Online Privacy for Nonprofits: A Guide to Better Practices – EFF

If you work at a nonprofit or civil society group, you can help protect the digital privacy of your clients and supporters in a number of ways. Not all of the advice may apply to you, but all of the principles should be helpful for thinking about how to move towards better privacy practices. 
This guide is intended for organizations to improve their privacy practices, with particular respect to marketing and analytics. But because many organizations may also want to consider privacy practices more holistically, our first two principles and steps should be widely applicable regardless of what tracking you may be doing.
Approach this as a necessary exercise with your team and ask yourselves: What data do we have that’s private or ought to be protected? Who do we want to protect the data from? How likely is it we will need to protect that data? And lastly, what are the consequences if we fail? This short guide will walk you through how you might think about who your data may need to be protected from, and why.  
It helps to start by thinking about the basics. Who has access to user or supporter data? Is that data encrypted in transit and at rest? Do you have strong, unique passwords protecting the accounts that can access this data? Is two-factor authentication turned on for platforms where it’s possible? And we’re not even touching everything here: there’s a lot to factor in for data security. If you’re new to any of these terms, we recommend reading at least a few of the guides linked below. If you work at a larger organization or outsource tech work, ask your tech support and web development teams about what protections exist for user data.
For many companies, “collect it all, we’ll figure out how to monetize it later” is the guiding data collection practice. But for nonprofits that care about respecting user privacy, we recommend the opposite approach: if you aren’t using the data, you likely don’t need it.
As an example, many mailing platforms make it easy to “split” test, or “A-B” test, different versions of an email, to see which is most effective. To determine this, they generally employ a variety of tracking methods. Invisible tracking pixels inside of emails are used to tell a mailing platform the IP address of the recipient and the time of day that an email was opened. Links in emails automatically include a redirect that allows the platform to determine which IP clicked which link, when, and how often. Among other things, this also lets a client automatically send additional emails to recipients who do, or don’t, open or click certain emails. But if you aren’t using A-B testing, and you aren’t using automated follow up emails, it is less important to use these features and collect this data.
Many, many sites, organizations, companies, and people don’t use anywhere near all the data that they collect for any real insights. It’s simply a default, and the most popular analytics tools, like Google Analytics, and the most popular mailing platforms, like Mailchimp or ActiveCampaign, implement these sorts of tracking automatically. Using the most common web tools, unfortunately, means that even a privacy-focused organization is likely collecting (or contributing to the collection of) huge amounts of data about their users. While many companies and organizations would be satisfied with anonymous, aggregate data about their website visitors, or getting general insights about email usage rather than granular data about each specific recipient, these unfortunately aren’t options in most tools. We list some of the ways to turn on these features below.
If you’re going to collect data, consider using anonymous defaults where you can: Imagine you want to know where traffic to your website comes from, or how many people click a link in an email that you send. You can still learn this while respecting user privacy. Switching to aggregate, anonymized options for visitor counting will still tell you how many people came to your site from another site. Appending parameters to links in an email can usually tell you how many recipients clicked the link, without homing in on who specifically clicked it, or when. When EFF is interested in knowing how many people click a link in our email that goes back to our website, we can add a parameter—like “?utm_source=JuneEFFector”—to that link, and find that out via our otherwise anonymous analytics tool.
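Here is what that campaign-parameter approach looks like in practice. This is an added example, not EFF’s own tooling: it tags outbound links with a utm_source value and then tallies requests per campaign using nothing but the requested URL, so no IP address, cookie, or click time is ever recorded. The example.org links and the sample request list are constructed for illustration.

```python
"""Aggregate campaign-link counting without identifying who clicked.

Added example (not EFF's code). Pattern from the guide: tag links in an
email with a campaign parameter such as ``?utm_source=JuneEFFector`` and
count clicks per campaign, keeping no per-recipient identifier, IP address
or click timestamp.
"""
from collections import Counter
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse


def tag_link(url: str, source: str) -> str:
    """Append utm_source to a link, preserving any existing query string."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["utm_source"] = [source]          # overwrite if already present
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def count_clicks_by_source(requested_urls):
    """Count requests per utm_source.

    The only input is the URL path+query the server saw, so nothing about
    the visitor (IP, cookie, user agent, time) can enter the tally.
    """
    counts = Counter()
    for url in requested_urls:
        source = parse_qs(urlparse(url).query).get("utm_source", ["(none)"])[0]
        counts[source] += 1
    return dict(counts)


# Constructed sample: URLs a web server might see after a mailing went out.
SAMPLE_REQUESTS = [
    tag_link("https://example.org/action?id=42", "JuneEFFector"),
    tag_link("https://example.org/action?id=42", "JuneEFFector"),
    tag_link("https://example.org/blog/post", "JuneEFFector"),
    "https://example.org/blog/post",        # direct visit, no campaign tag
]

if __name__ == "__main__":
    print(tag_link("https://example.org/action?id=42", "JuneEFFector"))
    print(count_clicks_by_source(SAMPLE_REQUESTS))
```

Because the tag is the same for every recipient of a given mailing, the server can only learn "three clicks came from the June mailing," never which subscriber produced them; that is the difference between this and a per-recipient redirect link.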
As another example, The Internet Archive found that while they preferred to use no open tracking in their emails to subscribers, too many unreachable email addresses had been added to their list over the years, and some email addresses had even become spam traps. To continue working with their email service provider, they needed to activate some tracking. They needed email open data to know whether an email address was still active or not; but they didn’t need or want gender, age, or demographic data. They settled on informing users that their email open rates are being tracked, and offering the alternate option to sign up for plain-text versions of their emails, which won’t transmit any data at all.
If you do collect data, consider automatically deleting it as often as reasonable. As an example, it can be helpful for us at EFF to know what parts of our site are popular, and to have some logs to respond to issues or bugs. Still, we assume we only need detailed data for seven days to deal with these, and by default we only store visitor IPs while actively troubleshooting. Otherwise, we generally only log (again, for up to seven days) a single byte of the IP address, as well as the referrer page, time stamp, page requested, user agent, language header, website visited, and a hash of all of this information. After seven days we keep only aggregate information from these logs, which gives us basic information about what pages are being viewed and where users came from. We also geolocate IP addresses before anonymizing them and store only the country. 
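To make the seven-day policy concrete, here is an added example of a log minimization step, written for this guide and not EFF’s actual logging pipeline. It assumes access logs in the common combined format with an extra Accept-Language field, stands in for a real IP-to-country database with a constructed lookup table, keeps only the first byte of the IP address together with the fields the paragraph lists plus a hash of them, and, once a record is older than seven days, keeps only aggregate counts. The log lines, addresses and timestamps are constructed.

```python
"""Log minimization in the spirit of the guide's seven-day policy.

Added example, not EFF's logging pipeline. Assumptions: combined-format
access logs with a trailing Accept-Language field, a constructed
IP-to-country table, and a 7-day retention window.
"""
import hashlib
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7)

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"'
)

# Constructed stand-in for a real IP-to-country database (keyed by /24).
COUNTRY_TABLE = {"203.0.113": "AU", "198.51.100": "DE", "192.0.2": "US"}


def country_for(ip):
    return COUNTRY_TABLE.get(ip.rsplit(".", 1)[0], "ZZ")


def truncate_ip(ip):
    """Keep only the first byte of an IPv4 address."""
    return ip.split(".")[0] + ".0.0.0"


def anonymize(line, site="www.example.org"):
    """Turn one raw access-log line into the minimized record we retain."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    record = {
        "ip_prefix": truncate_ip(m["ip"]),
        "country": country_for(m["ip"]),   # geolocate before discarding the IP
        "referrer": m["referrer"],
        "timestamp": ts,
        "page": m["path"],
        "user_agent": m["ua"],
        "language": m["lang"],
        "site": site,
    }
    digest_input = "|".join(str(record[k]) for k in sorted(record))
    record["hash"] = hashlib.sha256(digest_input.encode()).hexdigest()
    return record


def apply_retention(records, now):
    """Keep detailed records within the window; reduce older ones to counts."""
    keep, expired = [], []
    for r in records:
        (keep if now - r["timestamp"] <= RETENTION else expired).append(r)
    aggregates = {
        "pages": Counter(r["page"] for r in expired),
        "referrers": Counter(r["referrer"] for r in expired),
        "countries": Counter(r["country"] for r in expired),
    }
    return keep, aggregates


# Constructed sample log lines (documentation/test addresses only).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2022:10:00:00 +0000] "GET /issues/privacy HTTP/1.1" 200 5120 "https://example.net/" "Mozilla/5.0" "en-US,en;q=0.9"',
    '198.51.100.23 - - [03/Aug/2022:12:30:00 +0000] "GET /deeplinks HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "de-DE"',
    '192.0.2.9 - - [10/Aug/2022:09:15:00 +0000] "GET /issues/privacy HTTP/1.1" 200 5120 "https://example.net/" "curl/7.81" "-"',
]
NOW = datetime(2022, 8, 11, tzinfo=timezone.utc)

if __name__ == "__main__":
    detailed, totals = apply_retention([anonymize(l) for l in SAMPLE_LOG], NOW)
    print(len(detailed), "detailed records kept")
    print(dict(totals["pages"]), dict(totals["countries"]))
```

The geolocation call runs while the full address is still in hand and only the country survives; the raw line itself is never written anywhere by this code, which is the property to check in your own pipeline.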
For analytics, we use an open source platform called Matomo that has privacy-protective options, like data anonymization and automatic log deletion, which is free if it’s self-hosted. There are plenty of other free and paid platforms available with similar privacy protections. (This is not an endorsement of any particular tool—it’s just a note that we use such tools, and you should be able to find one that suits your purpose.)
Regardless of what you’re collecting, the data should have a clear expiration date, and you should not collect or store supporter or visitor data you don’t actually need.
Websites, social media platforms, and all sorts of other online tools silently sweep up huge amounts of information after “informing” users in lengthy terms of service or legalistic privacy policies, or in misleading popups that imply data collection is either required or good for the user. Key to keeping your visitors’ data safe is letting them know what information you are collecting, in clear and certain terms. Eliminate “dark patterns” that might lead users into saying “yes, please collect my data,” without really meaning it, or that push for a certain choice. Then make it clear to users who are (for example) signing up for an email list, or just visiting your site, how you’re protecting their privacy, or how any data collection you’re doing works. They’ll thank you for it.  
Don’t share the data you collect more than necessary, and only with trusted and vetted partners. Before you share data with anyone, you should set up guidelines for how that data will be handled, and you should consider setting up your own guidelines as well. If you use third-party software to store your data, confirm how that data is handled, and change the default to be more privacy-protective if possible. If you partner with other organizations, ask them about their privacy and data protection policies. If you upload donor lists to Facebook for ad targeting as a way to find similar people or to advertise to those donors, remember that this is risky, and could give more information to Facebook than they already have.
If you manage your own website and email list, you should be able to follow many of the below tips yourself. However, a few of the suggestions can be difficult without some technical knowledge, so if you have a marketing or web team (or an “accidental techie” who manages this) you might instead pass these instructions on to them. 
An easy way to get started is to simply install EFF’s Privacy Badger browser extension to see what tracking your site uses. Remember: What we call tracking a lot of platforms and sites call analytics. But to show you that data, they have to collect it. 
Note: these recommendations were written in August of 2022. How things are tracked often changes, and if you find that any of these suggestions are inadequate or no longer effective, please let us know by emailing [email protected]. We hope to make a revision with suggestions.
Online advertising is often extremely privacy invasive. The best thing you can do for privacy is to opt your organization out of the online surveillance ecosystem. But if you can’t do that entirely, you can rethink how you track the effectiveness of the ads you use, and what tracking is required to do so. 
Websites are likely where many users first interact with your organization. Because of this, they have the potential to collect an enormous amount of data on a wide variety of people interested in your mission–or to set a precedent for users by incorporating strong privacy.
Many mailing platforms track who opens emails and who clicks on links inside of them by default, to give you insight into how ‘popular’ your emails are, or to trigger actions (it is possible to condition emails to be sent only to those who do, or don’t, click or open other emails). This tracking can even collect the rough location of email readers, potentially down to the street address.
In fact, this tracking has become ubiquitous. One report showed that two-thirds of emails received by users contained a spy pixel to track interactions. The information these trackers collect can sometimes be useful, but people on your email list deserve to hear from you without giving up their privacy. It’s unlikely that you can manage an email list without sharing your subscribers’ email information with your email service provider, but you can protect their privacy by minimizing the amount of information secretly collected by the emails that you send. 
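The tracking pixels and redirect links described here, and earlier in the A-B testing discussion, can be spotted in the HTML your mailing platform actually sends. The following is an added audit script, not EFF’s or any mailing platform’s code: it flags images that look like open-tracking pixels (1x1 or hidden), remote images hosted by a third party (each load reveals an open), and links routed through a host other than your own (click redirects). The sample email, and the example.org and mailer-example.com hosts in it, are constructed.

```python
"""Audit an HTML email for the tracking the guide describes.

Added example, not EFF's or any mailing platform's code. Flags:
  - tracking_pixels: remote images that are 1x1/zero-sized or hidden
  - third_party_images: other remote images not on the sender's own hosts
  - redirect_links: links whose host is not one of the sender's own hosts
The sample email and hostnames are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE = ("http://", "https://")


class EmailTrackingAuditor(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.tracking_pixels = []
        self.third_party_images = []
        self.redirect_links = []

    def _foreign(self, url):
        host = (urlparse(url).hostname or "").lower()
        return host not in self.own_hosts

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attrs become ""
        if tag == "img":
            src = a.get("src", "")
            if not src.startswith(REMOTE):
                return                          # inline/cid images load nothing
            tiny = a.get("width", "").strip() in ("0", "1") or \
                   a.get("height", "").strip() in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            if tiny or hidden:
                self.tracking_pixels.append(src)
            elif self._foreign(src):
                self.third_party_images.append(src)
        elif tag == "a":
            href = a.get("href", "")
            if href.startswith(REMOTE) and self._foreign(href):
                self.redirect_links.append(href)


def audit_email(html, own_hosts):
    """Return the tracking elements found in an HTML email body."""
    p = EmailTrackingAuditor(own_hosts)
    p.feed(html)
    p.close()
    return {
        "tracking_pixels": p.tracking_pixels,
        "third_party_images": p.third_party_images,
        "redirect_links": p.redirect_links,
    }


# Constructed sample: one clean link and one of each tracking element.
SAMPLE_EMAIL = """
<html><body>
<img src="https://example.org/logo.png" width="200" height="60" alt="logo">
<p>Read our <a href="https://example.org/blog/post?utm_source=JuneNewsletter">latest post</a>.</p>
<p>Or <a href="https://click.mailer-example.com/r/abc123?u=recipient-42">donate today</a>.</p>
<img src="https://track.mailer-example.com/open/recipient-42.gif" width="1" height="1" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for kind, found in audit_email(SAMPLE_EMAIL, ["example.org"]).items():
        print(kind, found)
```

Run it against the HTML of a test send from your platform; an empty result for all three lists is what a plain-text or untracked mailing should produce, and the campaign-tagged example.org link is correctly left alone because it stays on your own host.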
Servers for your website regularly process and collect data on your website’s visitors, but with some technical know-how, you can control how this is done.
There are also steps users can take to protect their online privacy directly. You may want to offer this advice to them, if appropriate:
All of the steps it takes to become a more privacy-protective organization can seem overwhelming. It’s outrageous that a nonprofit interested in protecting privacy must jump through so many hoops to do so. Unfortunately, much of the online ecosystem has been built to monetize information, rather than protect it. And because the privacy practices we discuss here generally protect not the organizations who are direct customers of these ad tech, email, and website companies, but the people who visit and/or support the organization via its website, these infrastructure companies often don’t see privacy as their priority. But it should be.
Platforms should offer simple privacy settings, and assume users want them on by default. Rather than force users to navigate through complicated menus, or make changes for every email blast they send—or worse, navigate to other platforms entirely—infrastructure companies should make it clear and easy to turn off data collection, or turn on anonymous, aggregate collection. They should also be up front about what data is collected, both with their users and with the resulting emails or websites that include those tracking methods.
If you agree, you can help: ask the companies you work with to offer better privacy options. Features don’t get added without demand, so let’s demand it.
This list is just a starting point. It’s impossible to be comprehensive of all the ways that tracking should be minimized, especially as technology changes and new tracking methods are created. It’s also likely that we’ve missed some obvious tips or issues. If you find that any of these suggestions are inadequate or no longer effective, if you have suggestions or tools that have helped you protect privacy, or if you think we’ve gotten something wrong, we’d love to hear from you! Send an email to [email protected] with more information, and thank you for joining us! We hope to offer revisions down the road.
Also, if you have had success with these or other privacy-protecting tips at your organization, please let us know! We’d like a future version of this guide to include case studies and examples. This is a first draft of recommendations as of August 2022, and we hope to offer a revision with more information.