Law Enforcement and Government Demands Policy

1. Introduction

GoFundMe Group, Inc. and its subsidiaries and affiliates (collectively, “GFM“) are committed to maintaining the privacy of employees, customers, and other individuals (collectively, “Data Subjects“) and adhering to the data privacy regulations that apply in the many jurisdictions in which it operates while also making reasonable efforts to cooperate with appropriate law enforcement requests for assistance and information. Therefore, GFM’s business records and other non-public or confidential information about its employees, customers, or other individuals (collectively, “Records“) will generally not be released without proper legal process. This Law Enforcement and Government Demands Policy (“Policy“) establishes the principles that GFM will follow when responding to national security, law enforcement, regulatory, and other legal requests and is intended to guide GFM employees and representatives regarding situations in which Records may be properly disclosed to law enforcement agencies, supervisory authorities, and other government entities (collectively, “Government Authorities“).

2. Scope

This Policy applies to all GFM departments and employees, as well as contractors, temporary employees, outside consultants, or other representatives working on behalf of GFM who possess, control, or otherwise have access to Records. 

3. Production for Valid and Binding Orders Only

As a general rule, GFM will only respond to formal, legitimate, and applicable court orders, subpoenas, search warrants, or other legal demands compelling the production of Records (collectively “Orders“) by Government Authorities. Other than in circumstances in which Government Authorities provide sufficient information to demonstrate that an emergency involving imminent threat of death or serious injury to any person, terrorism, cyber-terrorism, kidnapping, contagious viruses or any other emergency as deteremined in good faith by GFM in consultation with the Legal Department and the Trust & Safety Team requires disclosure of specific Records without delay (“Exigent Circumstances,” discussed further below), GFM will not engage in the production Records where: 

  • The Order is non-binding. GFM will not provide Records in response to informal or other non-binding inquiries. GFM will inform the requester of its Policy on this issue.
  • The Order is extra-territorial. GFM will consider as extra-territorial and non-binding any requests to a specific GFM entity in a different jurisdiction than the requesting entity. GFM will inform the requester to utilize mutual legal assistance treaties (“MLATs“), the Hague Evidence Convention, or other comparable arrangements to seek the Records. Extraterritorial requests will be handled in accordance with Section 11.
  • The Order has a legal defect. GFM will not provide Records in response to an Order that is improperly served, overly broad, or otherwise subject to material legal defect. GFM will decide whether to seek a clarification of the Order or resist the Order.  

4. Assessment of Privacy Law Considerations

Even if an Order is valid and binding as per Section 3, GFM will seek to avoid production where such activity would create a material risk of non-compliance with applicable privacy, data protection, and other data regulations (“Privacy Law“). In evaluating these Privacy Law risks, GFM will consider the Privacy Law obligations applicable to: (i) the specific GFM entity that is served with the Order; (ii) the specific GFM entity that is the contracting party with the Data Subject to whom the Records relate; and (iii) the relevant Data Subject. 

5. Potential Conflicts

In potential conflict situations, where a valid and binding Order to produce Records would create a material risk of non-compliance with applicable Privacy Law, GFM will make a strategic decision as to whether and/or how to respond. The decision will take into consideration the likelihood and severity of the legal, reputational, business, and other consequences of non-compliance with the Order on the one hand, and of non-compliance with Privacy Laws on the other hand. 

6. Service of Process within Corporate Structure

Due to strict Privacy Law requirements in the various jurisdictions where GFM operates, Orders must be served on the GFM entity that controls the requested Records. Orders served on one entity pertaining to Records held by another parent, subsidiary, or affiliate entity will not be honored. In some cases, this may mean that multiple Orders must be served on various GFM entities to obtain all potentially relevant information. Although a Point of Contact (defined below) from one GFM entity may assist Government Authorities in identifying a Point of Contact at the correct entity, a Point of Contact from one entity may not handle or respond to Orders relating to Records held by another entity.

7. Procedure for Handling Records Requests

When a Government Authority presents an oral or written Order to a GFM employee or representative, the employee or representative should refer the Government Authority to the GFM Legal Department or its designees at GFMLegal@gofundme.com (“Point of Contact“).

