Fundraising and Privacy in Canada: Five Things to Know

FRANÇAIS

Billions of data points containing personal information crisscross the internet every hour. Search a recipe for pineapple upside down cake and an advertisement for a pineapple sale at your local market appears on your Facebook page five minutes later. User data is a commodity. Yet, for fundraisers, respecting donors’ privacy is vital in creating a sense of trust between organization and donors. It’s not only best practice, but is part of AFP’s Code of Ethical Standards, a commitment to which is part of being a member of AFP.  

In 2021, the Office of the Privacy Commissioner of Canada published updated guidelines for organizations subject to the Personal Information Protection and Electronic Documents Act or PIPEDA. PIPEDA applies to any organization that collects, uses, or discloses personal information during commercial activities, which includes the “bartering or leasing of donor, membership, or other fundraising lists.” Charities and nonprofits are not exempt from PIPEDA.

Here are some best practices to help fundraisers in Canada with respect to privacy.

1. In addition to federal legislation, most provinces and territories have legislation similar to PIPEDA that apply to charities. It’s important to become aware of the legislation. A PIPEDA memo from May 2020 states that it’s possible that, “one part of an organization’s activities, such as collecting personal information within a province, may be subject to a provincial privacy law while another part, such as disclosure across provincial borders, may be subject to PIPEDA.”
    
2. Understand the impact of AI on privacy. The impact of AI and the ethics of AI in nonprofit communications was identified earlier this year as one of the trends in Canadian fundraising—and there are privacy implications. “The sector is still figuring out how to ethically incorporate artificial intelligence into its operations,” Daniel H. Lanteigne, ASC, C.Dir., CFRE, CHRP, vice president of talent, strategy, and impact at BNP Philanthropic Philanthropique and vice chair, membership of the Association of Fundraising Professionals (AFP Global), told AFP Daily in February. “But time is running out for organizations that have not brought this issue to their boards.”
   
   “As AI becomes more integrated into modern workplaces and social settings, individuals and organizations will need to be aware of the legal implications of using these new technologies, whether as a provider or a client,” explained lawyers Esther Shainblum and Cameron A. Axford in a Privacy Update published in January 2024 by Carters Charity & NFP Law Update.
    
3. Following privacy regulations is not only a legal requirement but also essential to maintain the trust and loyalty of donors. “In today's landscape, donors are increasingly concerned about the use of their personal identifiable information by charities, or any other organization,” says Carolina Bendaña, director, media and data services at Stephen Thomas Ltd. “Therefore, it's imperative that we make all policies and regulations clear and readily available to donors.”
    
4. Establish a Data Protection Policy that outlines why and how donor data is used and how that information is protected. By publishing it on your website, your organization is showing accountability and transparency. “The way we handle donor communications plays a significant role in donor retention,” says Bendaña. “Having a designated team that can provide general information about where a donor's name was obtained, the frequency of communications, opt-out procedures, and where to find the privacy policy is crucial,” Bendaña explained. “Unfortunately, sometimes charities fail to provide this level of transparency and engagement, leading to complaints and requests for suppression from further communications. By ensuring transparency and respecting donors' preferences, we not only fulfill our ethical and legal obligations, we also safeguard our fundraising efforts.”
    
5. Don’t think a cyber-attack can’t happen to your charity. Plan for it. Cyberthreats are real and often happen to charities. “Charities continue to fall victim to cyber-attacks, partly because they believe it will not happen to them, partly because criminals know they are not well protected, and partly because charities have a much harder time justifying the expenditure on cyber security products,” says Ioan Marc Jones in Charity Digital, “and cybercrime disproportionately hits small organizations.”

For charities, data often includes personal information about their supporters. Knowing the vital role that supporters play in charities, protecting their information is an essential for fundraisers. If an organization is fundraising, ensuring the privacy of their donors is an important part of the job.