A donor privacy policy is the written commitment your nonprofit makes to every person who hands you a name, an email, a credit card number, or a major gift. It tells donors what you collect, why you keep it, who sees it, and how they can opt out. For a US 501(c)(3) or other tax-exempt organization, that policy is not a nice-to-have. Some state privacy laws now require a privacy notice outright, the BBB Wise Giving Alliance conditions accreditation on it, and most major fundraising platforms refuse to onboard a charity that cannot link to one. This donor privacy policy template is built for that reality: clear, defensible, and drafted to satisfy state regulators, payment processors, and watchdog ratings at the same time.
Charity leaders, development directors, and volunteer board members use this template when they launch a giving page, register for charitable solicitation in a new state, or respond to a donor's written request about their data. It is also the document an attorney general's office will ask for first when a complaint lands on their desk.
Donor Privacy Policy for US Nonprofits | Word & PDF Template
What is a donor privacy policy?
A donor privacy policy is a public-facing statement, usually posted on the charity's website and referenced on receipts, that describes how the organization handles personal information collected from donors and prospective donors. It is not the same document as a general website privacy policy, even though many small nonprofits collapse the two. The general policy covers anonymous browsing data, cookies, and analytics. The donor privacy policy covers identifiable financial and relationship data: who gave, how much, when, by which channel, and what restrictions they attached to the gift.
The scope is broader than people assume. It covers credit card and ACH information processed through a payment platform, mailing addresses captured at a gala, donor-advised fund recommendation letters, pledge schedules, planned giving inquiries, in-memoriam dedications, and the soft data your CRM builds over time (wealth scores, giving propensity, event attendance, board affiliations). All of that is personal information under modern US privacy statutes, and donors have started to ask about it.
The policy works on two levels. Externally, it is a contract of trust with the donor and a compliance artifact for regulators, accreditation bodies, and platforms. Internally, it is the operating manual your staff and contractors must follow when they receive, store, share, or destroy donor records. A policy that lives only on the website but contradicts what the development team actually does is worse than no policy at all: a published promise the charity does not keep is exactly what a state attorney general's charities bureau looks for when a complaint arrives, and the BBB standard treats the posted policy as a commitment the charity must actually honor, not a disclosure it can post and ignore.
Legal framework
US donor privacy law is a layered patchwork, not a single federal statute. At the federal level, the Internal Revenue Code governs what charities must disclose on their annual Form 990, and Schedule B of that return identifies major donors. After the Supreme Court's decision in Americans for Prosperity Foundation v. Bonta, 594 U.S. 595 (2021), states can no longer compel nonprofits to file unredacted Schedule B information as a blanket condition of charitable solicitation registration. California, New York, and New Jersey, the states that had demanded it, have updated their attorney general requirements accordingly. Your donor privacy policy should reflect that donor names and addresses reported to the IRS are protected from public inspection under IRC §6104(b) and §6104(d)(3)(A).
The state layer is where most of the actual operational rules now sit. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (operative January 1, 2023), applies only to for-profit "businesses" and so exempts most 501(c) organizations, but the Colorado Privacy Act, effective July 1, 2023, contains no nonprofit exemption and applies in full to any charity processing personal data of Colorado residents above the statutory thresholds; Oregon's Consumer Privacy Act likewise brought nonprofits into scope on July 1, 2025. The Virginia Consumer Data Protection Act takes a different path, exempting nonprofits but only until July 1, 2027, after which most charities will fall in scope. New York's SHIELD Act requires every organization holding private information of New York residents, nonprofits included, to implement "reasonable" administrative, technical, and physical safeguards and to notify affected donors after a security breach.
Alongside the statutory layer sits the BBB Wise Giving Alliance accreditation framework, which is voluntary but functions as a de facto requirement for many funders. Standard 18(b) requires any charity website that collects personal information to post a privacy policy disclosing what is collected, how it is used, how donors can contact the charity to review and correct their data, how they can inform the charity that they do not want their information shared outside the organization, and what security measures are in place. The full text of this requirement is available in the BBB Wise Giving Alliance Standards for Charity Accountability. Major fundraising platforms, foundation grant officers, and corporate giving programs treat compliance with Standard 18 as a baseline due diligence checkpoint, and our nonprofit document library is built to align with it from day one.
