ICF Internet Fundraising Guidelines | Introduction
UK charities have been using the Internet since the mid-1990s. Today, the number of charities using the Internet in increasingly diverse ways is mushrooming, and with it grows the range and number of online fundraising opportunities that they are being offered. Charity web sites spring up in different ways, and very often the 'advisor' or the 'expert' being used can have little or no knowledge of the charity and its fundraising practice. It is therefore timely that charity fundraisers are given some guidelines on best practice and the opportunity to take a full and informed role in the development of their organisation's online conduct.
The committee which developed this guide brought together a wide range of relevant skills. These included legal, consultancy, online donation handling, online event management, trading, research, and web publishing. Fundraisers and suppliers/agencies were both represented.
The guidelines presented here address Internet fundraising in two parts. Firstly, they cover your own organisation's web presence in terms of its web site(s) and e-mail communications. Secondly, they cover relationships with third parties who provide charities with a wide range of online services. They are designed to be used by all members and affiliates of ICF.
A basic awareness and experience of the Internet is assumed but otherwise the guidelines are designed both for those new to using the Internet to fundraise and for those with more experience.
Many of the guidelines will be familiar, since rules covering data protection, trading, contracts and other legal requirements apply as much to online fundraising as to traditional fundraising. Ethical considerations are included also but for the largest part the guidance is of a practical nature.
The Internet is a vast field and, whilst not every aspect can be covered here, in their entirety the guidelines may still appear onerous to some organisations. Not all of what is contained here will apply in every case.
The guidance can easily be prioritised into what is law, what is specifically recommended by the ICF and what is understood to be best practice. Charities must balance the information offered here with their organisation's overall context and priorities and form their own judgements. Nevertheless, we would caution ICF members and affiliates to pay attention to the fact that managing your charity's Internet presence and fundraising is also about managing your charity's reputation and risk. Charities have been known to mischaracterize their relationship with a dotcom as philanthropic or to fall into unrealistic contracts but, as with any contract for service, charities should consider all their online agreements carefully and enlist the advice and expertise of relevant people where they have any doubts or concerns. There can simply be no replacement for due diligence in both the short and the long run for any charity embracing the web.
Finally, these guidelines focus explicitly on fundraising using the web and e-Mail and do not specifically address other new media issues and channels such as digital TV, mobile telephones and handheld devices. The advice here is intended to be general enough to be useful when considering other media. We have made every effort to avoid built-in obsolescence wherever possible.
We would encourage anyone who has a query, an issue or an addition to these guidelines to contact the ICF. It is our intention to ensure this document is updated at appropriate intervals, to keep pace with the inevitable changes in online fundraising practice.
FUNDRAISING USING YOUR CHARITY'S INTERNET PRESENCE
Online handling of personal data
The capture and handling of personal data online can be a sensitive area, particularly when it comes to the methods used to capture information on visitors. Transparency is usually the best policy. The Data Protection Act 1998 specifically covers the handling of personal data using the Internet.
Do not use unencrypted pages for taking credit card payments or donations.
Do not use unencrypted e-Mail to send or receive credit card payments or donations and actively discourage people from e-Mailing their credit/debit card numbers to your charity.
State clearly on your Web site, e-Mail list or other communication how you will use individuals' personal data, e.g. to mail or e-Mail supporters with information related to your charity or other organisations' sites, products or services; to contact supporters in the event of a necessary communication exchange requested by you or initiated by your charity, such as to confirm or check supporters' donation details; to use in aggregate form, that is not personally identifiable, for analysis to help your charity improve its services and products.
Ensure that any consent obtained complies with the Data Protection Act 1998.
Explain clearly how individuals may edit or delete their details at any time, or request such changes.
Personal data should either be held offline and not on the live Web server or be held securely behind a firewall or in a non Web-accessible database to prevent unauthorised access.
ICF recommends that you be as transparent as possible, for example in declaring how you intend to use personal information collected by your charity's Web site. Cover how your visitors' movements/activities are tracked (if at all) and whether income is generated simply by clicking through links to commercial participators.
Fundraisers should at no time use or encourage unsolicited commercial e-mail (spam), where individuals have not given their consent for their details to be released or used.
Fundraisers should understand that currently even the use of legitimate e-Mail lists purchased from third parties can cause donor resentment and damage public confidence in the sector.
Acceptable Use Policy
In using the Internet to fundraise and conduct other activities charities will give Internet access to paid staff and volunteers. In doing so charities should act to protect both the organisation and individuals from any use or misuse of this access. Charities should seek legal advice on establishing such an Acceptable Use Policy.
Such a policy could include the following issues:
Whether personal use of the Internet is acceptable, and if so at what times.
Instruction in responsibilities with regard to adhering to copyright and other intellectual property legislation.
Whether access to certain Internet resources, e.g. pornographic Web sites, is not permitted from a charity PC / Mac or other access device.
Staff should be expected to monitor and respond to e-Mail messages within a set period.
Compliance with requests to remove e-mail addresses and other personal data from your charity's database.
The transmission of e-Mail that may be deemed harassing, libellous, defamatory, obscene, threatening, abusive or hateful to recipients.
Avoidance of propagating chain e-mail letters, virus warnings, and other inappropriate attachments.
The more advanced the site, the more chance that all sorts of different copyright works have been used e.g. photographs, music, film, sound, graphic design and animation. Check you have the necessary global permission to use any copyright works not created by employees of the charity.
If your Web site has been designed by an agency, get them to warrant that the site does not infringe any third party rights and that you have the necessary licences to use all the software involved in running the site. Some specialist software companies will give permission free of charge to charities.
Check as well that all assets and integral components e.g. scripts, used to create the sites are assigned to you on delivery; this should be clearly stated in the contract. For example, components could include copy, code, programs, images and sound files. However, this may not be always possible. Some companies share code across clients, and therefore cannot assign the intellectual property rights to a single client. In these instances, you should insist that your charity is given a lifetime licence to use the code and develop it 'for non-commercial gain'. It is also handy to ask for a detailed style sheet of the site's design so that you know which fonts and colours have been used.
You should not infringe someone else's intellectual property in other ways, e.g.:
words used as metatags can infringe registered trade marks (so ensure that you have permission to use them)
linking to other sites without permission could give rise to copyright infringement claims. It is good practice to seek such permission. You might also choose to ensure that external sites linked to on your charity's site open in a new, separate browser window, so that you do not alter the external site's page layout in any way.
If your Web site includes a chatroom, or noticeboard, guestbook, or archived copies of e-mail discussion lists, then you could be held liable if you allow libellous statements to be published on the site, however temporarily.
ICF recommends that you speak to your legal advisor and your charity's insurance company to establish what kind of AUP best suits your charity. This will help you to identify areas where you need to protect yourself or your staff and limit any liability you may have. In most cases you can assume your Internet activities are excluded from your insurance cover unless you have asked explicitly for them to be assessed.
Minimum legal statements for a Web site
ICF recommends that all applicable items from numbers 1 to 6 should be included on your web site and that a copyright symbol should appear on every relevant page.
Company registration number
Privacy policy
Security statement (on personal data handling)
Copyright statement
Terms and conditions of use, and disclaimers e.g. regarding accuracy or currency of data, and external links to third-party Web sites.
Charities should also consider displaying prominently and consistently their logo or trademark, together with the logos of any relevant membership organisations or kitemarks to which they belong or subscribe.
If your organisation is a registered charity with gross income in the last financial year of more than £10,000, then its status as a registered charity must be stated in English on all documents soliciting money (Charities Act 1993 Section 5). It is sensible to assume that documents soliciting money include web-sites and emails soliciting money. Anyone who designs a site and fails to include this is guilty of an offence and liable to a fine of up to £1,000. The charity number should also be included as a matter of course, as this will give some donors a sense of security that their money is going to a regulated charity. Of course, some charities may wish to have the site owned by their trading subsidiary.
Remember that codes of practice such as the British Codes of Advertising and Sales Promotion apply equally to the Internet. Charities that are companies should also show their registered company number, status and registered office address.
Setting up secure/encrypted online donation systems
Authorising payment by credit or debit card securely on the Internet requires expensive, complex hardware and software systems. It is much easier and substantially less expensive to contract a third party to authorise credit and debit cards online for your charity.
Before you can accept credit/debit card donations via the Internet you should have:
A bank business account
An online merchant ID (arranged by the bank)
Optional online BACS authorisation for paperless direct debit
A Web site
These are not essential, but will reduce costs and increase the number of suppliers who will deal with you if you have them. Once these elements are in place, you will need to set up a secure payment system, where credit/debit cards are authorised online.
There are more than a dozen companies that securely authorise credit card payments/donations via the Internet in the UK. Some companies will charge a set up fee (anywhere from between £100 to £2,000), others will not. Most companies will charge between 0% and 5% of each donation to maintain the service: 5% is the commercial rate and 2% is the average charity rate. If you receive a free service, you might not be entitled to much support.
See Appendix 1 for a checklist on selecting a secure online credit card handling supplier in terms of range of services, security, handling of fraud, administration and reporting. ICF recommends that you read the contract with your Internet credit card payment provider carefully. Check to see where you are required to indemnify or otherwise protect the company against any legal action or injury. Consider your rights and responsibilities, the company's and the customer's. Do not sign anything with which you are not entirely happy. If in doubt, ask the service provider to give you examples of what particular clauses could apply and ask if any cases have arisen already.
Trading: selling goods or services via the Internet
Current legislation prohibits the sale of charity society lottery tickets via the Internet. This is because the lotteries legislation prohibits sale of society lottery tickets by machine. If you are selling goods via the Internet (for example, you have included your usual catalogue on the charity's Web site), then you must make sure you comply with The Consumer Protection (Contracts Concluded by Means of Distance Communication) Regulations 2000. These came into force on 31st October 2000.
If you are advertising fundraising events run by the charity's trading subsidiary (such as challenge events) or if you are advertising merchandise sold through the trading subsidiary, you do not necessarily need a separate site for the trading company's activities (though there may be VAT benefits to doing this). But the relevant pages should make clear they are activities carried out through the trading company. The charity should recover from the trading subsidiary a proportion of the costs involved in setting up and servicing the site.
Global issues
One of the difficulties with the Internet is that while you could (and should) make sure that your Web site complies with all relevant UK law, it currently seems an impossible task to ensure a Web site complies with the laws of every country from which it could be accessed. However, some countries (and in particular some US states) are taking active steps to require Web sites accessible by their nationals to be compliant with their local laws.
Ways to minimise risk include:-
make clear that your site is only intended for fundraising in the UK
ensure you can react quickly if a problem arises and you need to change the content of your site.
FUNDRAISING USING A THIRD-PARTY'S INTERNET PRESENCE
Practical
Charities are receiving offers from third-party organisations such as companies and non-profits to provide online fundraising services. These include online shopping malls, cause related marketing programmes, online events management, donation handling services and many other services.
To assess the benefits of proposals from such third-party organisations it is worth considering the following:
Avoid signing exclusivity agreements as these can limit your charity's options.
Is the organisation's contract flexible enough to cover your charity's requirements and concerns? Will the organisation adapt it to meet your needs?
Would you as an individual buy in to the proposed service?
Can you work with the staff at the organisation? With new start-up companies without a track record, this can be one of the few key elements on which you can judge them.
Will the site be accessible to people with disabilities using the Web? Do not deny yourself a large market: for example, 1.7 million people in the UK have serious uncorrectable sight loss. Is the organisation aware of the Web site amendments required to address this issue, and will they undertake to address them?
Promote accessibility of all fundraising materials to all Internet users irrespective of disability.
Ensure reasonable backward compatibility of material with regard to browser software and type of hardware. This is most easily done by providing a text only version of the site. RNIB publishes guidelines at www.rnib.org.uk/access. Alternatively, sites can be checked using a free service from CAST.
Conduct due diligence checks to find out if the organisation and its business are sustainable. How is it funded? What commitments does it owe to its financial backers and shareholders? Is its business plan realistic? Seek references from the organisation's bank and from other participating charities and business partners where possible.
What does the organisation ask of participating charities in terms of marketing? Is the marketing planned by the organisation realistic and sustainable? Avoid organisations that expect charities to conduct all the marketing activity on their behalf.
Can the organisation provide you with statistical reports on the number and quality of visitors generated by its marketing?
How will you allow your charity's name and brand to be used by the organisation in its efforts at audience acquisition?
Is there a limit on the number of charities or the number per market sector? On some sites this will increase income for participating charities, on others it will limit it.
Does the organisation's site take other forms of online payment in addition to credit cards e.g. direct debit payments from bank accounts? This could expand the number of supporters likely to make an online transaction at the site.
Have they taken into account tax efficiency issues and are they able to offer online tax reclamation of any donations?
What is unique about the organisation's offer? Why should your charity work with them and not similar online fundraising companies?
With regard to trading Web sites, does the organisation offer a customer charter covering issues such as their delivery commitments and their returns and/or refund policy? Is this acceptable?
What is the revenue split in shared revenue schemes between the organisation and your charity? How long will it take the money to reach your bank account?
Does your charity incur any costs e.g. for marketing, bank fees, receipts of acknowledgements to donors?
Does your charity need to consider acquiring insurance or indemnities with regard to liability?
Consider preparing a response to offers and enquiries from Internet fundraising companies. Set out your fundraising plans and minimum requirements from organisations you are prepared to work with. For example, do you have ethical trading criteria? What documents do you expect to see from an organisation? This checklist will help you assess approaches made.
A response to an approach from an online fundraising organisation could be:
Compare the proposal with your charity's checklist e.g. exclusivity, financial data, ethical concerns, your fundraising priorities.
Educate them and request that they submit a proposal specifically for you.
Evaluate the proposal and decide on the options available.
If you decide to continue, perform due diligence and sign a contract that reflects your charity's requirements.
ICF recommends that you take care not to confuse offers and arrangements with dotcoms or commercial services providers as philanthropic initiatives. Avoid services where the company cannot offer you some evidence of its sustainability and audience potential. These things can be more time-consuming and wasteful than they appear at first!
Contracts
Contracts can be time-consuming and difficult to understand. The Internet arena is no exception. All the more reason to exercise due diligence and consult with others to ensure that you are comfortable with what you are signing up to and that you are being treated fairly.
ICF recommends that you show any agreement to your charity's compliance officer, financial director, legal firm or insurance company before signing. Consider drawing up your own contract or seek amendments to the standard contract offered by the organisation.
Avoid signing Non Disclosure Agreements. Consider offering written confirmation that all conversations, whilst active, are commercial and in confidence and will not be shared.
Contracts with online fundraising organisations may need to comply with the Charities Act 1992 and its definitions of commercial participator or professional fundraiser. In these cases, the obligations to make statements and have agreements covering minimum terms will apply.
Be clear what your charity's liability could be should anything go wrong. A formal agreement should specify the degree of liability which the Internet-based service provider assumes to the donor, the charity and third parties for information, transaction handling and losses related to the Internet-based service provider's administration of a donation. Consider financial losses and brand reputation.
Include a termination clause in the Service Level Agreement, such that the contract can be terminated if customers are not receiving a sufficiently high quality of service. Immediate termination should come into place if the partner brings the charity's name into disrepute, and income from existing customers should still be protected even though the active agreement fails.
Contracts should specify explicitly data ownership, not only of standard personal data but also of related data e.g. tracking of individuals' preferences and movements throughout a site via cookies and other methods.
Contracts regarding licensing or syndicating content should include delineating responsibility for a charity's content on an external/third-party site.
In certain cases, service level agreements should be established. These should make clear issues such as:
Will you have a dedicated account manager?
If yes, how many other accounts does s/he manage?
Can you speak directly to the technical support team?
What levels of service are guaranteed?
How are you compensated if they are not met?
How important is your organisation to the supplier? If your business accounts for less than 0.1% of the supplier's turnover, you are unlikely to receive a premium service so you might do better with a smaller supplier.
The level of service, security and customer care offered by online credit/debit card processors varies dramatically. When choosing an online credit card processor, it would be advisable to ask the following questions:
Range of services
1. Do they process both credit and debit cards, including Switch cards? It is advisable to go with a supplier that processes both.
2. Can they process donations of any amount? Or is there a minimum amount? It's advisable to go with a company that offers a zero floor limit. Does the usage charge increase for small payments?
3. Do they process in multiple currencies? If you choose to process only pounds (you are charged for each additional currency), this does not mean that people using foreign credit cards won't be able to donate, it just means that all donations will be made in pound amounts and the donor will have to do the maths. Do they charge extra for processing multiple currencies?
4. Can they process tax efficient donations e.g. Gift Aid donations? Very few online credit card processing systems are designed with charities in mind; it is advisable to ensure that the company you choose can meet your special requirements.
5. Do they offer paperless direct debit? Very few online credit card processors currently do. This may also have a very high set-up and running cost.
6. Can they process transactions where donors have come straight into the donation page from an affiliated web site? (This can cause security issues, so needs to be carefully handled.)
Security
1. Do they process credit card payments for gambling or pornography web sites? The majority of online fraud occurs in these areas and charities may choose to avoid online credit card processors that are involved in these industries.
2. When credit card payments are processed, what kind of security is in operation? Is online live authorisation of cards (involving no storage of details) sent over a Secure Sockets Layer-encrypted (secure) link? Are all card details inputted on their site sent through both offline (expiry date and hot/stolen card server) and on-line (hot/stolen card server, sufficient funds, authorisation) checks to prevent use of stolen or lost cards on their site?
Can a maximum number of failed attempts to make a donation with one credit card be set?
Can a maximum number of successful donations made with one credit card be set?
Can a maximum number of failed attempts to make a donation from one IP address, which details the location of a specific computer, be set?
Is the donor's e-Mail address validated before the credit card is authorised?
Fraud
1. Credit card fraud is a major problem on the Internet. Fraudsters typically obtain credit from lists of stolen cards published on the Internet, or by using illicit programmes to produce lists of algorithmically allowable card numbers. Fraudsters use charity sites to test stolen credit card numbers, because they don't have to go through the lengthy process of purchasing a product. Once they have used you to authorise a card, they will abuse it on other sites.
2. It is currently against the Data Protection Act in the UK and Germany to capture and cross-reference someone's postal address with his or her credit card number on the Internet. As a result the billing address of credit cards used online is not verified by the online credit card processing company. Because this law has made online fraud in the UK and Germany easy, the credit card companies, banks and UK government are currently re-evaluating the law. It may be revoked in April 2002. In the meantime, if you plan to ship goods to someone who has purchased them via your Web site, you should always verify that the address provided is the billing address associated with the credit card.
3. When should you be suspicious that a donation could be fraudulent?
The same credit card number is being used from different countries.
The same e-Mail address is being used in conjunction with different credit card numbers.
The same postal address is being used in conjunction with different credit card numbers.
Many donations are made in rapid succession from the same IP address (an IP address details the location of a specific computer).
The donation is very small (£1 donations should be carefully examined).
A free web-based e-mail address is used, such as Hotmail. Many are legitimate, but when combined with any of the above the donation should be very carefully examined.
The e-mail address does not match the IP address of the machine the donation was made from.
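The indicators listed above can be checked mechanically over a processor's donation report. The following Python sketch is an added example, not part of the ICF guidelines or of any processor's software; the record fields, the thresholds (three donations from one IP address within ten minutes, £1 as "very small") and the webmail domain list are assumptions, and the sample donations are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed list of free webmail domains; the guidelines name only Hotmail.
FREE_WEBMAIL = {"hotmail.com"}


@dataclass(frozen=True)
class Donation:
    ref: str             # donation reference (hypothetical field names throughout)
    card_token: str      # processor-issued token, never the card number itself
    email: str
    postal_address: str
    ip: str
    country: str         # country the processor resolved for the IP address
    amount_pence: int
    when: datetime


def _normalise(text):
    """Lower-case and collapse whitespace so trivial variations still match."""
    return " ".join(text.lower().split())


def flag_donations(donations, burst_count=3, burst_window=timedelta(minutes=10),
                   small_amount_pence=100):
    """Return {ref: sorted indicator names} for donations that trip any indicator.

    The e-mail/IP mismatch indicator is omitted: it needs a network lookup.
    """
    countries_by_card = defaultdict(set)
    cards_by_email = defaultdict(set)
    cards_by_address = defaultdict(set)
    by_ip = defaultdict(list)
    for d in donations:
        countries_by_card[d.card_token].add(d.country)
        cards_by_email[_normalise(d.email)].add(d.card_token)
        cards_by_address[_normalise(d.postal_address)].add(d.card_token)
        by_ip[d.ip].append(d)

    # Sliding window per IP address: mark every donation that is part of a burst.
    in_burst = set()
    for items in by_ip.values():
        items.sort(key=lambda d: d.when)
        start = 0
        for end in range(len(items)):
            while items[end].when - items[start].when > burst_window:
                start += 1
            if end - start + 1 >= burst_count:
                in_burst.update(d.ref for d in items[start:end + 1])

    flagged = {}
    for d in donations:
        hits = set()
        if len(countries_by_card[d.card_token]) > 1:
            hits.add("card_seen_in_multiple_countries")
        if len(cards_by_email[_normalise(d.email)]) > 1:
            hits.add("email_used_with_multiple_cards")
        if len(cards_by_address[_normalise(d.postal_address)]) > 1:
            hits.add("address_used_with_multiple_cards")
        if d.ref in in_burst:
            hits.add("rapid_donations_from_ip")
        if d.amount_pence <= small_amount_pence:
            hits.add("very_small_donation")
        # Webmail alone is not suspicious; it counts only with another indicator.
        domain = d.email.rsplit("@", 1)[-1].lower()
        if hits and domain in FREE_WEBMAIL:
            hits.add("free_webmail_with_other_indicator")
        if hits:
            flagged[d.ref] = sorted(hits)
    return flagged


def sample_donations():
    """Constructed records; addresses use documentation-only IP ranges."""
    t = datetime(2001, 5, 1, 12, 0, 0)
    m = timedelta(minutes=1)
    return [
        Donation("D1", "tok_A", "ann@example.org", "1 High St, Leeds", "192.0.2.10", "GB", 2500, t),
        Donation("D2", "tok_B", "x1@hotmail.com", "9 Mill Rd", "198.51.100.7", "GB", 100, t + m),
        Donation("D3", "tok_C", "x1@hotmail.com", "9 Mill Rd", "198.51.100.7", "GB", 100, t + 2 * m),
        Donation("D4", "tok_D", "x1@hotmail.com", "9  mill rd", "198.51.100.7", "GB", 100, t + 3 * m),
        Donation("D5", "tok_E", "bob@hotmail.com", "4 Park Lane, Bath", "203.0.113.5", "GB", 5000, t + 4 * m),
        Donation("D6", "tok_F", "cy@example.net", "7 Elm Ave", "203.0.113.77", "GB", 1000, t),
        Donation("D7", "tok_F", "cy@example.net", "7 Elm Ave", "192.0.2.200", "US", 1000, t + 60 * m),
    ]


if __name__ == "__main__":
    for ref, reasons in sorted(flag_donations(sample_donations()).items()):
        print(ref, ", ".join(reasons))
```

Flagged donations are candidates for manual review, not automatic rejection: a legitimate webmail donor (D5 in the sample) is deliberately left unflagged.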
4. If credit card fraud occurs, what can your online credit card processing company do to stop it? Can they:
Block the fraudster's IP address? Remember that the computer could be located in an Internet cafe, or large organisation such as AOL, or Wanadoo, where many computers can appear to have the same IP address.
Block the fraudster's e-mail address? Most fraudsters use free, Web-based e-Mail such as Hotmail; some online credit card processors will send you a warning when a donation has been made by somebody using this kind of e-Mail address.
Implement an intelligent software system that develops a profile of typical donor behavioural patterns and warns you if a donor's behaviour varies from this norm?
If fraudsters continue to use stolen credit card numbers to purchase products or make donations to your organisation, can the online credit card processor implement what is known as a deferred payment system? Deferred payment systems ring fence funds that have been donated on the individual's credit card but do not actually debit the card for five days. During this time the charity can decide whether it thinks the donation is fraudulent or not. If the charity thinks the donation is fraudulent, it can un-ring fence the funds. If it thinks it is genuine, it can debit the card. However, fundraisers should be aware that this procedure could add significantly to the administrative burden.
Although online credit card processing companies are not liable for credit card fraud, it would be advisable to ensure that your contract with them states that they will do everything in their power to limit fraud and to co-operate with your bank and international police to track down fraudsters, once they have been identified.
5. If credit card fraud occurs, what should you do to stop it?
Report the stolen card numbers to your bank.
Reimburse the cards that have been fraudulently used.
Ask your online credit card processing company to block the fraudsters' e-mail and IP addresses.
Implement a deferred payment system if the fraud continues.
Administration
What kind of online administrative systems are provided?
Can you edit the layout and content of your secure payment pages via the Internet?
Can you use this system to launch one or more new appeals in a matter of minutes?
How many appeals can you run simultaneously? Can they be different e.g. one-off donations, prompted levels of giving, direct debit/regular gifts?
If you are a membership organisation, how many membership ID numbers can they provide you with?
Can you view reports about the number, quantity, and origin (donor details) of donations online at your convenience?
Can you reimburse credit cards that have been fraudulently debited via the online system?
Can you reimburse credit / debit cards for other reasons, not only due to fraudulent use?
Can you utilise the deferred payment system online to un-ring-fence or claim donations?
What kind of security at your charity and at the payment service provider is used to ensure that only authorised personnel have access to the above systems? Passwords? Certificates (digital)? Certain IP addresses only?
Reports
What kind of confirmation does a donor receive after having made a donation? An e-Mail sent instantly by the credit card processing system? Can this e-Mail be customised or changed? Can your charity do this over the Web? Is there a charge for this? How long does the change take to effect? Can different e-Mails be sent to different people?
How do they report back to you about donations:
Is an e-Mail sent to you every time a donation is made?
Is a daily report e-Mailed to you about all the donations that have been made that day?
Is a monthly report e-Mailed to you about all the donations that have been made that month?
What information is provided about donors? IP address? Resolved IP address?
How are the donation reports formatted? It is advisable to ensure that the online credit card processing company can supply you with reports in a format that is compatible with your internal donor database so that every record does not have to be keyed in by hand.
APPENDIX 2
Glossary
Encryption: a method of encoding sensitive data, such as donor records and credit card numbers, so that it might be stored or transmitted safely.
Extranet: a private or restricted access computer network usually operated by an organisation. Unlike an intranet, an extranet is made accessible to other relevant organisations or individuals such as suppliers as well as to the organisation's employees.
Internet Protocol: a standard method of naming and identifying a particular computer connected to the Internet using a unique series of numbers. The shorthand IP is more common.
Intranet: a private restricted access computer network usually operated by an organisation. Information is stored and retrieved in the same method as the Internet but access is restricted usually to company employees.
IP: See Internet Protocol.
Meta tags: hidden information within a Web page that describes the content and other qualities of that Web page. The information does not appear when the Web page is viewed, but is used by search engines to interpret further the text content of Web pages.
Offline: not connected to the Internet or other computer network.
Online: connected to the Internet or other computer network.
Secure server: a server that features encryption facilities. Documents stored and information entered on a secure server can be encrypted and protected from unwanted access.
Secure sockets layer: a standard and widely used method of data encryption.
Server: computer that is connected to the Internet and on which documents are stored. It serves or publishes these documents when requested by other computer users.
Style sheet: a standard method of defining how text and graphics should appear on one or a series of Web pages, including font size, colour and alignment.
Web: See World Wide Web
World Wide Web: a method of storing and retrieving information, including text, graphics, video and sound. Relevant documents on multiple computers are linked using hypertext, a global standard method of connecting.
NOTE: The above document is published and issued by the Institute of Fundraising.
Please view this structured document at their web site.