Nonprofit Fundraising Compliance: 2026 State-by-State Guide

If your nonprofit accepts online donations from residents of more than one state, you are almost certainly subject to charitable solicitation registration requirements in 40 or more states. The forms, fees, and renewal cycles vary by state. The penalties for ignoring them are real. And no, the platform you take donations on does not handle this for you.

This guide maps the 2026 compliance landscape across three layers — state, federal, and platform — for executive directors and development directors who would rather get this right once than redo it under a state Attorney General inquiry.

Quick answer: Most nonprofits that accept online donations are required to register in 40 or more US states plus DC before soliciting in each state, under each state's charitable solicitation statute. The Charleston Principles (from the National Association of State Charity Officials, or NASCO) determine when online activity counts as soliciting in a given state. On top of state registration, federal IRS rules (Section 6115) govern what disclosures must appear on receipts, and state-level rules in Florida, New York, and Washington require specific mandated language on donation pages. Platforms like Stripe, Meta fundraisers, and GoFundMe do not register on your behalf. The most common mistake is treating compliance as a one-time launch task instead of an annual cycle.

What is nonprofit fundraising compliance?

It is the overlapping set of state, federal, and platform rules that govern how a 501(c)(3) is allowed to ask for and receive donations.

Nonprofit fundraising compliance is not one law — it is three layers stacked on top of each other:

• State-level charitable solicitation registration. 40 states plus the District of Columbia require nonprofits to register before soliciting donations from their residents. Each state is its own jurisdiction with its own form, fees, renewal cycle, and audit thresholds. The state Attorney General or a dedicated charities bureau usually enforces it.
• Federal IRS rules. 501(c)(3) status, Form 990 reporting, the substantiation rules in IRS Section 6115 (the language that must appear on a receipt over $75), and the rules around quid pro quo contributions all live at the federal level.
• Platform and processor terms. Stripe, PayPal, Meta fundraisers, GoFundMe, Classy, Donorbox, and the rest of the payment and peer-to-peer ecosystem each have their own terms governing who is the donor of record, who issues the receipt, and what data flows where.

A 501(c)(3) does not get to pick one of these and ignore the others. Mercy USA, an international humanitarian nonprofit headquartered in Plymouth, Michigan with donors across all 50 states, has to navigate all three layers every single year — state registration in every state where it solicits, IRS substantiation on every receipt, and platform terms on every donation method it accepts.

Where must a nonprofit register?

The default answer is: in every state where you solicit donations, which under modern interpretations of the Charleston Principles is effectively every state you reach online.

The Charleston Principles are guidance issued by the National Association of State Charity Officials (NASCO) on when online solicitation triggers state registration requirements. The simplified version: if you specifically target donors in a state (regional landing pages, geo-targeted ads, mailing lists segmented by state) or you receive substantial contributions from that state's residents, you almost certainly need to register there.

For most national nonprofits, that comes out to roughly:

• 40 states plus DC require registration. The list shifts as states update their laws, but the count has been stable in this range for years.
• About 10 states are conditional or do not require registration. Examples include Delaware, Idaho, Indiana, Iowa, Montana, Nebraska, South Dakota, Vermont, and Wyoming. Some have thresholds (no registration required below a certain gross contribution level); some have no registration at all.
• Five states are the high-enforcement watch list: California, New York, Florida, Illinois, and Pennsylvania. These states actively audit registered nonprofits, require independent CPA audits at specific revenue thresholds, and have publicly pursued enforcement against nonprofits that solicited without registering.

Engineers Without Borders USA, with donor activity across all 50 states and chapters at universities and professional firms nationwide, sits squarely inside the case that requires registration in nearly every state — not because it makes a strategic choice to register everywhere, but because its donor base and its online presence give it almost no other option.

Fees, renewals, and audit thresholds

Initial registration fees typically range from $25 to $300 per state, with annual renewals usually between $0 and $200+ depending on the state and the nonprofit's gross contributions. Several high-enforcement states trigger an independent CPA audit requirement at specific revenue levels — California's threshold has historically been around $2M in gross revenue; New York's has been around $1M. These thresholds change. Confirm the current numbers with each state's Attorney General office before filing.

What disclosures does every donation page need?

There is a federal baseline that applies everywhere, plus state-specific mandated language for a small number of states that you should treat as your minimum.

Federal baseline (IRS Section 6115 and Publication 1771):

• Tax-deductibility statement on receipts: a written acknowledgment of any single contribution of $250 or more, stating the amount of cash and a description of any non-cash property.
• Quid pro quo disclosure: if a donor receives goods or services in exchange for a contribution of $75 or more, the receipt must state the deductible amount (contribution minus the fair market value of goods/services received).
• Organization legal name, EIN, and 501(c)(3) status, ideally visible in the page footer as well as on the receipt.