A Point of Contact who receives a request for Records from a Government Authority shall conform to the following procedures: 

7.1. Basic Form 

Except for Exigent Circumstances, all Government Authority requests for Records must be submitted in writing. The written request must include the following information to allow the request to be verified:

    • Name of the Government Authority;
    • Name and title of the individual submitting the request;
    • Contact details of the Government Authority (e.g., email and phone number); and
    • Verifiable physical return address.

7.2. Unique Identifiers

Orders must include identifiers unique to the specific Data Subject(s) and sufficient information to accurately and narrowly identify the Records to be produced. Data Subject name without additional information (e.g., date of birth, contact details, job title or function for employees) is not a sufficiently unique identifier that would allow GFM entities to identify a Data Subject.

7.3. Scope

Orders should be as narrow and specific as possible to avoid misinterpretation, delay, or objections in response to overly broad requests. Orders should provide enough details to produce only information related to the Data Subject(s) at issue. Orders for information not included within the body of the signed subpoena, search warrant, or court order will be disregarded.

7.4. Content

Requests for content (e.g., employee disciplinary or medical records, employment-related communications, verbatim records of customer or other third party communications, recordings) should be in the form of a search warrant supported by probable cause which has been approved by a court or a comparable mandatory Order under applicable law.

7.5. Examination Procedure

The Point of Contact shall examine Orders for legal defects, including: (i) the manner in which it was served; (ii) the breadth of the request; (iii) its form; or (iv) an insufficient showing of good cause made to a court. If a material defect exists, the Point of Contact shall determine whether to seek clarification of the Order or whether to resist the Order, consulting with supervisory counsel or outside counsel as necessary.

8. Form of Delivery (Electronic Delivery)

In the United States:  GFM will accept service of Orders electronically by web form here from law enforcement agencies only provided that they are received from an official law enforcement email account or fax number; no physical delivery is necessary in these cases. GFM will accept subpoenas or orders for production by any competent court by web form here.  Alternatively, GFM will accept service to GFM’s registered agent for service of process.

Elsewhere in the World:  GFM will not accept service of Orders electronically, unless GFM’s prior written consent is obtained in each instance. Instead, service shall be accepted only when pursuant to Sections 3 and 11. 

9. Protective Orders

If disclosure is required, the Point of Contact should consider whether it is appropriate to ask the Government Authority and/or any relevant court to enter a protective order to keep Records confidential and limit their use. For example, the Point of Contact might consider doing this in circumstances where Records include GFM trade secrets or other proprietary and confidential information.

10. Production Procedures

If proper to produce Records in response to an Order, the Point of Contact will review the information that may need to be produced in response to the Order before releasing the Records, and will follow the Order strictly with the intent to avoid providing any information that is not specifically requested in the Order, including, where deemed appropriate by the Point of Contact, by redacting portions of the Records. The Point of Contact may also consider whether to seek a reduction in the Order’s scope with the Government Authority.

11. Extraterritorial Requests

Where an Order from a Government Authority in one jurisdiction seeks to compel the production of Records held or controlled in another jurisdiction, the Point of Contact shall examine whether there are any jurisdictional limitations applicable to the Order and/or whether the production of the requested Records would give rise to potential issues under Privacy Laws, anti-investigatory or blocking statutes, or other local Records production restrictions (“Data Restrictions“). The Point of Contact’s review of these issues typically will involve analysis of applicable Data Restrictions (which may require that the Government Authority utilize MLATs or similar agreement), as well as terms in the relevant GFM privacy policies and procedures. Unless Exigent Circumstances exist, it is the policy of GFM not to respond to an Order that exceeds the jurisdictional reach of the requesting Government Authority, and not to violate applicable Data Restrictions when responding to Orders.

Moreover, except in Exigent Circumstances, data shall not be moved from one controller or jurisdiction to (or in) another to facilitate access by Government Authorities. In situations where an applicable Order without legal defect would require the production of Records in a manner that is contrary to applicable Data Restrictions, the Point of Contact shall determine how to respond, consulting with supervisory counsel or outside counsel as necessary. The GFM entity subject to such an Order shall encourage the Government Authority to utilize any MLATs or other comparable arrangements that would facilitate the production of the requested information in a manner that is consistent with any applicable Data Restrictions.