When do you need this document?
The most common trigger is launching, or relaunching, an online giving page. Payment processors and platforms like Stripe, PayPal Giving Fund, Donorbox, and Classy now perform light compliance review during onboarding, and a missing or boilerplate privacy policy is one of the recurring reasons a charity application stalls. Boards that are pushing a year-end appeal often discover this in November, three weeks before they planned to go live, which is the worst possible timing.
The second trigger is multi-state charitable solicitation registration. Roughly forty US states require some form of registration before you ask their residents for donations, and a growing number ask registrants to attest that they maintain a donor privacy policy aligned with general fair-information principles. Charities that built their original policy a decade ago, before the Bonta decision and the Colorado Privacy Act, are now updating in batches as renewal windows open. Pair this work with a refresh of your governance package and your nonprofit bylaws and board templates, since the policy will reference board oversight responsibilities.
Major-gift cultivation and planned giving programs require the same document for a different reason: large donors, family offices, and donor-advised fund sponsors ask for it directly during diligence, often through a written questionnaire. The same applies when a foundation conducts a site visit or when a corporate sponsor signs a multi-year cause marketing agreement. One edge case worth flagging: peer-to-peer fundraising drives, where individual supporters create personal fundraising pages on your behalf, can expose donor data to a third-party platform you do not directly control. Your policy must address that delegation explicitly, or you inherit the platform's defaults whether you reviewed them or not.
A final, less obvious situation is a data breach response. The moment a charity discovers unauthorized access to donor records, the SHIELD Act timer and similar state breach-notification statutes begin to run. Without a written policy describing your incident response, you are improvising at exactly the moment when documentation matters most.
Key clauses included in our template
- The scope and definitions clause draws the line between general website visitors and identifiable donors, and lists the categories of personal information actually collected: contact details, payment data, gift history, communication preferences, public-recognition choices, soft demographic data, and any donor-advised fund or planned giving indicators. Vague language like "we collect information you provide" fails the BBB Standard 18(b) test and is rewritten with the specificity regulators expect.
- The purposes of processing section explains why each category is collected, separating fundraising operations, tax-receipt issuance under IRC §170, IRS reporting on Form 990, donor stewardship, and analytics. This separation matters because the Colorado Privacy Act and similar statutes require purpose-specific disclosures, not a single catch-all paragraph.
- The sharing and disclosure clause lists every category of third party who may receive donor data: payment processors, CRM and email service providers, mail houses, professional fundraising counsel under state registration laws, and auditors. It also states clearly that the charity does not rent, sell, or trade donor lists with other organizations unless the donor has affirmatively opted in, which is the language BBB Standard 18(b) and most state regulators expect to see.
- The donor rights clause describes how a donor can access their record, correct inaccurate information, request deletion subject to legal retention obligations, and opt out of solicitation channels. It is drafted to satisfy the access, correction, deletion, and opt-out rights now codified under the Colorado Privacy Act and similar laws, without overpromising rights the charity cannot honor across all states.
- The security and retention clause sets out the administrative, technical, and physical safeguards the charity maintains, in alignment with the New York SHIELD Act "reasonable safeguards" standard. It also fixes retention periods consistent with IRS recordkeeping rules under §6001 and with state charitable solicitation renewal cycles, so that the policy matches your document retention schedule rather than contradicting it.
- The changes and contact clause names a privacy officer, gives a working email and postal address, and explains how updates to the policy will be communicated. BBB Standard 18(a) separately expects written appeals to give both new and continuing donors, at least annually, a means (such as a check-off box) to tell the charity they do not want their name and address shared outside the organization, and the template includes annual opt-out notice language that satisfies that expectation.
State-specific considerations
California. Although 501(c) organizations are largely exempt from the California Consumer Privacy Act under Cal. Civ. Code §1798.140(d), that exemption does not extend to any commercial co-venture, cause marketing arrangement, or for-profit subsidiary the charity controls. California also continues to require charitable solicitation registration with the Registry of Charitable Trusts under Gov. Code §12580 et seq., and the Attorney General's office now follows Americans for Prosperity Foundation v. Bonta by no longer compelling unredacted Schedule B filing. Charities operating in California should explicitly reference the redaction policy in their donor privacy statement, because California donors are the most likely to ask about it by name.
