By Cheryl R. Olson, CPA, CGMA and
Co Author Paul L. Havel, Intellectual Property Team Leader, Miller Nash Graham & Dunn LLP
(This article was originally published on 2/1/2016 by NetRaising | a web consultancy. It was updated on 7/29/2020 to reflect the latest guidance and information.)
You’ve created the perfect website. You’ve spent countless hours with website designers and consultants. You’ve spent weeks writing and rewriting content, perfecting your message, choosing the right graphics, and making sure your website tells your story.
For example, if your website has social networking elements or content contributed by users, you may want to include a disclaimer that states each person is responsible for the content that they contribute or post and that you do not review, endorse, or approve of their content. In addition, you may want to reserve the right to remove content that is offensive.
Limitation of Liability
Limit your organization’s liability in certain situations, again depending on the sophistication of your website and what your website contains and allows.
Website Copyright/DMCA Policy
This policy is intended to provide a legal safe harbor under the Digital Millennium Copyright Act (DMCA) to protect online service providers from copyright infringement liability resulting from certain acts by their users. The DMCA requires you to appoint an agent and register that agent with the U.S. Copyright office. The agent is the designated individual at the organization to receive complaints regarding copyright infringement. Below are links to read more about copyright infringement:
Set Governing Law and Venue
Set Forth the Permissible Use of the Website
Viewing content, downloading for personal use, linking, etc.
There are many federal and state statutes that govern data privacy; below are examples of what some of these laws cover:
Children’s Online Privacy Protection Act (“COPPA”)*
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of websites or online services that have actual knowledge that they are collecting personal information online from a child under 13.
Computer Fraud and Abuse Act (“CFAA”)
The CFAA prohibits intentionally accessing a computer without authorization or in excess of such authorization.
Fair Credit Reporting Act (“FCRA”)
The FCRA promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. It grants certain rights to consumers and places specific burdens on those furnishing or using consumer reports.
California Online Privacy Protection Act (“CalOPPA”)
California Consumer Privacy Act (“CCPA”)
The CCPA took effect on January 1, 2020. This regulation grants California residents new rights in connection with their “Personal Information.”
Family Educational Rights and Privacy Act (“FERPA”)
FERPA protects the privacy of student education records and gives parents certain rights with respect to their children’s education records, including the right to inspect and review them.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA provides security and privacy protections in order to keep patients’ medical information safe.
General Data Protection Regulation (“GDPR”)
The GDPR came into effect in May of 2018 and provides EU citizens with significant control over their personal data. The law applies to any organization in or outside of the EU that offers goods or services to EU citizens; nonprofits could be considered to provide goods or services by holding conferences or meetings in the EU or by monitoring the online behavior of EU residents who visit their websites.
- What kind of information does the organization collect?
- How is the information collected?
- How does the organization use the data collected?
- How does the organization protect the data collected?
- Does the organization share the collected data with others, and if so, what is shared and with whom?
- Do users/customers of the organization have control over their personal data, and if so, what kind of control do they have?
- How long will the organization retain the consumer’s data?
Additionally, California’s newer privacy law, the CCPA, mandates that certain businesses collecting personal information of California residents afford those individuals the following additional rights:
- the right to know what data is collected about them;
- the right to know whether their data is sold and to whom;
- the right to access their personal information;
- the right to opt out of the sale of their personal information; and
- the right to equal treatment if they exercise their rights.
These rights must be made clear in a company’s privacy notice.
Although the regulation does not expressly apply to nonprofits, there are a few exceptions where nonprofits will be required to comply:
- If a nonprofit is controlled by a for-profit business, or vice versa;
- If a nonprofit enters into a joint venture with a for-profit business that is subject to the CCPA; or
- If a nonprofit engages with a business that must comply with the CCPA, and the covered business requires the nonprofit to comply.
Nonprofits are likely to start seeing CCPA language more often, as covered entities will need to ensure that nonprofits are able to assist them with compliance if needed, as required by the regulation.
On an international scale, nonprofits need to keep the GDPR in mind. Unlike the CCPA, the GDPR directly applies to nonprofits that collect or otherwise process information relating directly or indirectly to identifiable individuals in connection with the offer of goods and/or services to EU residents. Nonprofits commonly collect personal information from donors, volunteers, constituents, vendors, and even from individuals who simply want to know more about their organization. Personal Information under the GDPR is defined so broadly that even the collection of data through cookies or data analytics falls within the scope of the regulation.
