(Note that EFF's Technology Projects, such as HTTPS Everywhere, Privacy Badger, and Certbot, have a different privacy policy, available here)
The Electronic Frontier Foundation (EFF) is committed to protecting the privacy and security of data shared with us by visitors to our websites, and by our members and volunteers, to the fullest extent possible while still ensuring our limited funds and resources can fully support our mission. EFF has established this Privacy Policy to explain what information we collect through our websites and how it is used, and what information is collected by third-party contractors and data processors, as well as protections for our members’ and donors’ personal information.
In this policy, "EFF" refers to EFF staff, board members, cooperating attorneys, interns, volunteers, and consultants, all of whom are bound by law or contract to keep confidential information they receive as part of their assistance to EFF.
EFF does not sell or rent member, donor or website visitor information under any circumstances, and we do not share member, donor or visitor information with government entities except as compelled by law. This restriction applies to members and donors who join or donate both online and offline. (See discussion below.)
EFF is located within the United States, and therefore will transfer, process, and store your information in the United States, which may not provide as much protection as your home country. (We’re working to make U.S. practices better.)
Information Gathered by EFF's Site
Logging: For visitors to our website, we generally log only timestamps, URLs, and HTTP requests and do internal analytical logging, including additional technical information such as a single byte from IP addresses (described further below), for up to seven days from when the data was collected.
Circumstances in which EFF may need to log and retain technical information for longer than seven days include when we believe it is reasonably necessary for EFF’s mission and functionality, including situations such as:
- diagnosis of technical problems,
- defending against attacks to the site,
- handling a spike in traffic or other abnormal, short-term circumstances, or
- research projects (in anonymized form) that serve our overall mission to defend freedom online.
In these and similar situations, we will delete the information as soon as it is apparent that the information is no longer needed for the purpose for which it was retained. For more information on EFF's position on data logging and techniques we use to anonymize, obfuscate, aggregate and delete information, see our Best Practices for Online Service Providers.
How EFF Internal Analytics Works: EFF endeavors to gather sufficient information for analyzing our website and how visitors move within it without compromising the privacy of our visitors. EFF’s internal analytical logging involves logging for up to seven days a single byte of the IP address, as well as the referrer page, time stamp, page requested, user agent, language header, website visited, and a hash of all this information. After seven days we keep only aggregate information from these logs. We also geolocate IP addresses before anonymizing them, but we store only country-level data.
Cookies: We do not use persistent ID cookies on the eff.org domain. We use session cookies on certain portions of the website. Some of the third-party apps we use for other websites (acteff.org, shopeff.org etc) have their own cookie policies (See the Third Party Service Providers section below). You can use Tor if you wish to keep your connection information anonymous, but please note that you can still be identified to EFF if you log in.
Voluntarily Submitted Information: In addition, EFF collects and retains information you voluntarily submit to us. It is up to you whether to submit information to us, and how much information to provide. If you choose to become an EFF member, use the EFF Shop, otherwise donate to EFF or use the Action Center. We may ask for identifying information such as your name, email address, mailing address and phone number and will retain that information. For online donors and shoppers, we also ask for your credit card number or other payment information.
We may ask for additional personal information when you provide feedback or comments, or otherwise communicate with us. We are pleased to receive anonymous donations in the mail or in-person, but please note that your personal information may be required if you choose to donate using our online form, or if you choose to use a mobile payment processor for in-person donations (and the mobile payment processor will also receive your payment information, subject to their privacy policy.).
From time to time, we may ask for personal information on other portions of the site, such as asking you to sign a petition, participate in a contest, or provide prior art for a patent busting project.
EFFector and other Mailing Lists: If you choose to subscribe to EFFector, our free electronic newsletter, or any of our other mailing lists to receive email or text message updates, we collect your email address, and, if you choose to provide it, a zip or postal code and a phone number. We may occasionally ask you to opt-in to tracking your email actions to verify you’re still an active subscriber, so that we remain compliant with email service providers’ requirements.
Separately, we may ask for your consent to opt-in to tracking your email interactions to help us understand the types of content and information that interest our supporters. These interactions would include whether you open emails sent by EFF and which links you click inside of those emails. If you consent to this tracking, you can later opt-out at any time by clicking an opt-out link in future emails or by contacting us at membership@eff.org.
If you provide your email address or phone number to receive email or text message updates, we will only use this information for messaging purposes as described in this policy.
EFF's Use of Information
In general, EFF uses the information provided by you to further its mission, including to protect privacy, defend freedom and innovation, and to protect your rights in the digital world.
