Before you make a charitable donation, do you consider how the charity might make use of your personal information? In other words, do you check for a donor privacy policy? Did you realize that some charities don’t have a written privacy policy for donors, and that those charities may be selling or sharing your personal information with third parties without you knowing it?
CharityWatch informs donors whether or not the charities we rate have a donor privacy policy. On charitywatch.org, we include this information with a charity’s Governance & Transparency benchmarks, and in our Charity Rating Guide & Watchdog Report, we use an eyeball symbol after a charity’s name to denote the lack of a privacy policy. Even though we do not factor donor privacy policy information into determining a charity’s letter grade rating or Top-Rated status, we believe donors should know if a charity has a privacy policy and should factor that into their giving decision.
Building Public Trust
By protecting the privacy of donor information, a nonprofit helps build public trust. Most nonprofits treat donor information with a high level of confidentiality. The Association of Fundraising Professionals (AFP), however, believes it is still necessary for nonprofits to establish a donor privacy policy to assure donors of their privacy when making a contribution.
The AFP has a Code of Ethical Principles and Standards of Professional Practice, which AFP members are required to sign annually. The AFP, along with the Association for Healthcare Philanthropy (AHP), Council for Advancement and Support of Education (CASE), and The Giving Institute, also developed “A Donor Bill of Rights.” Adopted in 1993, the Donor Bill of Rights was created “[t]o assure that philanthropy merits the respect and trust of the general public, and that donors and prospective donors can have full confidence in the not-for-profit organizations and causes they are asked to support.” The Donor Bill of Rights and the AFP Code each address donor privacy, including giving donors the opportunity for their names to be deleted from mailing lists (i.e., an opportunity to “opt-out”).
What Should a Donor Privacy Policy Contain?
According to the Association of Fundraising Professionals, a donor privacy policy should explain three things: (1) how donor information will be used; (2) if donor information is ever shared; and (3) how a donor’s name can be removed from the organization’s mailing list. A description of how donor information is collected also should be included. Donor privacy policies may also provide additional details, such as: the specific personally identifiable (e.g., full name, street address, email address, phone number, credit card information) and non-personally identifiable (e.g., year of birth, ethnicity, education level, web browser cookies, IP address) information collected from donors; for what purpose personally identifiable information may be shared; how and to what extent donors can access their personal information and/or change it; a description of the organization’s security measures; and a description of any cookies used on the organization’s website. A donor privacy policy should be publicized on the nonprofit’s website, and a brief statement thereof should be included with direct mail solicitations on donation response cards.
CharityWatch’s Donor Privacy Policy Benchmark
In order to meet CharityWatch’s informational Privacy Policy benchmark, a charity must have a privacy policy (or policies) that apply to the collection of donor information both online and offline, and the charity must post the policy on its public website. As part of a charity’s Governance & Transparency benchmarks on charitywatch.org, CharityWatch also reports on the type of donor privacy policy a charity maintains, either: (1) no sharing, (2) opt-in, or (3) opt-out, as described below:
- No Sharing Policy: The organization will not share, sell, or exchange a donor’s information for third party fundraising or marketing purposes.
- Opt-In Policy: The organization will not share, sell, or exchange a donor’s information for third party fundraising or marketing purposes unless the donor explicitly grants permission for the organization to do so.
- Opt-Out Policy: The organization will not share, sell, or exchange a donor’s information for third party fundraising or marketing purposes if a donor opts out of allowing the organization to do so. An opt-out policy needs to include clear instructions for how donors can opt out in order to meet the benchmark.
Charities whose privacy policies lack clear information about how donors can opt in or opt out of personal data sharing will not satisfy CharityWatch’s Privacy Policy benchmark.