Guest Post: Top 10 Website Liability Issues for Nonprofits (Part 1)

By Deborah Shinbein
Deborah Howitt Shinbein, LLC

Most nonprofit organizations have a website through which they reach out to those who may be interested in donating, volunteering, or learning more about the nonprofit’s mission. However, operating a website without taking the necessary precautions can lead to significant liability.  This two-part article describes ten potential liability traps for unwary nonprofits, as well as recommendations regarding how to mitigate the risks.  However, this is merely a brief overview, and you should consult with an experienced Internet law attorney to evaluate the unique needs and liability issues for your organization’s website.

  1. Terms of Use. When creating a new website, the Terms of Use are often an afterthought.  Some entities go so far as to copy this crucial document from another website, do a “search & replace” on the company name, and post the terms on their own site, assuming “if it works for them, it will probably work for us.”  Other sites decide that they can live without Terms of Use altogether.  These are dangerous practices.  The liability protections and necessary terms for one site can be vastly different than for another site, depending on the site’s functionality, location, target audience, data collection and use practices, materials distributed, industry, and other factors.  In addition, directly copying the text from another site is copyright infringement.  In order to protect a site’s owner from liability, it is crucial that the site’s Terms of Use are carefully drafted to ensure they reflect the services or products offered by the nonprofit, the site’s functionality and content, requirements for using the site, overview and licenses regarding the site’s intellectual property, language necessary to form a binding agreement, disclaimers and limitations necessary to protect the entity and its directors, officers and employees from liability, and other contractual terms as applicable to the business.
  2. Privacy Policy. As with the Terms of Use, many sites merely copy this important policy from a third-party site and change the names.  Please be aware that the FTC does not hesitate to impose substantial fines, penalties, and burdensome compliance requirements on entities that fail to comply with their own privacy policies or applicable privacy laws.  The first step in crafting an adequate Privacy Policy is to analyze exactly what data is collected from the site’s users (both personally identifiable data such as the user’s name and email address, and non-personally identifiable data such as the referring URL and pages viewed within the site).   The policy should disclose how and when data is collected, used, stored, and shared, and how the user may change the data collected or have personal data deleted from the site’s records.  The FTC’s mantra is typically “do as you say and say what you do,” so rather than being concerned with what is “right,” focus instead on being accurate as to your actual data collection and use practices, and be sure to comply with your own policy.  There are also specific privacy related laws applicable to users in California, children under 13, international users, and laws specific to certain industries or types of data, so it is crucial to consult with an attorney experienced in data privacy laws.
  3. Copyright Infringement. Some nonprofits have an inadequate understanding of the “fair use” doctrine, and believe that because a third party’s photos, articles, or other material will be used by a nonprofit, they do not need to obtain the owner’s permission before displaying it on their website.  Others believe that providing credit to the source is all that is needed to feature a third party’s material on another site.  Both beliefs are wrong (although I must give the typical lawyer’s caveat of “it depends…”), and could lead to claims of copyright infringement if those approaches are followed.  Penalties for infringement in a civil suit can easily amount to hundreds of thousands of dollars (again, depending on the circumstances) and if the infringement is “willful,” criminal penalties (including imprisonment) may be imposed.  Before using a third party’s content on your site (or in your site’s RSS feeds, emails, social media platforms, or other means by which your site promotes its content) be sure to obtain a written license from the copyright holder specifically addressing all manners, media and formats of intended use.
  4. User Registration. If your site allows users to register (for example, to sign up for the site’s email newsletter) the site should take the additional step of obtaining “double opt-in” consent from the user before placing a user on its email lists.  “Double opt-in” means that the user must take two actions:  first, entering the user’s email address on the site where indicated, and then, after receiving a confirmatory email from the site (to the email address just entered), the user must either reply to the email or click on a link in the email, in order to actually be placed on the email list and activate the registration.  This process is strongly recommended to keep sites off of certain “spam black-lists”  to which major Internet service providers (“ISPs”) subscribe.  If a site inadvertently becomes labeled as a “spammer” and ends up on one of these lists, all emails originating from the site’s domain are often placed into the recipient’s spam folder, if not blocked by the ISP altogether.  Once a site is on one of these black-lists, it can be extremely difficult to clear its name and get off the list.
  5. “Full Disclosure” Failures. The scenario is common: a website posts a user testimonial, featuring a glowing review of the organization and describing how the organization has helped the recipient… a picture-perfect example of the nonprofit’s fulfillment of its mission.  However, imagine that the user failed to disclose that she is the daughter of the nonprofit’s executive director, a fact that, if known, would surely color the reader’s impression of the testimonial.  To avoid any impropriety (and to comply with the FTC’s Guidelines for Endorsements and Testimonials), nonprofits need to ensure that favorable online endorsements clearly disclose any fact that could impact the reader’s opinion of the review’s impartiality.  If someone receives anything for free or otherwise receives a benefit from or has a material connection with an organization that would not be apparent to the public, that connection or benefit must be publicly disclosed when the person gives a favorable endorsement online.  For example, if an endorser received a product (book, software, etc.) or service without charge as an incentive to write a review (assuming others typically pay for the same product or service), the freebie must be disclosed.  Similarly, if the testimonial is written by someone having a significant relationship with the organization (a current employee, relative of an officer, etc.), the relationship must be disclosed.   This requirement is extensive—the monetary threshold of the benefit received does not have to be significant, so keep this in mind for all online endorsements and testimonials.

Stay tuned for “Part 2” in which we’ll discuss user-generated content, data security, international users, domain name issues, and contract formation.

Deborah Shinbein has been helping clients with Internet, technology and media law matters for over 15 years. She held legal positions at The Walt Disney Company and, as well as at major law firms, before recently forming her own Denver, CO based law firm.  She has no affiliation with Schauble Law Group LLC. Feel free to send questions to or visit   

See Our Services