"Click here to donate!" - Tax, Fundraising and Privacy Laws and Launching Your Nonprofit Website

November 11, 2022

By: Delaney M. R. Knapp, Thomas W. Simcoe, and Shannon A. Knapp

Launching a website is one of the most exciting steps in setting up a new nonprofit. But the launch also presents some big questions: What organizational information can or should be made public or kept confidential? Do we have to register our nonprofit somewhere before we can start fundraising? Should we be worrying about cybersecurity and privacy law compliance?

We’ve assembled answers to these and other common legal questions we hear from nonprofits when they are creating or updating their websites. Please note that since we are New York lawyers, the information below applies New York law unless we specifically indicate otherwise.

1. Can we put our bylaws on our website? Are we required to? 

Yes, you can, although you don’t have to, at least in New York. Many organizations choose to upload copies of their bylaws and other key documents (e.g., certificate of incorporation, conflict of interest and whistleblower policies) to their websites. In some cases, as with whistleblower policies, this form of “publication” is specifically contemplated by New York law. These documents are typically already publicly available and published on the website of the Charities Bureau of the New York Attorney General, so putting them on your website doesn’t create any new risk or confidentiality concerns. Further, taking the extra step to include them can demonstrate your nonprofit’s commitment to transparency, and may instill confidence in its governance and leadership.

2. How about our Form 990 tax returns? Is it safe to publish them?

Yes, you can publish them, and yes, it is “safe” – in the sense that it isn’t creating any new risk. Your nonprofit’s Form 990 information returns, like those virtually all tax-exempt organizations, will be publicly available on the Internal Revenue Service’s website and on third-party websites, such as Guidestar. As with your nonprofit’s bylaws, making your 990s easily available on your website can demonstrate that your organization values transparency. Making your organization’s 990s easily accessible also provides donors and stakeholders with information which may inform their giving decisions or generate interest in collaborative partnerships or projects.

3. Do we need to register our website before raising funds? 

Nonprofit websites typically offer options for making charitable contributions, including the use of “donate now” apps or links to third-party fundraising platforms. Charitable solicitation laws are state laws, and each state has its own specific requirements for when registration is required. However, most states require nonprofits to register with a regulatory agency (in New York, this is the Charities Bureau) before fundraising from donors in the state, regardless of whether the fundraising is done in person, by mail or online. In that sense, online fundraising is no different than other more traditional kinds of fundraising.

Unfortunately, registering charities is a time-consuming process. The need to register in some states can be clear, such as registering in: (1) your nonprofit’s home state; (2) states where your volunteers or employees are physically present and soliciting funds and (3) states where you receive large volumes or dollar amounts of donations. Whether you need to register in other states can be much more uncertain, especially when the donations that are coming from donors in multiple states through your website are small and you aren’t actively targeting donors in any particular state. As of this writing, the ability of state charity regulators to assert legal jurisdiction over out-of-state charities such that they can require charities to register (and take enforcement actions against them) is unclear. The National Association of State Charities Officials has provided guidelines on charitable solicitations using the internet, commonly referred to as the Charleston Principles. If your nonprofit is soliciting contributions online, it should begin tracking receipt of donations by state and should be working with its counsel to determine when donations from a given state are approaching a threshold where registration is required or appropriate.

4. What information should we include about being a 501(c)(3)? Is there any required language?

Including information about your organization’s tax-exempt status and, even better, posting a copy of its 501(c)(3) determination letter from the Internal Revenue Service, confirms for donors that their donations are tax deductible. There is no required language but using the correct terminology will provide clarity for donors and other visitors to your website and avoid creating inaccurate expectations. Here is an example of the information that you can include:

Newco Nonprofit has been recognized by the Internal Revenue Service as exempt from federal income tax under Section 501(c)(3) of the Internal Revenue Code. Your contribution to NewCo Nonprofit may be tax deductible. Talk to your tax advisor about whether you can claim a deduction for your gift.”

Note that this language is not a substitute for the donor acknowledgment letter required under the tax laws.

5. What should we say while our 501(c)(3) application is pending with the IRS?

We commonly recommend refraining from soliciting charitable contributions while your exemption application is pending. Although exemption, once obtained, will usually be effective retroactive to the date of your organization’s formation (ensuring that any donations that you have received in the interim are tax deductible), sometimes things can go wrong – for example, the IRS post-formation filing deadline for retroactive exemption can be missed, or the IRS can take the position that your organization’s purposes do not qualify as exempt under Code Section 501(c)(3). These issues are less likely if you are working with qualified tax counsel, but be aware that if they do arise they can cause real problems for your donors. From the state perspective, charities registration is typically required before you begin soliciting. In New York, Charities Bureau registration can now be completed prior to receiving 501(c)(3) exemption, but you should confirm that is the case in all states in which you plan to solicit contributions. 

