Privacy Policy Summary & Law
January 2007
What: Mandatory compliance with privacy policy law
Who: Every nonprofit organization
When: Action should be taken immediately
For more information, please visit http://www.the-dma.org/privacy.
GENERAL INFORMATION
Every organization, including every nonprofit organization (NPO), must adhere to United States privacy legislation. It is therefore imperative that every NPO working with Papilia must create a privacy policy. The purpose of a privacy policy is to protect the Personally Identifiable Information (PII) that supporters provide to the NPO. Once the privacy policy has been established, it should be stated very clearly to supporters, so they will understand how the information they provide to the NPO is to be utilized.
The privacy policy should be posted in a prominent place on the NPO’s website, as well as on the My Website pages that NPO supporters access through the Papilia platform. Best practices dictate that the privacy policy should be referenced in all communications to supporters. For example, every email communication should include a link to the privacy policy where it resides on the NPO’s website. Direct mail pieces should include either the privacy policy URL, or occasionally, a hard copy of the privacy policy. Call center representatives (if applicable) and/or anyone who directly communicates with supporters should be prepared to handle inquiries regarding the location and content of the privacy policy.
THE CALIFORNIA ONLINE PRIVACY PROTECTION ACT
Effective July 2004, the California Online Privacy Protection Act requires operators of websites and online services that collect PII from California residents through the Internet to conspicuously post on their website a privacy policy that complies with prescribed disclosures. The statute is written for operators of commercial websites and online services, and it applies based on where the supporter resides, not where the NPO is located. PII is any piece of information which could potentially be used to uniquely identify, contact, or locate a single person. Papilia recommends that you follow California law for all websites and all supporters (regardless of state) in order to ensure compliance.
What is considered PII? What is not?
Items which are considered PII include, but are not limited to, a person's:
Full name (if not common)
National identification number
Telephone number
Street address
E-mail address
IP address (in some cases)
Vehicle registration plate number
Driver's license number
Face, fingerprints, or handwriting
Credit card numbers
Date of Birth
Information that is not generally considered PII:
First or last name, if common
Country, state, or city of residence
Age, especially if non-specific
Gender or race
Name of the school they attend or workplace
Grades, salary, or job position
Criminal record
Sometimes multiple pieces of information, none of which is PII on its own, will uniquely identify a person when brought together. City of residence, age, and gender are each harmless alone, but the combination may match only one supporter in a mailing list; such fields are often called quasi-identifiers. Treat any combination of fields that can single out an individual with the same care as the PII items listed above. For more information on PII, please visit: http://en.wikipedia.org/wiki/Personally_identifiable_information
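The following is an added example, not part of Papilia's guidance, showing how to check whether a supporter file built only from the "not generally PII" fields above still singles out individuals. The records are constructed for illustration; the column names, the helper functions, and the k-anonymity framing are this example's own assumptions.

```python
# Added example (not part of the original Papilia guidance): shows how fields the
# page lists as "not generally PII" can single out one supporter once combined.
from collections import Counter
from itertools import combinations

# Constructed sample records. Every field is one the page treats as not PII on its own.
SUPPORTERS = [
    {"id": 1, "city": "Oakland", "age": 34, "gender": "F", "employer": "Acme Corp"},
    {"id": 2, "city": "Oakland", "age": 34, "gender": "F", "employer": "Oakland Unified"},
    {"id": 3, "city": "Oakland", "age": 34, "gender": "M", "employer": "Acme Corp"},
    {"id": 4, "city": "Fresno",  "age": 52, "gender": "F", "employer": "Acme Corp"},
    {"id": 5, "city": "Fresno",  "age": 52, "gender": "F", "employer": "Acme Corp"},
    {"id": 6, "city": "Fresno",  "age": 52, "gender": "M", "employer": "Acme Corp"},
]


def group_sizes(records, quasi_ids):
    """Count how many records share each combination of the given quasi-identifier values."""
    return Counter(tuple(r[col] for col in quasi_ids) for r in records)


def min_k(records, quasi_ids):
    """Smallest group size; the file is k-anonymous on these columns only if this is >= k."""
    return min(group_sizes(records, quasi_ids).values())


def singled_out(records, quasi_ids):
    """IDs of records that are unique on the quasi-identifier combination (re-identifiable)."""
    sizes = group_sizes(records, quasi_ids)
    return sorted(r["id"] for r in records if sizes[tuple(r[c] for c in quasi_ids)] == 1)


def risky_combinations(records, columns):
    """Every subset of columns under which at least one record is unique.

    Uniqueness is monotonic: a record unique on some subset stays unique on any
    superset, because adding columns can only split groups further.
    """
    risky = []
    for n in range(1, len(columns) + 1):
        for combo in combinations(columns, n):
            if singled_out(records, combo):
                risky.append(combo)
    return risky


if __name__ == "__main__":
    cols = ["city", "age", "gender", "employer"]
    for combo in risky_combinations(SUPPORTERS, cols):
        print(f"{'+'.join(combo)}: singles out supporter ids {singled_out(SUPPORTERS, combo)}")
```

Run against a real export, the `risky_combinations` list tells you which column sets a third party must not receive together, even when each column looks harmless on the checklist. Here city alone leaves every supporter in a group of three, but city plus gender already singles out two of the six records, and the full set of four columns identifies four of them.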
Privacy Policy Checklist:
- Identify the categories of PII that the NPO collects through the website or online service and the categories of third-party persons or entities with whom the NPO may share PII
- Describe how a consumer can review and make changes to his or her PII
- Describe how consumers can learn of changes in the NPO's privacy policy
- Identify the effective dates of the privacy policy
GENERATING A PRIVACY POLICY
The Direct Marketing Association website has a useful tool for generating a privacy policy. It can be found at:
http://www.the-dma.org/privacy/creating.shtml
Please note: The above generator is tailored for commercial organizations, so some adjustment and approval will be necessary. It is also important for NPOs to get approval from their legal counsel before finalizing the content of the privacy policy. Once the privacy policy has been generated and posted, all supporters should be made aware of its existence. As mentioned above, best practices dictate that the privacy policy should be referenced in all communications to supporters.
While it is ultimately each NPO's responsibility to comply with all laws, your Papilia Client Services Manager will follow up with you regarding your NPO's privacy policy and encourage compliance. We recommend contacting your NPO's legal team for further direction. If you have any questions in the meantime, please do not hesitate to contact us.