It’s All About the Information
Websites historically contained mostly static information. However, technology evolves, and today, nonprofits rely on their websites to interact with stakeholders for important operational tasks, including:
- soliciting and enrolling volunteers;
- acknowledging fundraiser registrations;
- accepting charitable donations; and
- collecting newsletter and email distribution list subscriptions.
In each of the above examples, website users provide what the law classifies as Personally Identifiable Information (“PII”), which correlates to and identifies a specific user of a nonprofit’s website. Site users generally provide PII voluntarily – names, birthdates, email addresses, and credit card numbers for donations are common examples of voluntarily provided PII.
Laws are geographical but because websites theoretically can reach wherever the web reaches, a nonprofit’s presence may, for some purposes, be global. While this represents great opportunity for organizations, it also raises significant compliance issues. Nonprofits must understand how various state, federal, and international laws govern the collection and use of personal information and what must be disclosed to web users visiting the website.
Legal Requirements for PII Protection and User Privacy
The handling of online users’ personal information varies widely within the United States. In some states, the mere accessibility of a site in a user’s state means the nonprofit is subject to that state’s laws. For example, the California Online Privacy Protection Act (“COPPA”) applies not only to websites whose operators and servers are based in California but also those whose operators and servers reach individual consumers residing in California. Given the statute’s broad application, most nonprofit websites likely would be subject to the provisions of COPPA. In Illinois, the unauthorized use of personal information may be considered a violation of the Illinois Consumer Fraud Act. In Dwyer v. American Express Company, for example, the court ruled that American Express engaged in manipulative and deceptive practices by sharing information on consumer spending habits without first disclosing an intent to use the information for that purpose to the consumers.
On the federal level, the Federal Trade Commission (FTC) governs a variety of entities that are “organized to carry on business for [their] own profit or that of [their] members.” 15 U.S.C.A. § 44 (West). Ordinarily the FTC does not monitor activities of nonprofit organizations, especially public charities. Section 501(c)(6) trade associations and section 501(c)(3) public charities that engage in certain commercial activities, however, may trigger additional regulatory requirements under FTC oversight.
In the international context, nonprofits should understand that the United States and the European Union (“EU”), and other countries, approach online privacy very differently. While U.S. laws accommodate freedom of individual expression, EU laws are often more demanding, stressing individual privacy rights of the users. In 2006, the EU established a standard called the “Right to be Forgotten.” Under the standard, individuals are entitled to have certain personal data deleted so that third parties can no longer trace them. For fifteen years, the US and the EU operated under a joint safe-harbor framework to protect US entities reaching into the EU to conduct website transactions. Last month, however, the Court of Justice of the European Union invalidated the framework. As a result of the decision, the rules affecting US/EU handling of personal information are currently uncertain.
Finally, most jurisdictions require websites that collect PII to meet the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS protocols involve sophisticated encryption and data storage requirements. While the laws governing security procedures for credit card processing are beyond the scope of this article, nonprofits should also be aware that these special legal restrictions exist.
- Information Categories. Nonprofit administrators using websites need to have a detailed understanding of the type of information collected and way it is collected. The policy adopted must inform users about the type of information the website is collecting. This will probably include both information that users voluntarily supply, and other information collected without their knowledge.
- Security. The policy should also advise users of the ways in which their information is encrypted or otherwise protected. Detail the manner in which information is stored and transmitted. If a nonprofit receives contributions via credit card on its website, ensure that such use complies with the special encryption and other requirements required by states’ laws.
- Uses. Explain to the users how the nonprofit will utilize the information it gathers. If the website intends to transfer user information to third parties, the nonprofit needs to disclose this so that users are notified of the type of the specific information which is being transferred and for what purposes. If the organization plans to use email addresses in its email distribution list, this should also be disclosed.
- User Control. Good privacy policies inform users of their rights with regard to an organization's use of personal information.
- Control over content. Inform users about the ways in which the nonprofit will manage the information its website collects. For example, if a user created a log-in ID for access to certain website features, inform the user about how that logon and related information may be deleted.
- Option to opt out. Notify users how they may opt out of the collection of their personal information. Be sure to include detailed procedures and any limitations on the opt out option. For example, depending on the way that a website collects analytics information, it may not be possible to opt out of the gathering of certain types of information. Users must be advised of this. Users should also be informed that continued use of the site constitutes the user’s consent to continue to have this type of information collected.
- Updates. Include a simple statement to inform users about the organization’s protocols for updating the policy, including information about how notice will be provided of the updates.
- Contact Information. A nonprofit should identify one to two persons who are well versed in the organization’s website and can answer specific questions and address issues that may be raised by users. Include at least one of these persons as a contact on the policy, particularly with regard to requests to opt out or other question.