12. Exigent Circumstances Procedure

As noted above, Exigent Circumstances are circumstances in which the Government Authority provides sufficient information to the Point of Contact such that the Point of Contact, in consultation with the Legal Department and the Trust & Safety Team, believes in good faith that an emergency involving imminent threat of death, terrorism, kidnapping, contagious viruses, or serious physical injury to any person required disclosure of specific Records without delay. A law enforcement officer seeking to demonstrate that Exigent Circumstances exist must be able to sufficiently verify his/her identity (i.e., present a badge or other appropriate government identification) and the nature of the Exigent Circumstance.

In cases of Exigent Circumstances, GFM is permitted, but not required, to voluntarily disclose information, including Records, to law enforcement. Any such disclosure should be narrowly tailored to address the Exigent Circumstances that justify the disclosure. Likewise, GFM may decline or defer the production of Records in response to a valid and binding Order if GFM believes that such production could give rise to serious physical injury to any person or other Exigent Circumstances are apparent. 

13. Data Subject Notification and Consent

GFM reserves the right to notify Data Subjects about whom Records are being sought in response to an Order, except where providing such notice is prohibited by the Order itself or by law. GFM also reserves the right to seek Data Subject consent to disclosure of the relevant Records.

In any case in which an Order is made for Records pertaining to one or more Data Subjects, the Point of Contact should determine whether notice to the Data Subject is permitted, and if so, whether it is appropriate. Factors to consider include whether the request relates to a current or former employee or other Data Subject with whom GFM has or had a relationship, whether current contact information for the Data Subject is available, and whether the Point of Contact believes that providing notice could create a risk of injury, death, or other serious matter. The Point of Contact may consult with supervisory counsel or outside counsel as appropriate in making this determination and may consult as to whether the release of Records would be valid and replace the need for an Order. Whenever possible, GFM will honor verifiable Data Subject consent for the release of Records pertaining to that Data Subject. No Order is required in such situations.

14. Preservation Requests

Requests to preserve information from a valid legal authority should be directed to a Point of Contact. Any such preservation request should be made in writing and contain the identifying characteristics listed in Procedure for Handling Records (Section 7 above). Preservation requests must include sufficient information to accurately and narrowly identify the information to be preserved. In most cases, Data Subject name without additional information (e.g., date of birth, contact details, job title or function for employees) will not be sufficient to allow GFM to identify the Data Subject.

Upon receipt of a properly completed preservation request, the Point of Contact shall coordinate with the Head of IT to ensure that any responsive Records are stored only for periods required by applicable law or 90 days. Following the expiration of applicable retention periods, the preserved material will be routinely deleted, unless an extension request is received from the Government Authority.

15. Court Orders for Witness Testimony

GFM shall not waive service requirements for subpoenas or other court orders seeking witness testimony. Any such court orders must be served either personally upon the person to whom it is directed or upon the applicable GFM registered agent for service of process; electronic means are not acceptable. GFM shall resist subpoenas for witness testimony that are served with fewer than 10 business days’ advance notice.

16. Civil Subpoenas

In the United States:  Civil subpoenas can be served physically on the relevant GFM entity or its registered agent for service of process, by via this web form. A Point of Contact should review any civil subpoena to confirm that its service was proper, it is legally binding, and its scope is reasonable. Civil subpoenas from one jurisdiction served on a GFM entity in another jurisdiction will normally be non-binding. The Point of Contact may consult with a supervisory counsel or outside counsel as appropriate when making these determinations. 

Elsewhere in the World:  GFM will not accept service of civil subpoenas electronically, unless GFM’s prior written consent is obtained in each instance. Instead, service shall be accepted only when pursuant to Sections 3 and 11.  

17. Confidentiality

GFM recognizes and values its customers’ and employees’ legitimate expectations of confidentiality. In connection with any Order, GFM employees and representatives:

  • Must only access and process Records on a “need to know” basis and with proper approvals.
  • Must only utilize approved GFM systems for the storage and processing of Records. 
  • Must not discuss, reveal, or otherwise provide access to any Records outside of GFM, except as permitted in this Policy.
  • Must not speak publicly about business-related topics that may involve the release of Records.

18. Penalties for Violation of this Policy

To the extent permitted by applicable law, employees and representatives shall be held responsible for violations of this Policy; discipline for violations may be up to and include termination for cause.

19. Questions and Contact Details

If you have any questions about this Policy, you may contact GFM by emailing GFMLegal@gofundme.com.