6. OK, but people are beating down the door to give us money!

We get it! But we nonetheless recommend exploring other options in situations like these when feasible. For example, working with a fiscal sponsor can be a great way to “accept” donations while waiting for confirmation of 501(c)(3) exemption and charities registration. A fiscal sponsorship is a contractual arrangement involving an established 501(c)(3) nonprofit which provides its tax-exemption, charities registration and other benefits to another entity (in this case, your organization) to empower it to carry out its mission. During this time period, the fiscal sponsor can receive and administer charitable contributions on behalf of your organization until your nonprofit is able to do so lawfully on its own.

7. How much information can we supply about our Board leadership?

We recommend using ordinary safe practices when it comes to sharing personal information online, but ultimately you should include what you think will be most impactful. Organizations often include basic information about their governing board, including names, titles and sometimes contact information or photographs of directors, officers and executive staff. This can personalize the mission and activities of the organization, highlight the experience of its leadership and instill a sense of accessibility to those individuals managing and operating your organization.

8. What is a privacy policy, and do we need one?

A “privacy policy” is a document that describes an organization’s general practices concerning the personal information that it obtains in the course of its operations. These policies help website visitors understand what is happening with their personal information. Privacy policies have become increasingly important for nonprofits due to the proliferation of privacy laws, as well as the indication by the Federal Trade Commission (FTC) and other enforcement agencies that it is best practice to include privacy policies and similar notices on websites. Furthermore, consumer expectations (including donor expectations) regarding personal data privacy are rising in the wake of high-profile data breaches in both the for profit and nonprofit sectors. General public awareness and concern about corporate use of personal information is also intensifying. As a result, having a privacy policy is an important tool to build trust and transparency with your stakeholders, donors and other visitors to your website. It also demonstrates that your organization is concerned about privacy and the security of its data.

Privacy policies should be customized for each organization and site based on the specific data practices that are occurring. A privacy policy usually includes details about what personally identifiable information is being collected, how that information is stored and shared, to whom it is shared, how the information is used and additional privacy rights or information that may be relevant given the practices of the nonprofit and what laws the nonprofit is subject to.

9. What about “Terms of Use”?

A website "terms of use” (sometimes referred to as “terms of services” or “terms and conditions”) is intended to be a legally binding contract between a website’s owner and the website’s users. Establishing terms of use allows organizations to outline rules and regulations for website visitors. It also provides protection for organizations by limiting liability and providing recourse in case of misuse of the website or the information that it provides. Like a privacy policy, a terms of use needs to be customized for each organization and site. A typical nonprofit website terms of use will include sections outlining website visitor obligations, disclaimer of liabilities for the nonprofit, intellectual property information and guidance concerning online payments and donations, if applicable.

10. What should we do about protecting our information?

Beyond privacy policies and terms of use, an organization must make sure it has internal mechanisms in place to protect any information it collects, especially personally identifiable information. This includes, for example, cybersecurity safeguards, internal policies and procedures concerning data retention and destruction, data breach response and vendor due diligence. Failure to have proper internal mechanisms in place can lead to costly data breaches and litigation.

Vendor due diligence is also of particular importance. For example, Blackbaud Inc., a leading vendor of software and other products for nonprofits, experienced a massive data breach and ransom attack in 2020 that resulted in multiple class action lawsuits. Many high-profile nonprofits had sensitive donor information compromised as a result of the breach. Whenever possible, your nonprofit should ensure that the technology vendors it uses, including your website developer, have proper cybersecurity and data privacy practices and insurances in place, and that your contract with them adequately covers the associated risks. These efforts are just as important as your organization’s internal protection mechanisms.

11. What else do we need to know?

When launching your website, it is important to determine what, if any, laws affect the website, any personal information or donations collected, website accessibility, etc. There are numerous different regulatory frameworks or laws, including, but not limited to, state unfair and deceptive business practice laws, FTC best practices, the European Union General Data Protection Regulation (GDPR), the recently passed Colorado Privacy Law and the California Online Privacy Protection Act (CalOPPA) that require certain documentation or compliance efforts for organizations concerning data privacy and websites generally. We recommend talking to your trusted counsel to determine what laws are relevant for your organization.

If you have any questions related to your nonprofit organization’s website, or would like more information on how to incorporate these elements into your website, please contact Thomas W. Simcoe, Delaney M. R. Knapp, Shannon A. Knapp, or the attorney at the firm with whom you are regularly in contact.