling a double opt-in process. For example, if a supporter signs up to receive text updates from your organization, you may send them a text message thanking them and asking them to reply “YES” to confirm their registration.
  • Letting them know how you plan to use their data. Supporters should be able to give you their informed consent, meaning they know exactly how you’ll use their data before they give it to you. List any possible uses for the data you’re collecting and refer supporters to your data privacy policy for more information.
  • Storing their preferences. Keep track of data collection opt-in and opt-outs in your constituent relationship management platform (CRM) to ensure you adhere to supporter preferences. You may also use a preference center that allows constituents to update their data preferences on their own.

While you can control whether you obtain consent for the data your organization collects, review any third-party data providers’ data collection practices to ensure your data partners comply with privacy laws and best practices.

4. Implement data security measures.

Protect supporter information from data leaks and fraud with proper data security measures. Take the following steps to ensure data security:

  • Choose secure tools. Any technology you use to collect, process, store, and manage data should have ample security measures in place. For instance, select a PCI-compliant payment processor that offers fraud management and protection.
  • Limit data access. Develop a data governance policy that limits data access to only those who need it. Use access controls and multi-factor authentication to verify the identity of users logging into your systems.
  • Leverage data encryption. Protect sensitive data like health and payment information using data encryption. That way, you can securely store and share this information as needed.

To build trust with supporters, feature your security measures on your website. You may even mention your efforts to protect sensitive data on your donation page to ease donors’ worries about entering their payment information.

Elevate your marketing and fundraising strategies with safe, secure, privacy-compliant data usage. Use resources like the International Association of Privacy Professionals (IAAP) U.S. State Privacy Legislation Tracker to stay updated on changing regulations. You should also regularly review and update your data privacy policies to ensure compliance.

Categories

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *