

Nonprofit CRMs: How to Navigate Data Privacy and Compliance

By: Ron Barrett, COGENCY GLOBAL on Thu, Mar 28, 2024

What this is: Nonprofits increasingly rely on constituent relationship management (CRM) systems to collect, organize and manage data. However, in an age where privacy is a growing concern, it’s essential to safeguard personal information and maintain compliance with data protection regulations. 

What this means: In this guide, we’ll explore the steps your nonprofit should take to protect your database. Whether you use Blackbaud, HubSpot, Salesforce or another CRM provider, these insights will help you navigate the complex landscape of data privacy. 


Understand Applicable Regulations 

On both a local and federal level, regulations have been put in place to ensure that donor data is handled responsibly. Compliance with these regulations is crucial for nonprofits to maintain trust with donors, mitigate legal risks and uphold ethical standards while engaging in fundraising and donor management activities. 

The most well-known regulations related to donor data include the: 

  • General Data Protection Regulation (GDPR): The GDPR is a European Union regulation impacting nonprofits that collect and process personal information from individuals residing in the EU. It grants individuals greater control over their personal information by requiring organizations to obtain clear consent for data collection, provide transparent data processing practices and allow individuals to access, rectify or erase their data upon request.  
  • California Consumer Privacy Act (CCPA): The CCPA is a California state law that provides California residents with specific rights regarding their personal information, including the right to know what personal information businesses collect about them, request deletion of that information and opt out of the sale of their data. 
  • CAN-SPAM Act: The CAN-SPAM Act is a US federal law that regulates commercial email communication, including fundraising emails sent by nonprofits. It requires organizations to include clear opt-out mechanisms, accurate sender information and truthful email subject lines to protect recipients from unwanted emails. 
  • Internal Revenue Service (IRS) Regulations: Nonprofits in the US are subject to IRS regulations that govern their tax-exempt status. While not focused solely on donor privacy, these regulations do require nonprofits to maintain accurate donor records and protect donor information. Violating these regulations could result in the loss of tax-exempt status. 

These regulations not only vary from one jurisdiction to another but are also subject to change. To ensure your nonprofit remains compliant, consider working with a nonprofit technology consultant. In most cases, these firms will identify the local and federal regulations that your organization must adhere to and adjust your data security measures accordingly.  

Implement Strong Data Security Measures 

Data security measures are your first line of defense for safeguarding donor information and are critical for nonprofits when it comes to their CRM systems. Here are three important data security measures nonprofits should take: 

  1. Access controls: Implement strict access controls to ensure that only authorized personnel have access to sensitive data within the CRM. This includes setting up role-based access permissions to limit who can view, edit or delete specific data. Review and update these rights as staff roles change. 
  2. Data encryption: Encrypt data both in transit and at rest. Use secure, encrypted connections (HTTPS, not HTTP) for accessing the CRM online and encrypt data stored within the CRM database. Encryption safeguards sensitive information, such as donor data and financial records, from unauthorized access or breaches. 
  3. Regular audits: Monitor the CRM system for unusual activity and audit your security protocols to ensure your team is well-equipped to address any issues that may arise. For instance, in the event of a security breach, you should have a plan in place to disconnect compromised accounts and report the incident to an internal IT specialist or your CRM provider’s support team. 
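The access-control and audit points above can be made concrete with a small model of how a CRM might enforce role-based permissions, record every access decision, and review that record for unusual activity. The following is an added example written for this guide, not code from Blackbaud, HubSpot, Salesforce or any other CRM vendor; the role names, permissions, user names and the activity in `demo()` are all constructed for illustration.

```python
"""Role-based access control for CRM records with an audit trail and a
simple review of that trail for unusual activity.

Added illustration; not vendor code.  Roles, permissions, users and the
sample activity below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role-to-permission map: each role gets only what it needs.
ROLE_PERMISSIONS = {
    "volunteer":  {"view_contact"},
    "fundraiser": {"view_contact", "edit_contact", "view_gift"},
    "finance":    {"view_contact", "view_gift", "edit_gift", "export_gifts"},
    "admin":      {"view_contact", "edit_contact", "delete_contact",
                   "view_gift", "edit_gift", "export_gifts", "manage_users"},
}


class CrmAccess:
    """Assigns roles, answers 'may this user do this?' and logs every answer."""

    def __init__(self):
        self.user_roles = {}
        self.audit_log = []

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.user_roles[user] = role

    def revoke(self, user):
        """Remove all access when someone leaves or changes role."""
        self.user_roles.pop(user, None)

    def check(self, user, action, record_id, when):
        role = self.user_roles.get(user)
        allowed = role is not None and action in ROLE_PERMISSIONS[role]
        # Denied attempts are logged too: they are what an audit looks for.
        self.audit_log.append({"when": when, "user": user, "role": role,
                               "action": action, "record": record_id,
                               "allowed": allowed})
        return allowed


def flag_unusual_activity(audit_log, window=timedelta(minutes=10),
                          denied_limit=3, export_limit=2):
    """Return {user: [reasons]} for users whose activity inside any period of
    length `window` reaches a threshold (sliding-window count per user)."""
    flags = defaultdict(list)
    by_user = defaultdict(list)
    for entry in sorted(audit_log, key=lambda e: e["when"]):
        by_user[entry["user"]].append(entry)
    rules = (
        (lambda e: not e["allowed"], denied_limit, "repeated denied actions"),
        (lambda e: e["allowed"] and e["action"] == "export_gifts",
         export_limit, "bulk exports"),
    )
    for user, entries in by_user.items():
        for predicate, limit, reason in rules:
            times = [e["when"] for e in entries if predicate(e)]
            start = 0
            for end in range(len(times)):
                while times[end] - times[start] > window:
                    start += 1
                if end - start + 1 >= limit:
                    flags[user].append(reason)
                    break
    return dict(flags)


def demo():
    """Constructed day of activity; returns (decisions, flagged users)."""
    t0 = datetime(2024, 3, 28, 9, 0)
    crm = CrmAccess()
    crm.assign_role("alice", "fundraiser")
    crm.assign_role("bob", "volunteer")
    crm.assign_role("carol", "finance")
    results = {}
    results["alice_edit"] = crm.check("alice", "edit_contact", "C-100", t0)
    results["bob_edit"] = crm.check("bob", "edit_contact", "C-100",
                                   t0 + timedelta(minutes=1))
    # bob keeps trying to open gift records his role does not cover
    for i in range(3):
        crm.check("bob", "view_gift", f"G-{i}", t0 + timedelta(minutes=2 + i))
    # carol exports the whole gift table three times in three minutes
    for i in range(3):
        crm.check("carol", "export_gifts", "ALL", t0 + timedelta(minutes=10 + i))
    # alice changes teams: access is revoked and a later attempt is denied
    crm.revoke("alice")
    results["alice_after_revoke"] = crm.check("alice", "view_contact", "C-100",
                                              t0 + timedelta(hours=1))
    return results, flag_unusual_activity(crm.audit_log)


if __name__ == "__main__":
    decisions, flagged = demo()
    print(decisions)
    print(flagged)
```

The thresholds and the ten-minute window are placeholders; the point is that denied attempts are recorded alongside permitted ones, and that the same log that proves compliance is what a periodic review runs over.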

Train your staff on data privacy and compliance best practices. Ensure that everyone who handles donor data is aware of their responsibilities and understands the importance of compliance. Conduct regular training sessions and provide resources to keep staff up to date on the latest regulations. 

Would you like to read more about building a foundation for your mission? Start with our Nonprofit Services Resource Center.

Obtain Proper Consent 

Consent records provide a clear audit trail that your nonprofit can use to prove its compliance with data protection laws and ethical data handling practices. To obtain proper consent, use: 

  • Explicit opt-in consent: Require donors to provide explicit and affirmative consent before collecting their information, whether that be through checkboxes on donation forms or online sign-up pages.  
  • Double opt-in: Implement a double opt-in process for online subscriptions or registrations. After donors initially provide their contact information and consent, send them a confirmation email containing a link or button to confirm their subscription. This ensures that donors genuinely want to share their data with your organization and reduces the risk of inadvertent sign-ups. 
  • A preference center: Offer donors a preference center where they can easily manage their data preferences. Allow donors to choose which data they share, update their contact information and unsubscribe from specific communication channels at any time.
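The three consent mechanisms above fit together as one flow: an explicit opt-in creates a pending request, the double opt-in confirmation link carries a signed, time-limited token, and the preference center appends withdrawals to the same record, so the current state of consent can always be derived from the audit trail. The following added example sketches that flow; it is not code from any CRM or email provider, and the secret key, addresses, purposes, 48-hour expiry and timestamps are constructed for illustration.

```python
"""Double opt-in with a signed, expiring confirmation token and a
consent ledger that serves as the audit trail.

Added illustration; not vendor code.  The secret, addresses, purposes and
timestamps are constructed.  The confirmation e-mail itself is not sent here;
the token is what would go into its link.
"""
import base64
import binascii
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SECRET = b"constructed-demo-secret-rotate-in-production"
TOKEN_TTL = timedelta(hours=48)  # constructed: how long the link stays valid


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_confirmation_token(email, purposes, issued_at):
    """Token = base64url(payload) '.' HMAC(payload); the payload names the
    address, the purposes consented to and an expiry time."""
    payload = json.dumps({"email": email, "purposes": sorted(purposes),
                          "exp": (issued_at + TOKEN_TTL).timestamp()},
                         separators=(",", ":"), sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return body + "." + _sign(payload)


def verify_confirmation_token(token, now):
    """Return the payload if the signature matches and it has not expired."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    data = json.loads(payload)
    if now.timestamp() > data["exp"]:
        return None
    return data


class ConsentLedger:
    """Append-only record of consent events per address."""

    def __init__(self):
        self.records = []
        self.pending = {}  # email -> outstanding (unconfirmed) token

    def start_signup(self, email, purposes, source, now):
        """Explicit opt-in: the donor ticked at least one purpose on a form."""
        if not purposes:
            raise ValueError("explicit opt-in requires a selected purpose")
        token = issue_confirmation_token(email, purposes, now)
        self.pending[email] = token
        self.records.append({"email": email, "event": "opt_in_requested",
                             "purposes": sorted(purposes), "source": source,
                             "at": now.isoformat()})
        return token

    def confirm(self, token, now):
        """Double opt-in: only a valid, still-pending token confirms consent."""
        data = verify_confirmation_token(token, now)
        if data is None or self.pending.get(data["email"]) != token:
            return False
        del self.pending[data["email"]]  # single use
        self.records.append({"email": data["email"], "event": "opt_in_confirmed",
                             "purposes": data["purposes"],
                             "source": "confirmation_link", "at": now.isoformat()})
        return True

    def withdraw(self, email, purposes, now):
        """Preference center: withdrawals are appended, never overwrite history."""
        self.records.append({"email": email, "event": "withdrawn",
                             "purposes": sorted(purposes),
                             "source": "preference_center", "at": now.isoformat()})

    def active_consents(self, email):
        """Derive current consent from the trail; pending requests count for nothing."""
        active = set()
        for r in self.records:
            if r["email"] != email:
                continue
            if r["event"] == "opt_in_confirmed":
                active.update(r["purposes"])
            elif r["event"] == "withdrawn":
                active.difference_update(r["purposes"])
        return active


def demo():
    """Constructed walk-through covering confirm, replay, withdraw, expiry, tamper."""
    t0 = datetime(2024, 3, 28, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    token = ledger.start_signup("donor@example.org",
                                {"newsletter", "event_invites"}, "donation_form", t0)
    before = ledger.active_consents("donor@example.org")
    confirmed = ledger.confirm(token, t0 + timedelta(hours=2))
    replay = ledger.confirm(token, t0 + timedelta(hours=3))
    ledger.withdraw("donor@example.org", {"event_invites"}, t0 + timedelta(days=30))
    after = ledger.active_consents("donor@example.org")
    stale = ledger.start_signup("late@example.org", {"newsletter"}, "web_signup", t0)
    expired = ledger.confirm(stale, t0 + timedelta(hours=49))
    tampered = ledger.confirm(token[:-1] + ("0" if token[-1] != "0" else "1"), t0)
    return {"before": before, "confirmed": confirmed, "replay": replay,
            "after": after, "expired": expired, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the compliance weight: nothing is treated as consent until the confirmation link is used, and the ledger is only ever appended to, so a later question of "when and for what did this person consent, and when did they withdraw?" is answered from the records rather than from a mutable flag.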

For increased transparency, consider publishing a privacy policy on your nonprofit’s website that outlines the types of information that will be collected and the purposes for which it will be utilized, such as donor recognition or communication updates. Emphasize your commitment to safeguarding donor data to instill trust and assure donors of their protection. 

Document Data Handling Processes 

When you take the time to document how your data is handled, you can spot vulnerabilities and take proactive measures to address them before they escalate. Documentation can take the form of:  

  • Standard Operating Procedures (SOPs): Create detailed SOP documents that outline step-by-step procedures for handling donor data from collection to storage, access and disposal. These documents should include information on who has access to the data, how it is stored, how it is used and how long it is retained. 
  • Data flow diagrams: Use flow diagrams to illustrate how data moves between systems and identify potential vulnerabilities in your data handling processes. For instance, when documenting the migration of data between your online donation platform and CRM, you may discover inadequate authentication controls, which could lead to a data breach. 

Consult with your team to see if it’s within your budget to outsource these tasks to a professional consultant or IT security expert. Their oversight will ensure that the documentation is accurate.  

Remember, data privacy and compliance are complex matters. As you move forward, reach out to consultants, IT experts and legal professionals who specialize in protecting nonprofit CRMs. They can serve as invaluable partners in your journey toward maintaining the highest standards of ethical data management. 


What is one example of a common type of risk that could affect a nonprofit organization? 

Cybersecurity violations. Your nonprofit likely collects and stores a lot of data about its donors, fundraising campaigns and performance metrics. If this data is left vulnerable due to gaps in security practices, breaches can occur that expose sensitive information about your organization and its supporters. To read more on this topic, check out our article, Understanding Nonprofit Risk Management: 3 Things to Know.

How is California’s Assembly Bill 488 meant to impact cause marketing? 

In a substantial improvement to charitable solicitations law, California passed a comprehensive statute (Assembly Bill 488), which partially took effect on January 1, 2023. Seeking to combat fraud and misleading solicitations in the domain of online charitable campaigns, the law introduces new rules for "charitable fundraising platforms," encompassing cause marketing campaigns and some commercial co-venture (CCV) initiatives. The regulatory landscape of CCVs (AKA charitable sales promotions) and cause marketing activities in California is experiencing a noteworthy change. Companies conducting these campaigns online with nonprofits (defined by the new law as “recipient charitable organizations”) need to be aware of the updated legislation’s impact. For more, read our article, California’s Platform Fundraising Law: Impact on Cause Marketing. 

What is an example of a situation in which your nonprofit would be required to conduct an independent financial audit? 

Your state requires an audit for charitable solicitation registration or renewal. Most states have a threshold of revenue or contributions received annually that triggers their nonprofit audit requirement, and there are some exceptions to these rules. Make sure your organization follows the most up-to-date regulations for the state(s) where it’s registered. Learn more by reading our article, Independent Financial Audits: An Overview for Nonprofits. 

This article is provided for informational purposes only and should not be considered, or relied upon, as legal advice. 
