Nonprofit websites are riddled with ad trackers

Such organizations often deal in sensitive issues—and many are feeding data about site visitors to corporations

State-level privacy laws miss nonprofits

While health data is governed by HIPAA, and FERPA regulates educational records, there are no federal laws governing how websites track their visitors. Recently, a few states—California, Virginia, and Colorado—have enacted consumer privacy laws that require companies to disclose their tracking practices and allow visitors to opt out of data collection.

But nonprofits in two of those states, California and Virginia, don’t need to adhere to the regulations.

Sen. Ron Wyden (D-OR), who has proposed his own federal privacy legislation, said that nonprofits accrue a large amount of potentially sensitive data.

“Nonprofits store incredibly personal information about things we’re passionate about, from political causes and social views to which charitable causes we care about,” Wyden said in an emailed statement. “If a data breach reveals someone donates to a domestic violence support group or an LGBTQ rights organization or the name of their mosque, any of that information could be incredibly private.”

Nonprofit leaders, however, argue that they lack the infrastructure and funding to comply with privacy law requirements and must gather and share information on donors in order to survive.

“One of the most substantive and impactful uses of data by nonprofits has been our fundraising,” said Shannon McCracken, the CEO of The Nonprofit Alliance, an advocacy group made up of nonprofits and businesses. “Without the ability to cost-effectively reach prospective new donors and current donors, then nonprofits can’t continue to be as impactful as they are today.”

But purposeful or not, privacy experts say, nonprofits are feeding personal information to data brokers and tech giants like Facebook and Google.

“A nonprofit might share your phone number and name with LiveRamp. Tomorrow, a for-profit entity can then reuse that same data to target you,” said Ashkan Soltani, a privacy expert and former chief technologist at the Federal Trade Commission. “The data flows that go into these third-party aggregators and data brokers come often from nonprofits as well.”

Soltani, who was appointed executive director of the California Privacy Protection Agency on Oct. 4, helped draft the California Consumer Privacy Act, which was originally introduced with the nonprofit exemptions.

Many major nonprofits work with data brokers to help organize and analyze their data, Jan Masaoka, CEO of the California Association of Nonprofits, said.

“People that have big donor lists use them extensively, pretty much all of them use one of the services,” Masaoka said. “They don’t keep it in-house, pretty much everybody keeps it with one of these services.”

She noted that Blackbaud is a company that nonprofits often turn to. The registered data broker’s marketing material promotes a co-op database that combines donor data from more than 550 nonprofits with public information on millions of households.

Blackbaud didn’t respond to a request for comment.

Because of a lack of funds, nonprofits also rely on third-party platforms—which also happen to be data brokers—to manage their data’s security and privacy, McCracken said. But these kinds of companies aren’t immune to cyberattacks either: Blackbaud disclosed a ransomware attack in 2020 in which hackers stole passwords, Social Security numbers, and banking information, according to a Securities and Exchange Commission filing. Hundreds of charitable organizations, schools, and hospitals were affected, along with more than 13 million people, according to the Identity Theft Resource Center.

“They rely on this kind of problematic ecosystem to achieve their work, and as a result, they share number lists, email addresses, or browsing behavior with third-party advertising companies and subject their members to risk,” Soltani said.

The exception

Unlike its predecessors in California and Virginia, Colorado’s privacy bill doesn’t have an exemption for nonprofits.

In both California and Virginia, the bills’ main supporters gave nonprofits an exemption as a political maneuver. Alastair Mactaggart, a real estate developer and founder of Californians for Consumer Privacy, who was the driving force behind the California Consumer Privacy Act, said his proposal was already facing opposition from tech giants and he didn’t want a political showdown with nonprofits, too.

“You gotta take the first step, so we figured this was the one that would be the easiest to bounce off,” Mactaggart said. “Eventually, I hope that the big nonprofits are included as well.”

David Marsden, the state senator who introduced the Virginia Consumer Data Protection Act, echoed that sentiment, reflecting that the law wasn’t perfect but still a good start.

“Does this pick up everybody that it should, or exempt everybody who needs an exemption? Probably not, but it comes pretty close,” Marsden said. “We were able, with this bill, to get it passed without people getting up and objecting to what we were trying to do.”

Colorado state senator Robert Rodriguez, who co-sponsored the state’s privacy bill, said he didn’t include an exemption for nonprofits because he felt that any entity that had data on more than 100,000 people should have to follow privacy protections. He also didn’t understand why other states had exemptions.

“Someone that has over 100,000 records is a good size,” he said in an email. “They should have some protections or requirements to follow.”

This article by Alfred Ng and Maddy Varner was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.

Story by The Markup
