Donor Privacy Laws: What Every Nonprofit in New York and Virginia Needs to Know

In today’s digital age, donor trust is everything. Whether you’re a grassroots nonprofit or a multimillion-dollar foundation, your supporters want to know one thing: Is my personal and financial information safe with you?
Donor privacy laws—at both the federal and state levels—exist to answer that question with a resounding “Yes.” But the reality is more complicated. Nonprofits must navigate a patchwork of regulations that vary by jurisdiction, especially when operating in multiple states like New York and Virginia. Failing to comply doesn’t just risk penalties—it can damage your reputation and erode donor confidence.
Let’s break down what donor privacy means legally, what’s required federally, and how the laws differ between New York and Virginia.
What Are Donor Privacy Laws?
Donor privacy laws govern how nonprofit organizations collect, use, store, and disclose information about their donors. This includes names, contact details, donation amounts, and in some cases, credit card or bank information.
At their core, these laws aim to:
- Protect personal donor data
- Ensure transparency around fundraising practices
- Prevent coercion or misuse of donor relationships
- Maintain public trust in charitable institutions
There is no comprehensive federal law dedicated to donor privacy for nonprofits, but a mix of IRS rules, constitutional protections, and emerging state laws now shapes how nonprofits must handle donor information.
Federal Guidelines on Donor Privacy
While there’s no standalone federal donor privacy statute, nonprofits still face federal obligations:
IRS Form 990
Most tax-exempt organizations must file an annual Form 990 (or the shorter 990-EZ or 990-N). Organizations above the reporting thresholds list their larger contributors, generally those giving $5,000 or more, on Schedule B. However:
- Public charities report donor names and addresses to the IRS, but that information is not open to public inspection. The copy of the return that a public charity must make available on request omits donor names and addresses, and the IRS likewise withholds them.
- Private foundations, on the other hand, must publicly disclose donor names and amounts.
In 2020, the IRS finalized regulations that relieved certain non-charitable exempt organizations (e.g., 501(c)(4) social welfare groups) of the obligation to report donor names and addresses on Schedule B at all. The IRS first announced this change in 2018 guidance, which a federal court vacated on procedural grounds in 2019; the 2020 regulations reinstated it, and the policy remains controversial.
First Amendment Protections
In Americans for Prosperity Foundation v. Bonta (2021), the U.S. Supreme Court struck down California's requirement that charities submit unredacted Schedule B donor lists to the state Attorney General. The Court held that compelled disclosure of donor identities burdens the freedom of association and must be narrowly tailored to a sufficiently important government interest; a blanket demand for every registered charity's donor list, with no showing that the state needed it to police fraud, failed that test. This landmark decision now limits how far regulators can go in demanding donor data as a routine condition of registration.
New York State: Stricter and More Transparent
New York has long been a leader in nonprofit oversight, including donor privacy.
New York CHAR500 Filing
All nonprofits soliciting contributions in New York must register with the Attorney General's Charities Bureau and file an annual CHAR500 with a copy of their IRS Form 990 attached.
Until 2021, New York also required organizations to attach their full, unredacted Schedule B, including donor names and addresses. Following the Bonta decision, the Attorney General suspended that requirement:
- Nonprofits no longer need to submit donor names and addresses with their annual filing.
- The Attorney General may still request donor information confidentially in connection with a specific investigation or enforcement matter.
Data Breach Notification Law
New York's SHIELD Act expanded the definition of "private information" (it now covers, for example, account numbers paired with access credentials, and biometric data) and applies to any person or business that owns or licenses computerized data containing the private information of New York residents. Nonprofits are not exempt; the law applies regardless of where the organization is located or whether it operates for profit.
Covered organizations must implement "reasonable administrative, technical, and physical safeguards" for that data. For donor records, that means at minimum:
- Secure storage and transmission (encryption of payment and account data at rest and in transit)
- Access controls that limit who can view or export donor data
- An incident response plan, and regular review of the safeguards as the organization changes
The statute scales the safeguard requirement to the organization's size and the sensitivity of the data it holds, so a small nonprofit is not held to the same program as a large one, but it still has to have a program. After a breach of private information, the organization must notify affected New York residents and the Attorney General (along with other designated state agencies). Failure to do so exposes the organization to civil penalties in an enforcement action by the Attorney General.
Virginia: A New Player in Data Privacy
Virginia's Consumer Data Protection Act (CDPA) took effect on January 1, 2023, and is one of the most comprehensive state privacy laws in the U.S. It is aimed primarily at for-profit businesses; nonprofit organizations are expressly exempt, for now.
So why should Virginia nonprofits care?
- Many nonprofits work with vendors (e.g., CRMs, email platforms, payment processors) that are themselves subject to the CDPA and will pass contractual obligations down to their nonprofit customers.
- There is increasing pressure to self-regulate, especially from high-dollar donors and corporate partners.
- Future legislation may narrow the nonprofit exemption.
Best practice for Virginia nonprofits: behave as if the CDPA applies. Adopt a written donor privacy policy, honor the core data rights the CDPA grants consumers (access, correction, deletion, and opting out of sale or targeted advertising), and work only with third parties that meet recognized security standards.
Best Practices for Donor Privacy Compliance
Regardless of your state, here are 7 best practices your nonprofit should adopt:
- Create and publish a donor privacy policy on your website, and make sure your actual practices match it.
- Never sell or trade donor data, and say so clearly in writing.
- Allow donors to opt out of communications and of being publicly recognized.
- Omit donor names and addresses from any Schedule B you release publicly or file with a state that no longer requires them.
- Limit staff and volunteer access to donor data to those who need it for their role, and revoke access when the role ends.
- Encrypt sensitive data at rest and in transit, keep payment card data out of your own systems where a processor can hold it instead, and train your team to recognize phishing and handle donor data securely.
- Vet third-party vendors for compliance with applicable laws and security standards, and put data-protection and breach-notification obligations in their contracts.
Donor privacy isn’t just a legal issue—it’s a trust issue. New York nonprofits must meet stricter state standards, while Virginia organizations are watching the legal landscape shift around them. But wherever you’re based, respecting donor privacy is essential to sustaining relationships, protecting your mission, and staying compliant in a rapidly changing legal environment.
Need help reviewing your donor privacy practices or policies? Contact Hedgeman Law to help ensure you’re fully protected.