State-specific disclosures (a non-exhaustive sample, current as of 2026 — verify each state's current language before publishing):

• Florida: "A COPY OF THE OFFICIAL REGISTRATION AND FINANCIAL INFORMATION MAY BE OBTAINED FROM THE DIVISION OF CONSUMER SERVICES BY CALLING TOLL-FREE WITHIN THE STATE..." (mandated language).
• New York: Specific solicitation disclosures plus the financial-report-on-request statement.
• Washington: Required statement that the registration with the Secretary of State does not constitute an endorsement.

On top of these, modern donation pages should also include privacy and data disclosures: a cookie consent banner that satisfies CCPA (California) and the EU GDPR if international donors land on the page, plus a clearly linked privacy policy explaining how donor data is stored and shared.

Does my donation platform handle compliance for me?

No. Stripe, Meta, GoFundMe, peer-to-peer platforms, and DAF sponsors each handle a specific slice of the data flow, but none of them register your nonprofit in any state on your behalf.

This is the single most common misunderstanding we see in compliance audits. Where the money flows determines who is responsible for what:

• Embedded donation forms (Stripe, Donorbox, Classy embedded on your site): your nonprofit is the merchant of record. You are responsible for state registration, IRS substantiation receipts, and disclosure language. The platform processes the payment and helps you report; it does not file for you.
• Meta / Facebook fundraisers: Meta collects donations through its own foundation (Network for Good or PayPal Giving Fund, depending on the year) and disburses to the nonprofit. The fundraiser donor's receipt comes from Meta's intermediary, not from your org. Your nonprofit's registration obligations still apply for the underlying solicitation if you promote the fundraiser, but the receipt and donor-data flow differs.
• Peer-to-peer platforms (Classy, Bonterra, Givebutter, Funraise): typically pass donations through to the nonprofit as merchant of record, so the same state registration and disclosure rules apply as embedded forms.
• Donor-advised funds (DAFs): the DAF sponsor (Fidelity Charitable, Schwab Charitable, Vanguard Charitable, community foundations) is the legal donor of record. The individual donor recommended the grant. The nonprofit acknowledges the DAF, not the individual, for tax purposes — though the individual often expects acknowledgment too.
• Crypto donations: typically processed through a specialized intermediary (Engiven, The Giving Block) that handles the conversion and disbursement; the nonprofit still owes substantiation receipts and any applicable state registration.

What does the annual compliance cycle look like?

Compliance is not a launch task. It is an annual cycle: inventory, file, disclose, track, renew, review.

The nonprofits we audit who keep this clean treat compliance as a recurring six-step cycle, not a one-time project:

1. Inventory donors by state. Pull last year's gross contributions and unique donor counts segmented by donor billing address. This is the data that determines where you must register.
2. File initial registrations in any state where you crossed a threshold and are not yet registered.
3. Maintain disclosure text on the donation page, receipt template, and any mandated state language. Update when a state changes its rule (Washington and Florida have updated mandated language in recent years).
4. Track gross contributions per state throughout the year. This sits in your CRM, not in the donation platform.
5. Prepare renewals and required audits at the right time. Most states have annual renewals due 4–6 months after the close of your fiscal year. CA and NY may require an independent CPA audit; budget the time and cost.
6. Review the calendar. Build the next year's compliance calendar in December for the year ahead. State Attorney General sites occasionally change form numbers, fees, and submission portals.

Center for Transforming Lives, a Fort Worth nonprofit serving more than 3,000 single mothers and their children a year, runs this kind of cycle as part of its annual operations — the same discipline that produces a clean Form 990 produces clean state registration filings.

What are the most common compliance mistakes?

The pattern we see most often in audits: nonprofits get the launch right and the renewals wrong.

The compliance mistake that costs nonprofits the most isn't usually a missed initial registration. It's a missed renewal that quietly lapses, and then a state Attorney General office reaches out about three years of unreported solicitation in their state. By the time we are auditing the donation page, the problem started in an unrelated calendar entry that nobody owned.

— Brent Lafreniere, Digital Director

The mistakes that show up over and over in the audits we run:

• Treating registration as a one-time event. The initial filing is the easiest part. Renewals are where compliance lapses.
• Assuming the platform handles it. Stripe, Donorbox, Classy, and Meta do not file state registrations for you. They process payments.
• Missing the state-mandated disclosure language after a state updates its requirement. Florida, New York, and Washington have all updated their language in recent years.
• Letting donor data drift away from registration data. If your CRM doesn't reliably show gross contributions by donor state, you can't tell where you need to register, and your annual filings get sloppy.
• Forgetting that promoted Meta fundraisers count as solicitation for the state the donor is in, even though the receipt comes from Meta's intermediary.
• Skipping the cookie / privacy disclosures. CCPA and GDPR are not state registration, but they are real compliance regimes with their own penalties.