The GDPR grants the following rights to EU residents:
- the right to be informed about data collection, sharing, etc.;
- the right to access their data;
- the right to correct their data;
- the right to delete their data;
- the right to restrict the processing of their data;
- the right to data portability (i.e. transferring their data to another entity);
- the right to object to the processing of their data; and
- the rights related to automated decision making related to their data, including profiling.
There are many complexities to each of the regulations noted above, and nonprofits should seek counsel to ensure they are properly complying.
For those nonprofits who process credit card transactions on their own for purposes of donations, event participation, etc., Payment Card Industry Data Security Standard (“PCI DSS”) will apply. PCI DSS is a set of rules and regulations relating to cardholder data implemented to reduce credit card fraud. Requirements for compliance vary widely depending on the types of processing you do and the volume of credit card transactions processed. Utilizing a third party to handle your credit card transactions is a good idea for nonprofits.
Regardless of the type of organization or what your website does, it should always include a notice about copyright protection. For example, “Copyright Symbol ©, Organization Name, Year 2019.”
Sections 504 and 508 of The Rehabilitation Act of 1973 require many government sites, as well as the sites of organizations receiving federal funding, to be accessible. One feature of an accessible site is to have access keys to various parts of the pages. Adding an accessibility information page can be helpful so that new customers know which keys do what on your site. Accessibility information pages can also include links to contact pages for reporting a page that is inaccessible, or help finding alternatives for things like videos or audio streams.
Abuse or Complaints Contact Information
While a complaint or feedback system is not part of a website’s legal content, it can be useful, especially for sites that get a lot of user interaction. Feedback links can help customers by giving them a place to complain before they go to a lawyer, thus reducing legal issues.
Patents, Trademarks, and Other Corporate Policies
If your website or organization has relevant patents and trademarks, you should have a page that details them. If there are other corporate policies that you want your customers to know about, you should have pages for those as well.
An organization’s anti-discrimination policy, also called an equal opportunity employer policy, covers practices related to hiring, promoting and terminating employees. Based on some state and federal laws, certain types of employers are required to have this policy. In addition, certain funding sources, such as the U.S. Department of Education, require non-discrimination language. Some funding sources specify where the language needs to be, such as on program materials and/or on the organization’s website, so be sure you’ve read through the requirements in accepting funds. Even if not required, this is a good policy to have in place.
Website Finance Basics for Nonprofits
While not required, having your financial information available on your website is a common industry best-practice.
You are required to have your IRS Form 990, 990-T and Form 1023/1024 available for public inspection per the Internal Revenue Service. Many organizations post those documents on their website. While not required, it is a best practice. You might also look at your organization’s IRS Form 990, Part VI, Section C, Question 18 and see if you checked the box that says “it’s on our website.”
Although nonprofit organizations aren’t required to prepare an annual report, they are a valuable communication tool to share the accomplishments of the organization. By having the resource on your website, you can share your successes beyond your existing supporters.
Audited Financial Statements
Some organizations are cautious about sharing financial information, but posting your audited financial statements to your website is another great way to show that the organization is transparent. GuideStar is another vehicle that gives you the opportunity to share financial information beyond the IRS Form 990.
Today, many organizations are now posting their financial policies on their website, such as their Fiscal Policies Manual, Gift Acceptance Policy, Operating Reserve Policy, and Investment Policy for greater transparency.
In addition to posting financial policies, more organizations are starting to post their governance documents on their website as well. One document that is seen most often on a website is the Code of Ethics Policy. Additionally, some associations are posting all of their key governance policies, beyond the Code of Ethics Policy, on their website, including Bylaws, Committee Charters, Board Governance Policy, Conflict of Interest Policy, Public Reporting and Transparency Policy, Whistleblower Policy, Document Retention and Destruction Policy, and Executive Compensation Policy. Other organizations are including their key operational policies, such as Personnel Policies and Nondiscrimination Policy.
In the age of free and quick information, your website is often the first place the media, watchdog groups, donors, and curious citizens will go. Make sure the organization has designated someone to stay on top of required and recommended information that should be included on the website and that all of the information is kept accurate and current.
© Clark Nuber PS, 2020. All Rights Reserved