July 29, 2020

By Cheryl R. Olson, CPA, CGMA and
Co Author Paul L. Havel, Intellectual Property Team Leader, Miller Nash Graham & Dunn LLP

(This article was originally published on 2/1/2016 by NetRaising | a web consultancy. It was updated on 7/29/2020 to reflect the latest guidance and information.)

You’ve created the perfect website. You’ve spent countless hours with website designers and consultants. You’ve spent weeks writing and rewriting content, perfecting your message, choosing the right graphics, and making sure your website tells your story.

But what about that legal mumbo jumbo every website seems to have? No one reads that stuff, right? Do you really need to create a Terms of Use page for your website? While it may not required by law, some legal mumbo jumbo is really smart to have, and we encourage you to consider, in consultation with your legal counsel, including your customized version of the following example “legal statements” on your nonprofit website

Terms of Use

The terms of use page sets the rules for using your website. Again, these are not required by law, but every website should have a terms of use. These terms are intended to be a contract that governs the relationship between the website owner and each website user. Terms of use can vary drastically, depending on what information is on your website and what website functions are offered.

For example, if your website has social networking elements or content contributed by users, you may want to include a disclaimer that states each person is responsible for the content that they contribute or post and that you do not review, endorse, or approve of their content. In addition, you may want to reserve the right to remove content that is offensive.

If you are providing your own content, you may want to let your users know that, while they have a license to view your content, they may not reproduce it, distribute it, or otherwise use the content in any other way without your prior written consent. A terms of use policy serves to benefit you because it sets forth conditions of use, various disclaimers, and other language protecting you as the website operator or owner. The terms of use will be the contractual relationship between you and a user should a dispute arise.

The sophistication of the terms of use will depend upon the sophistication of your organization. Here are some of the key items in a website terms of use:

Limitation of Liability

Limit your organization’s liability in certain situations, again depending on the sophistication of your website and what your website contains and allows.

Website Copyright/DMCA Policy

This policy is intended to provide a legal safe harbor under the Digital Millennium Copyright Act (DMCA) to protect online service providers from copyright infringement liability resulting from certain acts by their users. The DMCA requires you to appoint an agent and register that agent with the U.S. Copyright office. The agent is the designated individual at the organization to receive complaints regarding copyright infringement. Below are links to read more about copyright infringement:

Set Governing Law and Venue

Your terms of use should also mention where your website is operating in terms of the governing law. For example, “These terms of use are governed by the laws of Oregon.” You can also set the “venue” for any disputes, which would likely be in the state in which you reside.

Set Forth the Permissible Use of the Website

Viewing content, downloading for personal use, linking, etc.

Privacy Policies

There are many federal and state statutes that govern data privacy; below are examples of what some of these laws cover:

Children’s Online Privacy Protection Act (“COPPA”)*

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of websites or online services that have actual knowledge that they are collecting personal information online from a child under 13.

Computer Fraud and Abuse Act (“CFAA”)

The CFAA prohibits intentionally accessing a computer without authorization or in excess of such authorization.

Fair Credit Reporting Act (“FCRA”)

The FCRA promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. It grants certain rights to consumers and places specific burdens on those furnishing or using consumer reports.

California Online Privacy Protection Act (“CalOPPA”)

A California state law that requires commercial websites and online services that collect “Personal Information” of California residents to include a privacy policy on their website.

California Consumer Privacy Act (“CCPA”)

The CCPA took effect on January 1, 2020. This regulation grants California residents new rights in connection with their “Personal Information.”

Family Educational Rights and Privacy Act (“FERPA”)

FERPA protects the privacy of student education records and gives parents certain rights with respect to their children’s education records, including the right to inspect and review them.

Health Insurance Portability and Accountability Act (HIPAA)

Provides security and privacy protections in order to keep patient’s medical information safe.

International Issues

General Data Protection Regulation (“GDPR”)

The GDPR came into effect in May of 2018 and provides EU citizens with significant control over their personal data. The law applies to any organization in or outside of the EU that offers goods or services to EU citizens; nonprofits could be considered to provide goods or services by holding conferences or meetings in the EU or monitoring the online behavior of EU residents who visit its website.

If you collect any information from users, you should have a privacy policy. Organizations can use the following questions to craft an appropriate privacy policy:

  1. What kind of information does the organization collect?
  2. How is the information collected?
  3. How does the organization use the data collected?
  4. How does the organization protect the data collected?
  5. Does the organization share the collected data with others, and if so, what is shared and with whom?
  6. Do users/customers of the organization have control over their personal data, and if so, what kind of control do they have?
  7. How long will the organization retain the consumer’s data?

Some states may actually require a privacy policy. The California Online Privacy Protection Act basically says that, if you are a nonprofit with a website and you want to do some type of commerce with a resident of the state of California through that website, then your organization is required by California state law to post your privacy policy on your website.

Additionally, California’s newer privacy law, the CCPA, mandates that certain businesses collecting personal information of California residents afford those individual the following additional rights:

  1. the right to know what data is collected about them;
  2. the right to know whether there data is sold and to whom;
  3. the right to access their personal information
  4. the right to opt out of the sale of their personal information; and
  5. the right to equal treatment if they exercise their rights. These rights must be made clear in a company’s privacy notice.