From a CMS and platform perspective, the fix is structural: build the disclosure blocks into the donation page template once, and don't rely on staff to remember to paste them in. Build the per-state contribution report into the CRM dashboard so the renewal cycle isn't a guessing game. The tooling exists; most nonprofits just haven't connected it.

— Murad Bushnaq, CEO & Creative Director

How do I track compliance-related data without making the audit harder?

The analytics setup that helps you comply is also the analytics setup that doesn't get you in trouble for over-collecting donor data.

The compliance-friendly analytics stack is mostly about restraint. Use server-side tagging where you can. Honor consent state in GA4 events. Don't pass personally identifiable information into analytics tools. The same hygiene that satisfies CCPA and GDPR also produces cleaner reports for compliance reviews. Over-collection is a liability now, not an asset.

— Steven Calibo, Digital Strategist

Practical guidance from the analytics side:

• Use Google Analytics 4 with consent mode so visitors who decline tracking aren't passed through to analytics.
• Never pass PII (name, email, address) into GA4 event parameters. If a state Attorney General ever asks how you handle donor data, "we don't put it in analytics" is the right answer.
• Use the CRM as the system of record for donor state, gross contributions, and any data that informs registration. The donation platform exports get reconciled into the CRM weekly or monthly.
• Build a per-state contribution dashboard that updates automatically each month. This is what the executive director should see when deciding whether to add new state registrations.

Reviewed by our team

This guide was built from compliance audits we have run across our nonprofit client base, including organizations like Mercy USA, Engineers Without Borders USA, HomeFront, Fredericksburg Regional Food Bank, and Center for Transforming Lives. Each reviewer below brings a different lens.

Common questions about nonprofit fundraising compliance

Does my nonprofit have to register in every state my donors come from?

If you actively solicit donations from residents of a state — through your website, social media, email, or events — you almost certainly need to register there. The Charleston Principles (NASCO guidance) provide the framework. In practice, most national nonprofits register in 40 or more states plus DC. About 10 states are either conditional or do not require registration.

What are the Charleston Principles?

The Charleston Principles are guidance from the National Association of State Charity Officials (NASCO) on when online solicitation triggers a state's registration requirement. They are not binding law in every state, but most state regulators apply them as the operating framework for online fundraising.

How much does charitable solicitation registration cost?

Initial registration fees typically range from $25 to $300 per state, with annual renewals usually between $0 and $200+ depending on the state and your nonprofit's gross contributions. High-enforcement states may also require an independent CPA audit at specific revenue thresholds — an additional several thousand dollars per year. Confirm current fees with each state's Attorney General office.

What happens if my nonprofit does not register?

Penalties vary by state and range from fines to cease-and-desist orders to loss of state-level tax exemption. Several state Attorneys General have publicly pursued enforcement actions against nonprofits soliciting in their state without registering. Beyond legal risk, grantmakers and watchdog rating agencies (Charity Navigator, GuideStar, BBB Wise Giving) factor compliance into their evaluations.

Does Stripe, Meta, or GoFundMe handle compliance for my nonprofit?

No. Payment processors and platforms handle payment processing, fraud screening, and (in some cases) issuing receipts on behalf of an intermediary foundation. None of them file state registrations for you, draft your disclosure language, or determine where you must register. The nonprofit is responsible for its own compliance.

What is the most common compliance mistake nonprofits make?

Treating registration as a one-time launch task instead of an annual cycle. The initial filing is usually fine. The renewals lapse two or three years later, and a state Attorney General office eventually asks about the unreported solicitation in their state. Building a recurring six-step compliance calendar (inventory, file, disclose, track, renew, review) prevents almost all of it.

Want a free compliance audit of your current donation page and disclosure setup?

Our team runs the same audit framework on prospect sites that we use for our clients. We will review your donation page disclosures, your state registration coverage, your platform configuration, and your CRM data hygiene, then send back a prioritized punch list with the highest-risk gaps and the quickest fixes.

Request a free nonprofit compliance audit

Explore more nonprofit compliance and trust resources:

The Nonprofit Website Trust Checklist: 27 Things Donors Check Before Giving. The companion piece on what donors actually look for on your site before they give.

The Best Nonprofit CMS: 5 Essential Features to Look For. How to evaluate the platform underneath your donation page.

What is Website Accessibility? WCAG compliance for nonprofit websites — the other compliance regime most boards forget about.