New York. The SHIELD Act, codified at N.Y. Gen. Bus. Law §899-bb, applies to any organization holding private information of New York residents, with no carve-out for nonprofits. Charities must implement reasonable administrative, technical, and physical safeguards and notify affected residents after a security breach under §899-aa. The Attorney General's Charities Bureau also publishes guidance on donor data handling that supplements the SHIELD Act baseline, and your employment policies for charity staff should reference the same safeguards for anyone with CRM access.
Colorado. The Colorado Privacy Act, codified at C.R.S. §6-1-1301 et seq., took effect July 1, 2023 and contains no exemption for nonprofits. Any charity that controls or processes the personal data of 100,000 or more Colorado consumers in a calendar year, or of 25,000 or more consumers while deriving revenue or a discount from the sale of personal data, falls under the full set of CPA obligations: privacy notice, opt-out rights, right to access, right to correct, right to delete, data portability, and a controller-processor allocation in contracts with vendors. The template includes Colorado-specific language because boilerplate from a pre-2023 policy will not support a compliant response to a Colorado donor's data-rights request.
Virginia. The Virginia Consumer Data Protection Act, at Va. Code §59.1-575 et seq., currently exempts nonprofits, but that exemption expires July 1, 2027 under amendments enacted by 2024 Va. Acts ch. 791. Charities with significant Virginia donor populations should begin updating their policy now rather than waiting for the sunset, since prospective application requires lead time for CRM and consent infrastructure. Confirm the current text of the exemption in §59.1-576 before relying on any date, because the exemption list has been amended more than once since enactment.
How to fill out this donor privacy policy
You begin by selecting your nonprofit's legal name, state of incorporation, and EIN, exactly as they appear on your IRS determination letter and your most recent Form 990. The template then asks for the categories of donor data you actually collect, not the categories your CRM happens to support, because over-disclosure is almost as risky as under-disclosure. From there, the form walks you through your fundraising channels, your payment processor, and the third-party services that touch donor records, and it adapts the disclosure language to each combination.
The next stage covers donor rights and operational responses. You name a privacy officer, set a response window for access and deletion requests, and confirm the states where you actively solicit, so the template can layer the right state-specific paragraphs (Colorado, Virginia, New York, California) on top of the federal baseline. You also indicate whether your charity exchanges donor lists with any partner organization, because the answer determines whether your policy reads as a strict no-share document or a policy with affirmative opt-in cooperation. Once you confirm the inputs, the system generates an editable Word file and a finalized PDF, ready to upload to your website, send to your BBB Wise Giving Alliance reviewer, or attach to a charitable solicitation registration in a new state. You can also pair the export with a contractor agreement for your fundraising counsel so internal and external handling rules are aligned.
Common mistakes to avoid
The most damaging mistake is copying a for-profit website's privacy policy and swapping the company name. A retailer's policy is built around marketing analytics and cookie consent under the CCPA business framework, not around donor stewardship, Schedule B confidentiality, or BBB Standard 18(b) opt-out language. Regulators recognize the template on sight, and so do experienced donors. The second recurring mistake is silence on list rental or list exchange: charities that do not exchange donor data still need to say so in writing, because BBB Standard 18(b) expressly tests for that disclosure, and donors increasingly assume the worst when the policy is ambiguous.
A third mistake is treating the policy as a static document. The 2021 Bonta decision, the 2023 Colorado Privacy Act, and the upcoming 2027 expiration of the Virginia nonprofit exemption are three concrete examples of legal shifts that should have triggered policy revisions, and many charities are still running policies dated 2018 or earlier. Annual review is the floor, not the ceiling. A fourth mistake, mostly seen at smaller organizations, is naming a privacy officer who has since left the board or the staff, leaving donor inquiries to bounce to a dead inbox; that single broken contact line is enough for a BBB Wise Giving Alliance complaint to escalate. The last mistake is failing to mirror the policy in your internal procedures: a public policy that promises 30-day response to access requests, with no internal workflow behind it, is a written admission of non-compliance. Your internal governance and compliance documents should reflect the same response windows the public policy commits to.