Donors trust you with sensitive information: their names, addresses, giving history, sometimes financial data. That trust is sacred. You're legally and ethically obligated to protect it.
Privacy law is complicated and varies by state and country. But the principles are simple: collect only what you need, protect what you collect, and respect donor wishes about how their data is used.
Legal Framework
No federal privacy law for donors (yet). Nonprofits aren't regulated the same way as banks or healthcare providers. But state laws are increasingly strict. California, New York, and Colorado all have privacy laws requiring nonprofits to secure personal data and notify people of breaches.
FTC Safeguards Rule. If you collect personal information, the FTC expects you to protect it with reasonable security. Vague, but you're expected to do better than nothing.
State breach notification laws. All 50 states require you to notify people if their personal data is breached. Most require notification without unreasonable delay.
International: GDPR (Europe) requires consent before collecting data from EU residents. If you have international supporters, learn GDPR (see Chapter 5.3 Lecture 7).
The Privacy Practices You Must Have
Privacy Policy
Post a clear, simple privacy policy on your website explaining: what data you collect, how you use it, who you share it with, how long you keep it, and how people can access/delete their data.
Say what you mean. "We collect your name, email, and giving history to communicate about our mission and provide tax receipts." Not "We collect information to improve our services."
Consent
Get explicit consent before using data for secondary purposes. Someone donates. You should send them receipts and thank-you messages. That's expected. But do you want to add them to your email newsletter? Ask first. Do you want to use their story in a fundraising letter? Ask permission.
For general donor communication: implied consent is usually fine (they gave a donation, they expect to hear from you). For everything else: ask explicitly.
Data Minimization
Collect only what you need. You need a donor's name, address, email, phone, and giving history. Do you need their employer? Political affiliation? Wealth estimate? Collect only what directly serves your mission. Everything else is risk.
Retention Limits
How long do you keep data after someone stops giving? Most nonprofits keep it indefinitely (in case they return as a donor). That's reasonable. But if someone asks to be deleted and isn't a current/lapsed donor, delete them (or anonymize so you can't identify them).
Write a retention policy: active donors forever, lapsed donors for 5 years after last gift, prospects for 2 years after last engagement, then delete.
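As an added example (not part of the chapter), here is how the retention schedule above could be applied to CRM records: each record is classified as active, lapsed or prospect, given a keep / anonymize / delete decision, and, when anonymized, stripped of identifiers with no mapping retained. The 18-month lapse threshold, the field names and the sample records are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Retention schedule from the text: active donors kept indefinitely, lapsed
# donors 5 years after last gift, prospects 2 years after last engagement.
LAPSED_RETENTION_YEARS = 5
PROSPECT_RETENTION_YEARS = 2
# Assumption (the page gives no figure): a donor counts as lapsed once
# 18 months (1.5 years) pass without a gift.
LAPSED_AFTER_YEARS = 1.5

@dataclass
class Record:
    donor_id: str
    name: Optional[str]
    email: Optional[str]
    gifts: list = field(default_factory=list)   # list of (date, amount)
    last_engagement: Optional[date] = None       # last contact, for prospects
    anonymized: bool = False

def _years(a: date, b: date) -> float:
    return (b - a).days / 365.25

def classify(rec: Record, today: date) -> str:
    """Return 'active', 'lapsed' or 'prospect' from the gift history."""
    if not rec.gifts:
        return "prospect"
    last_gift = max(d for d, _ in rec.gifts)
    return "active" if _years(last_gift, today) < LAPSED_AFTER_YEARS else "lapsed"

def retention_action(rec: Record, today: date) -> str:
    """Return 'keep', 'anonymize' or 'delete' under the schedule above."""
    kind = classify(rec, today)
    if kind == "active":
        return "keep"
    if kind == "lapsed":
        last_gift = max(d for d, _ in rec.gifts)
        return "anonymize" if _years(last_gift, today) >= LAPSED_RETENTION_YEARS else "keep"
    if rec.last_engagement is None or _years(rec.last_engagement, today) >= PROSPECT_RETENTION_YEARS:
        return "delete"
    return "keep"

def anonymize(rec: Record) -> Record:
    """Strip identifiers but keep gift history for aggregate reporting.
    No ID-to-person mapping is kept; keeping one would only pseudonymize."""
    return Record(donor_id="anon", name=None, email=None,
                  gifts=list(rec.gifts), anonymized=True)
```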
Access and Deletion Rights
A donor should be able to: ask what data you have about them, correct inaccurate data, and request deletion. Provide a way to do this (email address: privacy@[yourorg].org).
This is legally required in some states (California, Colorado). But it's also ethical. If someone asks "what do you know about me?" you should tell them.
Donor Privacy in Practice
CRM Security
Your CRM has all donor data. Protect it: access controls (not everyone can view all donors), encryption, backups, monitoring. (See Chapter 5.3 Lecture 1 for cybersecurity details.)
Data Sharing
Only share donor data with vendors who absolutely need it. If you use a mail vendor, they need addresses. They don't need email. Use contracts (Data Processing Agreements) that require vendors to protect data.
Never sell or license donor lists. Yes, you could make money renting your list to other nonprofits. Don't. Your donors gave to you, not to everyone. They trust you specifically.
Staff Access
The executive director doesn't need to see individual donation amounts. Finance staff don't need to see volunteer hours. Grant access based on role, not position.
Public Disclosure
Some states require nonprofits to disclose certain donor information (Form 990 lists major donors). That's legal. Your CRM shouldn't be public. But government filings will be.
Responding to Data Requests
A donor asks: "What data do you have about me?" You have 30-45 days (varies by state) to provide it. Pull their record from your CRM and send it (usually email, sometimes with redactions if it includes other people's data).
A donor asks: "Delete me." Do it. Remove their record, or anonymize it so you can't identify them. Don't keep it "just in case."
A donor asks: "Don't email me anymore." Honor it immediately. Remove from email lists. (They can still give and volunteer, they just won't get newsletters.)
Incident Response: If Data Is Breached
If personal data is accessed without authorization:
- Immediately notify leadership and insurance
- Assess scope: what data? How many people? How did it happen?
- Notify affected people within 30 days (most states require this)
- Notify state attorney general (if required by your state)
- Document everything for legal/insurance
- Fix the vulnerability so it doesn't happen again
Notification should say: what happened, what data was involved, what steps people should take (monitor credit, change passwords), how to contact you with questions.
Third-Party Risk
Your vendors (CRM, email, payment processor) have your donor data. Require them to: have liability insurance, sign a Data Processing Agreement, disclose if they get breached, and allow you to audit their security.
Major vendors (Salesforce, HubSpot, Stripe) have this baked in. Smaller vendors: ask. If they won't sign an agreement or disclose their security practices, consider a different vendor.
Privacy by Design
When you're choosing new tools or updating processes, think privacy from the start. Don't collect extra data "just in case." Don't share data with vendors who don't need it. Don't keep data longer than needed.
Privacy isn't a box to check. It's a practice.
Key Takeaway
Donor data is a trust, not an asset. Protect it. Be transparent about how you use it. Respect donor wishes. Have clear policies for collection, use, sharing, and deletion. This isn't just legal compliance—it's how you show respect to the people who fund your mission.
Frequently Asked Questions
Is it okay to share a donor list with another nonprofit we partner with?
No, not without explicit permission. A donor gave to you, not to your partner. To share the list, you'd need to ask them: "Can we share your information with [partner]?" Some will say yes. Some no. Honor their choice. The shortcut ("we're partners, so it's fine") erodes trust.
Can we use donor data for peer-to-peer fundraising campaigns?
Yes, if you ask. "We'd like to ask major donors like you to host a fundraising event and invite their friends. Can we send you our toolkit?" Then send the toolkit with peer fundraising materials. You're not sharing their data with others, you're asking them to participate.
What's the difference between anonymized and pseudonymized data?
Anonymized: you remove all identifying information so you can't re-identify the person even with additional data. That's true anonymization (rare). Pseudonymized: you replace their name with an ID, but you still have the mapping (ID 12345 = John Smith). For compliance, pseudonymized data is often treated as personal data (you still have to protect it). True anonymization is hard to do correctly.
Should we encrypt donor email addresses?
Encryption is extra protection but makes email lists harder to use (you have to decrypt to send mail). For donor data in CRM: yes, encrypt. For email lists you send to regularly: no, you'd have to decrypt constantly (and decrypted data is vulnerable anyway). Use access controls instead: limit who can see the list, monitor who accesses it.
Is our donor database HIPAA-regulated?
Only if you're a healthcare provider or clearinghouse and you're handling patient health information. Most nonprofits aren't. But if you're a health nonprofit working with patient data, you might be. Consult a lawyer. Other nonprofits aren't HIPAA-regulated just for handling donor data (even if donors are sensitive about privacy).