Donors put a lot of trust into your organization every time they donate. Make sure their trust isn’t misplaced by following all the donor management requirements that apply to you.
All nonprofits will have three categories of compliance to contend with: state, federal, and data protection. There is a lot of overlap between these categories because they’re all designed with one purpose in mind—donor protection.
Compliance With State Laws: The Charleston Principles
One of the biggest questions that leaders have about nonprofit compliance is “where do we have to register?” The rise of online giving has made the answer to that question a lot more complicated.
For example, take a Maryland-based nonprofit that collects donations from all over the US. Is it enough to register in Maryland? Must it also register where it collects the most donations, or in every state where it has a physical presence? To give a consistent answer to that question, the National Association of State Charity Officials published the Charleston Principles.
The Charleston Principles are technically guidance for state officials rather than law. They tell officials to enforce their states’ laws “against any entity whose internet solicitations mislead or defraud persons.” So, if a person in Maryland claims a Texas-based nonprofit fraudulently collected a donation from them, Maryland officials are expected to respond.
What does that mean for your nonprofit? If you solicit donations in a state, you must register there. This applies regardless of where you are headquartered and whether your payment platform is registered separately. Many states require nonprofits to register before they solicit donations in that state.
State laws also affect the types of fundraisers you can hold. Raffles, casino nights, and anything else involving games of chance may be restricted or banned under state or local ordinances.
It’s impossible to cover every difference between state laws here. The practical rule is to know which states you solicit in and to check each one’s charity regulator for its registration and fundraising rules.
Compliance With Federal Requirements
“Tax-exempt” doesn’t mean “exempt from filing.” Your federal donor management requirements come down to reporting your donations accurately so you keep that tax-exempt status. Most nonprofits must file annual returns, with exemptions for religious organizations, certain trusts, governmental units and institutions, and foreign entities. The IRS publishes the complete list of organizations exempt from filing annual returns.
Those that aren’t exempt must file a form from the 990 series (Form 990, 990-EZ, or 990-N, depending on the organization’s size and type). Even the EZ version is detailed, so it’s not a do-it-yourself project. Annual reporting needs three things: an attorney to make sure your filings are in order, an accountant to make sure the numbers are right, and a CRM that holds the donation data both of them will need.
Donor Management Requirements for Protecting Donor Info
The Internet hasn’t just made nonprofit registration more confusing, it has also ushered in a new era of data compliance. Your donors trust you with a lot of sensitive information, and it’s up to you to protect it. That’s easier said than done when globally, we produce 2.5 quintillion bytes of data every day!
All that data is crossing domestic and international borders and encountering different regulations, requirements, and standards along the way. Three big ones may apply to you: the Payment Card Industry Data Security Standard, the General Data Protection Regulation, and the California Consumer Privacy Act.
Payment Card Industry Data Security Standard (PCI DSS)
Any time your donors make a card payment to your organization, they’re sending highly sensitive data through whatever platform or processor you’re using. The PCI DSS (often just “PCI”) is a set of requirements that governs how you handle that data. It is maintained by the PCI Security Standards Council, founded by the card brands Visa, Mastercard, American Express, Discover, and JCB. Version 3.2.1 of the standard states 12 requirements for handling payment card data; version 4.0 rephrases several of them (for example, “firewall” became “network security controls” and “antivirus” became “anti-malware”) but keeps the same twelve topics:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open and public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
That is a lot, especially if you aren’t familiar with the ins and outs of payment processing and gateways. That’s why many organizations reduce their own PCI scope by using a third-party processor or hosted payment page: the processor handles the card data and most of the 12 requirements, while you remain responsible for whatever cardholder data your own systems and staff still touch.
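Requirement 3 has a practical corollary: the cheapest cardholder data to protect is data you never store. Using a processor’s hosted payment form keeps card numbers out of your systems, but it does not help if staff type a card number into a CRM notes field while taking a phone donation, which puts that database back in scope. The following scanner is an added example, not Neon One code: it finds Luhn-valid digit runs of card-number length in free-text fields and reports them masked, so the hit list itself does not become stored cardholder data. The record layout and the sample records are constructed for the example.

```python
"""Find card numbers (PANs) that have leaked into free-text fields of a donor database.

Added example for PCI DSS requirement 3 (protect stored cardholder data).
The records below are constructed sample data, not real donor records.
"""
import re

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. The length range covers all major card brands.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Return masked PANs found in text: Luhn-valid runs of 13 to 19 digits."""
    found = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def scan_records(records):
    """Scan every string field of each record.

    Returns (record_id, field_name, masked_pan) tuples so the hits can be logged
    and remediated without copying the full card number anywhere else.
    """
    hits = []
    for rec in records:
        for field, value in rec.items():
            if isinstance(value, str):
                for masked in find_pans(value):
                    hits.append((rec["id"], field, masked))
    return hits


# Constructed sample records. 4111 1111 1111 1111 is a well-known test PAN;
# the "tracking" number is 16 digits but fails Luhn, and the phone number is too short.
SAMPLE_RECORDS = [
    {"id": 101, "name": "A. Donor", "notes": "Phone gift 3/1, call back at 312-555-0199"},
    {"id": 102, "name": "B. Donor", "notes": "Took card over phone: 4111 1111 1111 1111 exp 12/29"},
    {"id": 103, "name": "C. Donor", "notes": "Parcel tracking 1234 5678 9012 3456, thank-you gift shipped"},
]

if __name__ == "__main__":
    for rec_id, field, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {rec_id}: field {field!r} contains a card number ending {masked[-4:]}")
```

Run it against an export of your notes and comment fields; every hit is a record to clean up and a staff process to fix. A Luhn check alone has false positives (some account and tracking numbers happen to pass it), so treat hits as leads to review rather than proof.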
Neon One provides PCI-DSS Level 1 compliant web software and payment processing to support our clients. We offer a free nonprofit PCI compliance program that you can learn more about in this article.
General Data Protection Regulation
The GDPR was the European Union’s answer to scattered data regulations across its member countries. It applies to any organization that processes the personal data of people in the EU, regardless of where the organization is based. The data does not have to be connected to a payment or transaction, and “personal data” is broader than payment details: any information that can identify a person, such as a name, email address, or IP address, falls under the GDPR.
This is a massive law, with 99 separate articles, but the most important for nonprofit compliance are the seven principles relating to the processing of personal data in Article 5.
- Lawfulness, fairness, and transparency: Data is processed on a valid legal basis, fairly, and in a way the person can understand.
- Purpose limitation: Data is collected for a “specified, explicit, and legitimate” purpose and not reused for unrelated ones.
- Data minimization: Only as much data as the purpose needs is collected.
- Accuracy: Reasonable efforts are made to keep data accurate and up to date.
- Storage limitation: Data is kept in identifiable form no longer than its purpose requires, then deleted or anonymized.
- Integrity and confidentiality: Processing protects data from unauthorized access, loss, or damage.
- Accountability: The organization controlling the data is responsible for, and must be able to demonstrate, compliance with the other six.
The GDPR is one of the broadest and most comprehensive data protection laws in existence. It has applied since 2018, and many major companies have already run afoul of it, with the largest fines reaching hundreds of millions of euros. Nonprofit leaders need to tread carefully around any constituent relationships and data they hold on people in the EU.
California Consumer Privacy Act (CCPA)
The CCPA applies to for-profit businesses that meet certain revenue or data-volume thresholds and do business with California residents, even if they have no physical presence in the state.
However, the “for-profit” restriction doesn’t automatically exempt nonprofits. A nonprofit that is controlled by, or shares common branding with, a covered for-profit business may itself be bound by the CCPA.
In addition, there’s a good chance that your vendors and business contacts are required to adhere to the CCPA, so it’s best to understand the basics. The California Attorney General’s office lists four core rights (later amendments have added more, such as the right to correct inaccurate information):
- The right to know: Individuals have a right to know what details businesses collect on them.
- The right to delete: Individuals should be able to have personal information collected about them removed.
- The right to opt out: Individuals can tell a business not to sell or share their personal information.
- The right to nondiscrimination: Businesses can’t discriminate against individuals who assert their rights under the CCPA.
While most nonprofits won’t have to deal with the CCPA directly, it’s good practice to adopt those standards in the best interest of your constituents. You can include consent details and opt-out opportunities in your online forms and websites to put control in the donor’s hands. You can also track consent responses in your donor database so you can stay in compliance. To learn more about nonprofit CCPA compliance, you can visit our CCPA Compliance for Nonprofits resource page.
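The Article 5 principles above and the CCPA rights list describe the same handful of operations: record consent per purpose with its time and source, default to “no” when there is no record, honour an opt-out, answer an access request, erase on request, and drop data that has outlived its purpose. The following ledger is an added example, not Neon CRM code, that implements those operations over a small in-memory donor store. Two choices in it are assumptions to confirm with your attorney and accountant: the two-year retention window, and keeping a gift’s amount, date, and receipt number under an opaque donor id after the person’s identifying data is erased, on the grounds that the annual return still needs those figures. The purposes, donor ids, and sample donors are constructed for the example.

```python
"""Consent ledger for a donor database, covering the GDPR Article 5 principles and CCPA rights.

Added example, not Neon CRM code. Assumptions (confirm with your attorney and
accountant): the retention window, and that a gift's amount, date and receipt
number are kept under an opaque donor id after erasure because the annual
return still needs them. All donor data below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Purpose limitation: the only uses the system knows how to record consent for.
PURPOSES = {"receipts", "newsletter", "sale_or_share"}


class DonorStore:
    def __init__(self, clock):
        self.clock = clock    # callable returning an aware datetime; injected so runs are deterministic
        self.donors = {}      # donor_id -> identifying data and current consent state
        self.gifts = []       # financial records keyed by donor_id only, never by name or email
        self.audit = []       # append-only log of consent and erasure events (accountability)

    def _log(self, event, donor_id, detail):
        self.audit.append((self.clock().isoformat(), event, donor_id, detail))

    def add_donor(self, donor_id, name, email, source):
        # Data minimisation: only the fields the organisation actually needs.
        self.donors[donor_id] = {"name": name, "email": email, "consent": {},
                                 "last_activity": self.clock()}
        self._log("add_donor", donor_id, source)

    def record_consent(self, donor_id, purpose, granted, source):
        """Store the answer, when it was given and where (form, phone, email link)."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        donor = self.donors[donor_id]
        donor["consent"][purpose] = {"granted": granted,
                                     "at": self.clock().isoformat(), "source": source}
        donor["last_activity"] = self.clock()
        self._log("consent", donor_id, f"{purpose}={granted} via {source}")

    def opt_out(self, donor_id, purpose, source):
        """A CCPA opt-out (or GDPR withdrawal of consent) is just a recorded 'no'."""
        self.record_consent(donor_id, purpose, False, source)

    def may_use(self, donor_id, purpose):
        """Default deny: no record, an erased donor, or a recorded 'no' all mean 'do not use'."""
        consent = self.donors.get(donor_id, {}).get("consent", {}).get(purpose)
        return bool(consent and consent["granted"])

    def record_gift(self, donor_id, amount_cents, receipt_no):
        self.gifts.append({"donor_id": donor_id, "amount_cents": amount_cents,
                           "receipt_no": receipt_no, "at": self.clock().isoformat()})
        self.donors[donor_id]["last_activity"] = self.clock()

    def export(self, donor_id):
        """Right to know / right of access: everything still held about one person."""
        return {"profile": self.donors.get(donor_id),
                "gifts": [g for g in self.gifts if g["donor_id"] == donor_id]}

    def erase(self, donor_id, source):
        """Right to delete: drop identifying data; the gift record survives under the opaque id."""
        self.donors.pop(donor_id, None)
        self._log("erase", donor_id, source)

    def purge_stale(self, retention):
        """Storage limitation: erase donors with no activity inside the retention window."""
        cutoff = self.clock() - retention
        stale = [i for i, d in self.donors.items() if d["last_activity"] < cutoff]
        for donor_id in stale:
            self.erase(donor_id, "retention policy")
        return stale


def demo():
    """Walk two constructed donors through consent, opt-out and retention; returns (store, purged)."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    store = DonorStore(lambda: now[0])
    store.add_donor("d1", "Ann Example", "ann@example.org", "web form")
    store.record_consent("d1", "receipts", True, "web form")
    store.record_consent("d1", "newsletter", True, "web form checkbox")
    store.record_gift("d1", 5000, "R-0001")
    store.add_donor("d2", "Bob Example", "bob@example.org", "phone")
    store.record_consent("d2", "receipts", True, "phone")
    store.record_gift("d2", 2500, "R-0002")
    now[0] += timedelta(days=400)
    store.opt_out("d1", "newsletter", "email footer link")   # d1 is active again at day 400
    now[0] += timedelta(days=400)
    purged = store.purge_stale(timedelta(days=730))           # assumed two-year window; d2 is stale
    return store, purged


if __name__ == "__main__":
    store, purged = demo()
    print("purged:", purged)
    print("d1 newsletter allowed:", store.may_use("d1", "newsletter"))
    print("d2 after erasure:", store.export("d2"))
```

Two design points carry the weight. Consent is keyed by purpose, so a “yes” to receipts never becomes a “yes” to a newsletter, and the audit log records ids and events but never copies personal data, so erasure does not have to scrub the log. Never reuse an erased donor id, or the surviving gift records would attach to the wrong person.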
California isn’t the only state with its own data protection act. Similar laws have been passed in Illinois, Nevada, Colorado, and Utah—and more are probably coming. That’s why every good compliance program will have a compliance officer in charge of keeping up to date on these laws and rolling out changes to data policy as they go into effect.
How Neon CRM Helps With Your Nonprofit Compliance
One of the best ways to handle your legal donor management requirements is with a comprehensive CRM, powered with a donor database that allows you to keep track of compliance at an individual level. These systems will also be indispensable for annual filing because they allow you to easily track your donations, manage receipts, and create reports. Compliance isn’t an easy matter to comprehend, and it’s easy to lose sight of how it protects your donors. A good CRM can help you realize the value that compliance brings.