Although the regulation does not expressly apply to nonprofits, there are a few exceptions where nonprofits will be required to comply:

  • If a nonprofit is controlled by a for-profit business, or vice versa;
  • If a nonprofit enters into a joint venture with a for-profit business that is subject to the CCPA; or
  • If a nonprofit engages with a business that must comply with the CCPA, and the covered business requires the nonprofit to comply. Nonprofits are likely to start seeing CCPA language more often, as covered entities will need to ensure that nonprofits are able to assist them with compliance if needed, as required by the regulation.

Some accountability groups, such as the Charities Review Council may also require a privacy policy. One of its standards requires a privacy policy on the organization’s website or by request, which describes how donor information is collected and used, provides the opportunity for donors to “opt-out” of making their information available or shared, and includes a discontinue contact policy.

On an international scale, nonprofits need to keep the GDPR in mind. Unlike the CCPA, the GDPR directly applies to nonprofits that collect or otherwise process information relating directly or indirectly to identifiable individuals in connection with the offer of goods and/or services to EU residents. Nonprofits commonly collect personal information from donors, volunteers, constituents, vendors, and even from individuals who simply want to know more about their organization. Personal Information under the GDPR is defined so broadly that even the collection of data through cookies or data analytics falls within the scope of the regulation.

The GDPR grants the following rights to EU residents:

  1. the right to be informed about data collection, sharing, etc.;
  2. the right to access their data;
  3. the right to correct their data;
  4. the right to delete their data;
  5. the right to restrict the processing of their data;
  6. the right to data portability (i.e. transferring their data to another entity);
  7. the right to object to the processing of their data; and
  8. the rights related to automated decision making related to their data, including profiling.

There are many complexities to each of the regulations noted above, and nonprofits should seek counsel to ensure they are properly complying.

Data Security

For those nonprofits who process credit card transactions on their own for purposes of donations, event participation, etc., Payment Card Industry Data Security Standard (“PCI DSS”) will apply. PCI DSS is a set of rules and regulations relating to cardholder data implemented to reduce credit card fraud. Requirements for compliance vary widely depending on the types of processing you do and the volume of credit card transactions processed. Utilizing a third party to handle your credit card transactions is a good idea for nonprofits.

Copyright Notices

Regardless of the type of organization or what your website does, it should always include a notice about copyright protection. For example, “Copyright Symbol ©, Organization Name, Year 2019.”


Disclaimers are like a simplified version of a terms of use statement. They are common on websites where there may be user-submitted content that isn’t moderated by the site owners or where there are many links to external pages.

Accessibility Information

Sections 504 and 508 of The Rehabilitation Act of 1973 require many government sites, as well as the sites of organizations receiving federal funding, to be accessible. One feature of an accessible site is to have access keys to various parts of the pages. Adding an accessibility key can be helpful so that new customers know which keys do what on your site. Accessibility information pages can also include links to contact pages when a page is inaccessible or help finding alternatives for things like videos or audio streams. Learn more »

Abuse or Complaints Contact Information

While a complaint or feedback system is not part of a website’s legal content, it can be useful, especially for sites that get a lot of user interaction. Feedback links can help customers by giving them a place to complain before they go to a lawyer, thus reducing legal issues.

Patents, Trademarks, and Other Corporate Policies

If your website or organization has relevant patents and trademarks, you should have a page that details them. If there are other corporate policies that you want your customers to know about, you should have pages for those as well.

Anti-Discrimination Policy

An organization’s anti-discrimination policy, also called an equal opportunity employer policy, covers practices related to hiring, promoting and terminating employees. Based on some state and federal laws, certain types of employers are required to have this policy. In addition, certain funding sources, such as the U.S. Department of Education, require non-discrimination language. Some funding sources specify where the language needs to be, such as on program materials and/or on the organization’s website, so be sure you’ve read through the requirements in accepting funds. Even if not required, this is a good policy to have in place.

Website Finance Basics for Nonprofits

While not required, having your financial information available on your website is a common industry best-practice.

IRS Forms

You are required to have your IRS Form 990, 990-T and Form 1023/1024 available for public inspection per the Internal Revenue Service. Many organizations post those documents on their website. While not required, it is a best practice. You might also look at your organization’s IRS Form 990, Part VI, Section C, Question 18 and see if you checked the box that says “it’s on our website.”

Annual Reports

Although nonprofit organizations aren’t required to prepare an annual report, they are a valuable communication tool to share the accomplishments of the organization. By having the resource on your website, you can share your successes beyond your existing supporters.

Audited Financial Statements

Some organizations are cautious about sharing financial information, but posting your audited financial statements to your website is another great way to show that the organization is transparent. GuideStar is another vehicle that gives you the opportunity to share financial information beyond the IRS Form 990.


Today, many organizations are now posting their financial policies on their website, such as their Fiscal Policies Manual, Gift Acceptance Policy, Operating Reserve Policy, and Investment Policy for greater transparency.


In addition to posting financial policies, more organizations are starting to post their governance documents on their website as well. One document that is seen most often on a website is the Code of Ethics Policy. Additionally, some associations are posting all of their key governance policies, beyond the Code of Ethics Policy, on their website, including Bylaws, Committee Charters, Board Governance Policy, Conflict of Interest Policy, Public Reporting and Transparency Policy, Whistleblower Policy, Document Retention and Destruction Policy, and Executive Compensation Policy. Other organizations are including their key operational policies, such as Personnel Policies and Nondiscrimination Policy.

In the age of free and quick information, your website is often the first place the media, watchdog groups, donors, and curious citizens will go. Make sure the organization has designated someone to stay on top of required and recommended information that should be included on the website and that all of the information is kept accurate and current.

© Clark Nuber PS, 2020. All Rights Reserved

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.