Principles for A Privacy-Protective Organization:

If you work at a nonprofit or civil society group, you can help protect the digital privacy of your clients and supporters in a number of ways. Not all of the advice may apply to you, but all of the principles should be helpful for thinking about how to move towards better privacy practices. 

If you’re a small organization or just getting started thinking about privacy:

This guide is intended for organizations to improve their privacy practices, with particular respect to marketing and analytics. But because many organizations may also want to consider privacy practices more holistically, our first two principles and steps should be widely applicable regardless of what tracking you may be doing.

Create a security plan:

Approach this as a necessary exercise with your team and ask yourselves: What data do we have that’s private or ought to be protected? Who do we want to protect the data from? How likely is it we will need to protect that data? And lastly, what are the consequences if we fail? This short guide will walk you through how you might think about who your data may need to be protected from, and why.  

Take stock of what protections are already in place, and what protections need to be added:

It helps to start by thinking about the basics. Who has access to user or supporter data? Is that data encrypted in transit and at rest? Do you have strong, unique passwords protecting the accounts that can access this data? Is two-factor authentication turned on for platforms where it’s possible? And we're not even touching everything here: there's a lot to factor in for data security. If you're new to any of these terms, we recommend reading at least a few of the guides linked below. If you work at a larger organization or outsource tech work, ask your tech support and web development teams about what protections exist for user data.

If you are a more resourced organization, or one that knowingly collects marketing or user information:

Only collect data you actually use:

For many companies, “collect it all, we’ll figure out how to monetize it later” is the guiding data collection practice. But for nonprofits that care about respecting user privacy, we recommend the opposite approach: if you aren’t using the data, you likely don’t need it.

As an example, many mailing platforms make it easy to “split” test, or “A-B” test, different versions of an email, to see which is most effective. To determine this, they generally employ a variety of tracking methods. Invisible tracking pixels inside of emails are used to tell a mailing platform the IP address of the recipient and the time of day that an email was opened. Links in emails automatically include a redirect that allows the platform to determine which IP clicked which link, when, and how often. Among other things, this also lets a client automatically send additional emails to recipients who do, or don’t, open or click certain emails. But if you aren’t using A-B testing, and you aren’t using automated follow up emails, it is less important to use these features and collect this data.

Many, many sites, organizations, companies, and people don’t use anywhere near all the data that they collect for any real insights. It’s simply a default, and the most popular analytics tools, like Google Analytics, and the most popular mailing platforms, like Mailchimp or ActiveCampaign, implement these sorts of tracking automatically. Using the most common web tools, unfortunately, means that even a privacy-focused organization is likely collecting (or contributing to the collection of) huge amounts of data about their users. While many companies and organizations would be satisfied with anonymous, aggregate data about their website visitors, or getting general insights about email usage rather than granular data about each specific recipient, these unfortunately aren’t options in most tools. We list some of the ways to turn on these features below.

If you’re going to collect data, consider using anonymous defaults where you can: Imagine you want to know where traffic to your website comes from, or how many people click a link in an email that you send. You can still learn this while respecting user privacy. Switching to aggregate, anonymized options for visitor counting will still tell you how many people came to your site from another site. Appending parameters to links in an email can usually tell you how many recipients clicked the link, without homing in on who specifically clicked it, or when. When EFF is interested in knowing how many people click a link in our email that goes back to our website, we can add a parameter—like “?utm_source=JuneEFFector”—to that link, and find that out via our otherwise anonymous analytics tool.

As another example, The Internet Archive found that while they preferred to use no open tracking in their emails to subscribers, too many unreachable email addresses had been added to their list over the years, and some email addresses had even become spam traps. To continue working with their email service provider, they needed to activate some tracking. They needed email open data to know whether an email address was still active or not; but they didn’t need or want gender, age, or demographic data. They settled on informing users that their email open rates are being tracked, and offering the alternate option to sign up for plain-text versions of their emails, which won't transmit any data at all.

Rethink your data retention policy:

If you do collect data, consider automatically deleting it as often as reasonable. As an example, it can be helpful for us at EFF to know what parts of our site are popular, and to have some logs to respond to issues or bugs. Still, we assume we only need detailed data for seven days to deal with these, and by default we only store visitor IPs while actively troubleshooting. Otherwise, we generally only log (again, for up to seven days) a single byte of the IP address, as well as the referrer page, time stamp, page requested, user agent, language header, website visited, and a hash of all of this information. After seven days we keep only aggregate information from these logs, which gives us basic information about what pages are being viewed and where users came from. We also geolocate IP addresses before anonymizing them and store only the country. 

For analytics, we use an open source platform called Matomo that has privacy-protective options, like data anonymization and automatic log deletion, which is free if it’s self-hosted. There are plenty of other free and paid platforms available with similar privacy protections. (This is not an endorsement of any particular tool—it’s just a note that we use such tools, and you should be able to find one that suits your purpose.)

Regardless of what you’re collecting, the data should have a clear expiration date, and you should not collect or store supporter or visitor data you don’t actually need.

Tell Users what data you’re collecting and why:

Websites, social media platforms, and all sorts of other online tools silently sweep up huge amounts of information after “informing” users in lengthy terms of service or legalistic privacy policies, or in misleading popups that imply data collection is either required or good for the user. Key to keeping your visitors’ data safe is letting them know what information you are collecting, in clear and certain terms. Eliminate “dark patterns” that might lead users into saying “yes, please collect my data,” without really meaning it, or that push for a certain choice. Then make it clear to users who are (for example) signing up for an email list, or just visiting your site, how you’re protecting their privacy, or how any data collection you’re doing works. They’ll thank you for it.  

Don’t share the data unless you have to:

Don’t share the data you collect more than necessary, and only with trusted and vetted partners. Before you share data with anyone, you should set up guidelines for how that data will be handled, and you should consider setting up your own guidelines as well. If you use third-party software to store your data, confirm how that data is handled, and change the default to be more privacy-protective if possible. If you partner with other organizations, ask them about their privacy and data protection policies. If you upload donor lists to Facebook for ad targeting as a way to find similar people or to advertise to those donors, remember that this is risky, and could give more information to Facebook than they already have.


Actionable Recommendations For Respecting Digital User Privacy

If you manage your own website and email list, you should be able to follow many of the below tips yourself. However, a few of the suggestions can be difficult without some technical knowledge, so if you have a marketing or web team (or an “accidental techie” who manages this) you might instead pass these instructions on to them. 

An easy way to get started is to simply install EFF’s Privacy Badger browser extension to see what tracking your site uses. Remember: What we call tracking a lot of platforms and sites call analytics. But to show you that data, they have to collect it. 

Note: these recommendations were written in August of 2022. How things are tracked changes often, and if you find that any of these suggestions are inadequate or no longer effective, please let us know by emailing nonprofitprivacy@eff.org. We hope to make a revision with suggestions.

Advertising:

Online advertising is often extremely privacy invasive. The best thing you can do for privacy is to opt your organization out of the online surveillance ecosystem. But if you can’t do that entirely, you can rethink how you track the effectiveness of the ads you use, and what tracking is required to do so. 

Quick Ways to Protect Privacy:

  • Check to see if your site has ad trackers installed. You can use EFF’s Privacy Badger tool to do this. For even more detailed information on trackers on your site, you can use The Markup’s Blacklight Tool. (Note that not all results are something to worry about—you should look carefully into the results to determine if they are collecting or sharing sensitive data. For example, some sites that use software to allow users to copy form data from one form field to another, such as reusing your contact information in a shipping address field, may appear in Blacklight as “We found this website capturing user keystrokes.”)
  • Facebook tracking pixels send Facebook detailed information about the actions that visitors on your site take, even if they aren’t logged in to Facebook. The Markup and Reveal recently released a report showing that of nearly 2,500 crisis pregnancy centers, at least 294 shared visitor information with Facebook, sometimes including information such as a visitor scheduling an appointment. The Markup also released a separate report criticizing Facebook for receiving medical information from hospital websites. This is dangerous, and unnecessary. EFF has used Facebook ads minimally in the past, and we have done so without adding any tracking to our site, or uploading our own list of supporters or donors to Facebook.
  • If for some reason it is necessary for you to use a Facebook pixel, you can reduce the amount of data it collects and transmits to Facebook in three ways:
    • First, only place the pixel on necessary or relevant pages, such as those with ongoing advertising traffic. Create a “wall” between all of the pages that collect supporter or client information and those that are landing pages for advertising you might be doing. This way, you can track the effectiveness of your advertising without using pixels or tracking code across your site.
    • Second, turn off Automatic Configuration, which stops button click and page metadata from being transmitted.
    • Third, make sure Advanced Matching is off. (This feature allows the tracking pixel to look for recognizable form fields and other sources on your website that contain information such as first name, last name and email address, and transmits that information along with the event, or action, that took place.)
  • Regardless of the previous tips, you should not upload lists of supporters or donors to Facebook or other advertising platforms. This is frequently done to create Custom or Lookalike audiences on an advertising platform, or to exclude supporters who have already expressed interest or donated from your ads. It can be difficult to know whether you are giving user data to a third-party platform that did not already have it, so it is best not to upload it, ever.

If you have complete control of your website, you should also:

  • Remove all Meta/Facebook pixels you have on your site.
  • Remove Google tracking code from your site, and do not use Google Adwords if you can help it. Google’s business model is heavily dependent on user surveillance. On their own, Google Adwords or Google Analytics may not be particularly invasive, but when connected to one another and implemented on billions of websites, Google is able to collect and store huge amounts of data about where individuals go on the web—including to your site. If requested, Google may be required to hand over this data to law enforcement. Try to transition to an advertising model that does not rely on surveillance. (For some organizations, this is admittedly easier said than done.)
  • Remember: A plethora of other ad trackers and cookies exist beyond Meta and Google. You likely aren’t using them without knowing that, though.


Websites:

Websites are likely where many users first interact with your organization. Because of this, they have the potential to collect an enormous amount of data on a wide variety of people interested in your mission–or to set a precedent for users by incorporating strong privacy.

Quick Ways to Protect Privacy:

  • Don’t use dark patterns. A “dark pattern” is a user interface that has been crafted to deliberately push someone into making a choice that they may not otherwise make. Every time a website pre-selects “Sign me up to the mailing list” on a checkout page, or includes a popup declaring that “Marketing cookies help us to improve your experience,” it is using a dark pattern to push you towards giving up your data. You can see examples of dark patterns here. Instead, we recommend making it crystal clear what you are asking a user to do, and what effect it may have on them, and always giving them the option to opt in to data collection, rather than opt out.
  • Check to see if your site functions properly when being viewed on a VPN, or consider setting up a Tor Onion mirror of your site.
  • Don’t use captchas if you can help it. These are often difficult to solve if someone is using a privacy-protective browser.

If you have complete control of your website, you should also:

  • Deactivate or delete privacy-invasive analytics tracking code, tracking pixels, and cookies, and switch to privacy-protective analytics tools. Want to know what country your visitors come from? That’s great! So do we. Luckily, you can do this without Google Analytics. But because of its ubiquity, Google Analytics is installed on many, many websites. At EFF, we instead use an open source analytics platform called Matomo, which has a variety of privacy-protective options like custom data retention periods and aggregate data collection that anonymizes the data while still offering plenty of metrics. (This is not an endorsement of any particular tool—it’s just a note that we use such tools, and you should be able to find one that suits your purpose.) There are plenty of other privacy-respecting analytics platforms out there that will give you the basic information you need, while protecting much more user privacy. While Google Analytics does have an anonymous IP setting, other analytics platforms allow significantly more control over data collection and retention settings. Again, you can learn more about the tracking on your site with EFF’s Privacy Badger tool.
  • Ensure your site functions if cookies are blocked entirely by the user. Rather than (for instance) demanding that the user select a language before showing any content, a website should pick a language from hints in the client’s HTTP headers, and fall back to a reasonable guess. If any tracking cookies are used on your site, all users should be given the option to opt into them; they should be off by default. That opt in should be as clear as possible. You can check whether or not your site functions without tracking cookies by installing EFF’s Privacy Badger.
  • Don’t collect form data before it’s submitted. You likely aren’t doing this, but some third-party forms and plugins intentionally hide what data they’re collecting from users. For example, some online forms collect data even before users hit submit. Don’t do this—it’s creepy, and it violates user consent. These are used, for example, to email people who never completed a checkout process or signed up for an account. The Markup’s Blacklight tool may tell you whether or not such software is installed on your site.
  • Be sure that you aren’t using advertising trackers as well. You may not realize these are even on your site. They should be removed or carefully reconsidered. (See Advertising above for more information.)
  • Reject user-hostile measures like browser fingerprinting, which is becoming more common as cookies become less functional. It’s unlikely you’re doing this without knowing it, unless you have certain ad tracking set up on your site.
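
One way to follow the language advice above without setting a cookie, as an added example that is not code from this guide: it reads the Accept-Language request header, honours its q weights, and falls back to a default. The function names and the supported-language list are assumptions of this example.

```python
def parse_accept_language(header):
    """Return language tags from an Accept-Language header, best first."""
    prefs = []
    for position, item in enumerate(header.split(",")):
        tag, _, params = item.strip().partition(";")
        tag = tag.strip().lower()
        if not tag:
            continue
        weight = 1.0  # a tag without q= has full weight
        params = params.strip()
        if params.startswith("q="):
            try:
                weight = float(params[2:])
            except ValueError:
                weight = 0.0  # malformed weight: treat the tag as not acceptable
        if 0 < weight <= 1:
            prefs.append((weight, position, tag))
    # Highest weight first; header order breaks ties.
    prefs.sort(key=lambda p: (-p[0], p[1]))
    return [tag for _, _, tag in prefs]


def choose_language(header, supported, default):
    """Pick a site language from the header alone; no cookie or prompt needed."""
    by_lower = {code.lower(): code for code in supported}
    for tag in parse_accept_language(header or ""):
        if tag == "*":
            return default  # the visitor accepts anything
        if tag in by_lower:
            return by_lower[tag]
        primary = tag.split("-")[0]  # "es-MX" can be served by "es"
        if primary in by_lower:
            return by_lower[primary]
    return default  # the "reasonable guess" when nothing matches


if __name__ == "__main__":
    # Constructed header values, assumed for illustration.
    site_languages = ["en", "es", "fr"]
    for value in ["es-MX,es;q=0.9,en;q=0.8", "de;q=0.8, fr;q=0.9", "", None]:
        print(repr(value), "->", choose_language(value, site_languages, "en"))
```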

If you’re using a third-party website builder, adjust the default analytics settings.

  • Squarespace, Weebly, and other tools have a built-in analytics system, but often you can simply turn these off if you don’t need the information. Unfortunately, some third-party website building tools don’t offer direct access to delete data that the site collects. Here’s what we’ve learned about Weebly, Wix, Squarespace, and Wordpress:
    • At this time, Weebly and Wix do not allow users to turn off data collection. (We reached out to Weebly and Wix support to confirm this.) You may be able to reach out directly to the company to delete data that your site has collected. If you are using one of these, consider switching to a website platform that does allow data collection to be turned off.
    • Squarespace does allow turning off tracking and analytics, which they call Activity Log and Analytics. From the “Home” section, you can go to Settings, and then “Cookies and Visitor Data.” From there, turn ON “Disable Squarespace Analytics Cookies” and turn OFF Activity Log.
    • Wordpress out of the box (aka “vanilla” Wordpress) does not come with analytics features. But many Wordpress installations often automatically collect analytics through a plugin called Jetpack. Deactivating and deleting Jetpack should turn off data collection. You can do this by visiting the Plugins section of the Admin settings inside your Wordpress installation. A variety of Wordpress plugins that collect and display analytics data with more privacy-protective options are available, but we have not carefully reviewed them. (Wordpress offers privacy suggestions for plugin developers that could also be applied to many nonprofits, as well.)


Email:

Many mailing platforms track who opens emails and who clicks on links inside of them by default, to give you insight into how ‘popular’ your emails are, or to trigger actions (it is possible to condition emails to be sent only to those who do, or don’t, click or open other emails). This tracking can even collect the rough location of email readers, potentially down to the street address.

In fact, this tracking has become ubiquitous. One report showed that two-thirds of emails received by users contained a spy pixel to track interactions. The information these trackers collect can sometimes be useful, but people on your email list deserve to hear from you without giving up their privacy. It’s unlikely that you can manage an email list without sharing your subscribers’ email information with your email service provider, but you can protect their privacy by minimizing the amount of information secretly collected by the emails that you send. 

Quick Ways to Protect Privacy:

  • You can track visits to your site from your emails in privacy-protecting ways. Turning off click tracking inside of your mail platform (like Mailchimp) doesn’t stop you from learning whether or not a link in an email to your own site is clicked. Instead, you can manually use UTM parameters in links in your emails, and most analytics platforms will allow you to view how users came to a page with that specific link. (For example, the link https://eff.org?utm_source=newsletter should tell us via our analytics platform how many visitors reached our homepage by clicking the link in the “newsletter.” You can simply add ?utm_source=email to links in your emails to see this information in your websites’ analytics platform.)
  • You can disable built-in email “open tracking” and “click tracking” in many popular mailing platforms, and should do so whenever you can. On some platforms this is difficult or impossible, however–if you aren’t sure how to do it, you may be able to contact support for your platform. It may also be possible to send plain text emails which (often, but not always) removes some tracking. Here’s what we learned about a few popular tools:
  • Mailchimp and EmailOctopus make not tracking your readers relatively painless. Here are instructions for turning off open tracking and click tracking in Mailchimp. Instructions for EmailOctopus are here.
    • Note: The Markup reported that Mailchimp, at least, has a probationary period during which turning off click tracking doesn’t immediately cause the click tracking to be turned off. You may want to send some test emails to confirm tracking is removed after disabling these features.
  • Other platforms like Campaign Monitor, Aweber, and SendGrid make it more difficult to turn off tracking, but it is possible.
  • GetResponse and SalsaLabs (which we spoke with via support), don’t seem to allow disabling tracking at all. The same is true for Constant Contact.
  • Not tracking email open rates can, unfortunately, sometimes cause list “hygiene” problems, because it becomes difficult to know whether email subscribers on your list are still interested. You can send occasional emails to ensure subscribers want to receive emails, either using open or click tracking, and informing people that the purpose of that specific email is to determine active subscribers. More information on how the Internet Archive dealt with this problem is in the Principles section. The essential point is to let users know when you are using tracking, and to do it in a limited way when possible.
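
The test-email check suggested above can be partly automated. This added example (not code from this guide or from any mailing platform) compares the HTML you drafted with the HTML of the test message that arrived, and reports links and images the platform changed or inserted. The `mailer.example` hostnames, the sample messages and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser


class LinkAndImageCollector(HTMLParser):
    """Collects every link target and image in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []  # (src, width, height)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.links.append(attr["href"])
        elif tag == "img" and attr.get("src"):
            self.images.append((attr["src"], attr.get("width"), attr.get("height")))


def collect(html):
    collector = LinkAndImageCollector()
    collector.feed(html)
    collector.close()
    return collector


def is_tiny(value):
    """True for a 0 or 1 pixel dimension, the usual size of an open-tracking pixel."""
    return value is not None and re.fullmatch(r"[01](px)?", value.strip()) is not None


def audit_delivered(draft_html, delivered_html):
    """Report what differs between the drafted email and the delivered one."""
    draft, delivered = collect(draft_html), collect(delivered_html)
    draft_links = set(draft.links)
    draft_images = {src for src, _, _ in draft.images}
    return {
        # A link that is not in the draft was rewritten (click tracking) or
        # added by the platform (for example a footer link); review each one.
        "unexpected_links": [h for h in delivered.links if h not in draft_links],
        "unexpected_images": [s for s, _, _ in delivered.images if s not in draft_images],
        "pixel_sized_images": [s for s, w, h in delivered.images if is_tiny(w) and is_tiny(h)],
    }


def is_clean(report):
    return not any(report.values())


# Constructed sample messages.
DRAFT = (
    '<p>Read <a href="https://eff.org?utm_source=newsletter">our update</a>.</p>'
    '<img src="https://example.org/logo.png" width="200" height="60">'
)
DELIVERED_TRACKED = (
    '<p>Read <a href="https://click.mailer.example/c/abc123">our update</a>.</p>'
    '<img src="https://example.org/logo.png" width="200" height="60">'
    '<img src="https://open.mailer.example/o/abc123.gif" width="1" height="1">'
)

if __name__ == "__main__":
    print(audit_delivered(DRAFT, DELIVERED_TRACKED))
    print("unchanged copy is clean:", is_clean(audit_delivered(DRAFT, DRAFT)))
```

Save the HTML part of the received test message to compare; a link carrying only your own `utm_source` parameter passes because it is already in the draft.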


Servers and Online Architecture:

Servers for your website regularly process and collect data on your website’s visitors, but with some technical know-how, you can control how this is done.

If you have complete control of your website, you should make sure that:

  • Your site is available by default over HTTPS rather than unencrypted HTTP. The “https” one used to see in a browser means HTTP over SSL, or Secure Sockets Layer. HTTPS encrypts the communications between visitors and your website, making browsing more secure. If your site does not use HTTPS, you will likely see a “not secure” warning in a browser when visiting it. EFF has a tool to help you set up HTTPS if it’s not set up already: Certbot, which helps you walk through automatically getting free HTTPS certificates for your site.
  • Server logs are automatically and regularly deleted. Examine your overall retention policies, because now is the time to delete your logs. Think carefully about which precise pieces of data you really need (for example, if you need to check for abuse or for debugging). Then delete them regularly—say, every week for the most sensitive data. IP addresses are especially risky to keep. Avoid logging them, or if you must log them for anti-abuse or statistics, do so in separate files that you can aggregate and delete frequently. It may also take some technical expertise, and you should be careful that you aren’t deleting pertinent information that is necessary for the operation of your website or your organization.
  • For users who have a site hosted by a third-party, server architecture can be difficult to modify. We recommend reaching out to your host for support, or working closely with a technologist to determine what options you have to protect privacy on your backend.
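
An added example, not EFF's own tooling or code from this guide, of the retention approach described under "Rethink your data retention policy" and in the server log item above: each access-log line is reduced to one byte of the visitor IP, detailed records are kept for seven days, and older entries survive only as per-day page counts. The Combined Log Format input, the sample lines and all function names are assumptions of this example; the country lookup and the hash mentioned in the guide are left out.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

RETENTION = timedelta(days=7)  # the seven-day window described in the guide

# Combined Log Format: ip ident user [time] "request" status bytes "referrer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)


def keep_one_byte(raw_ip):
    """Keep only the leading byte of the address and zero everything else."""
    addr = ip_address(raw_ip)
    first = addr.packed[0]
    if addr.version == 4:
        return f"{first}.0.0.0"
    return f"{first:02x}00::"


def minimize(line):
    """Turn one raw log line into the reduced record, or None if unparseable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ip": keep_one_byte(m["ip"]),
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "referrer": m["referrer"],
        "agent": m["agent"],
    }


def apply_retention(lines, now):
    """Return (detailed records inside the window, per-day page counts for the rest)."""
    detailed = []
    aggregate = Counter()
    for line in lines:
        record = minimize(line)
        if record is None:
            continue  # unparseable lines are dropped, never stored raw
        if now - record["time"] <= RETENTION:
            detailed.append(record)
        else:
            day = record["time"].date().isoformat()
            aggregate[(day, record["path"])] += 1
    return detailed, aggregate


# Constructed sample input using documentation-range addresses.
NOW = datetime(2022, 8, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    '203.0.113.7 - - [14/Aug/2022:09:15:02 +0000] "GET /deeplinks HTTP/1.1" '
    '200 5120 "https://example.org/" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Aug/2022:18:40:11 +0000] "GET /donate HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [02/Aug/2022:19:01:45 +0000] "GET /donate HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    kept, counts = apply_retention(SAMPLE_LINES, NOW)
    for record in kept:
        print(record["ip"], record["time"].isoformat(), record["path"])
    for (day, path), hits in sorted(counts.items()):
        print(day, path, hits)
```

Run on a schedule, writing the returned records and counts to new files and deleting the raw log, this leaves no full IP address on disk.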


Additional Tips for Visitors to Your Website:

There are also steps users can take to protect their online privacy directly. You may want to offer this advice to them, if appropriate:

  • Install third-party tracker blockers like Privacy Badger, or Google’s own “Analytics Opt-out” extension.
  • Turn off Ad IDs on phones and tablets. We’ve got instructions here.
  • We have many more surveillance self-defense tips available at our Surveillance Self-Defense site.
  • Remind people not to incriminate themselves on intake forms or other communications via the site (or email). (Legal intake is different from other types of intake forms, as it is protected by the attorney-client privilege.) Consider adding something like: "This intake form is for unprivileged communications, and should not be used to discuss activities that may be unlawful in your location." This advice does depend on your threat model: in some cases, it is best to design a form that minimizes information that’s collected—for example, if people want to get information to find abortion services or where to obtain self-managed abortion pharmaceuticals. And in other cases, it is best to not use a form and have a phone call that is not preserved. 


Companies Must Offer Better Privacy Options By Default

All of the steps it takes to become a more privacy-protective organization can seem overwhelming. It’s outrageous that a nonprofit interested in protecting privacy must jump through so many hoops to do so. Unfortunately, much of the online ecosystem has been built to monetize information, rather than protect it. And because the privacy practices we discuss here generally protect not the organizations who are direct customers of these ad tech, email, and website companies, but the people who visit and/or support the organization via its website, these infrastructure companies often don’t see privacy as their priority. But it should be.

Platforms should offer simple privacy settings, and assume users want them on by default. Rather than force users to navigate through complicated menus, or make changes for every email blast they send—or worse, navigate to other platforms entirely—infrastructure companies should make it clear and easy to turn off data collection, or turn on anonymous, aggregate collection. They should also be up front about what data is collected, both with their users and with the resulting emails or websites that include those tracking methods.

If you agree, you can help: ask the companies you work with to offer better privacy options. Features don’t get added without demand, so let’s demand it.


Have Suggestions? We Want to Hear From You

This list is just a starting point. It’s impossible to be comprehensive of all the ways that tracking should be minimized, especially as technology changes and new tracking methods are created. It’s also likely that we’ve missed some obvious tips or issues. Also, if you find that any of these suggestions are inadequate or no longer effective, please let us know. If you have suggestions or tools that have helped you protect privacy, or you think we’ve gotten something wrong, we’d love to hear from you! Send an email to nonprofitprivacy@eff.org with more information, and thank you for joining us! We hope to offer revisions down the road.

Also, if you have had success with these or other privacy-protecting tips at your organization, please let us know! We’d like a future version of this guide to include case studies and examples. This is a first draft of recommendations as of August 2022, and we hope to offer a revision with more information.

Thanks to Digital Defense Fund, Internet Archive, The Markup, and Media Cause for their assistance with this guide.