Member and Donor Information: We use member and donor information for our legitimate interests in processing and managing your membership or contribution, including fundraising reminders and renewals. If you agree, we will use your email address or phone number to send you updates and alerts on protecting your rights in the digital world, including on specific issues in which you have expressed an interest, so you may take action, such as contacting your representative in Congress or attending an event. If you choose to complete the "Please tell us why you became a member of EFF" field when donating, this information may be shared with the entire EFF staff and board, and select unattributed quotes may be used to promote our mission, such as including a relevant quote in a grant proposal.
Publication by EFF: If you provide information for publication, we may use your name and contact information you have provided to us to provide you with attribution.
Other activities: We may run surveys, contests, outreach, or similar activities through this site. Such information will be used for the purposes for which it was collected, and these purposes will be described on the webpage asking for data. We use the information provided through our online Shop to fulfill your order and to address any problems that might arise. We also look at technical information to diagnose problems with or consider improvements to our servers or related technologies and to administer eff.org and other websites we host or provide.
Third-Party Service Providers to EFF
Some EFF websites and portions of the EFF.org site, including the Action Center, and order processing for the EFF Shop, are operated by third parties. When necessary and appropriate, EFF uses the following categories of third-party services:
- Content delivery networks and cloud hosting providers (for example, hosting and handling traffic to our site).
- Financial services and payment processors (for example, your credit card and online payments)
- Cloud communications providers (for example, sending you email, like the EFFector newsletter)
- Online shopping, shipping and fulfillment services (for example, shipping you our great swag)
- Campaign service providers (for example, services that allow you to contact your representatives).
We control our own data practices carefully, but some of our tools and payment processors operate under their own policies. Where possible, we take steps to limit the ability of third parties to retain data about our users. Some service providers may place session and tracking cookies on your computer. EFF’s service providers may also log standard technical information, such as the Internet Protocol (IP) address of the computer you are using; the browser you use and your operating system; the date and time you access our site; and the Internet address of the website from which you linked directly to our site. We recommend installing Privacy Badger to limit exposure to tracking from these services. Our service providers may also store and organize the personal information collected through this site on our behalf. EFF’s third party providers primarily process information in the United States but may process data in other jurisdictions. Where applicable, we have entered into General Data Protection Regulation (GDPR)- compliant Data Protection Addendums with third -parties who process data on our behalf.
In addition, for all of EFF's service providers, hosting providers and credit card processors and any other providers we may use in the future, the information collected from EFF users remains protected by the terms of our agreements with those providers and we will ensure that the information is kept confidential and disclosed only to employees who require such access in the course of their assigned duties. EFF also requires all of our third-party service providers to notify EFF if they receive legal process seeking information about visitors to EFF’s website.
EFF may change the specific third-party providers from time to time and will transfer stored information to any new provider subject to similar restrictions and agreements. From time to time, EFF may work with third-party consultants or other service providers who may have access to personally identifiable information. In such cases, we will restrict their use of personally identifiable information in accordance with their assigned tasks.
Third-Party Services and APIs
EFF’s site also provides links to or interacts with a wide variety of third-party websites, including interactive links to sites like social media, telephone calling services, mapping services, or video hosting websites, often via application programming interfaces (APIs). EFF is not responsible for, and does not have any control over, the privacy practices or the content of such third parties.
We encourage users to read the privacy policies of any website visited via links from or interactions with the EFF website. Additionally, we recommend installing and using Privacy Badger to protect against tracking by these services. We turn off tracking where possible in third-party configurations, but not every service allows full control. Where appropriate, we will provide specific notice of these third-party services at the point of interaction. It is our policy not to include third-party resources when users initially load eff.org pages, such as video or document embeds, but we may dynamically include them later after giving the user a chance to choose to interact with them. If you believe a third-party resource is automatically loading, please let us know so we can address it.
Disclosure of Your Information
While EFF endeavors to provide the highest level of protection for your information, we may disclose personally identifiable information about you to third parties in limited circumstances, including: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order.
If we are required by law to disclose the information that you have submitted, we will attempt to provide you with prior notice (unless we are prohibited or it would be futile) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by email, if you have given us an email address, or by postal mail if you have entered a postal address. If you do not challenge the disclosure request, we may be legally required to turn over your information.
In addition, we will independently object to requests for access to information about users of our site that we believe to be improper, and we have done so.
Updating or Removing Your Information
You may choose to correct, update, access, or delete the membership information you have submitted to us by sending an email requesting changes to membership@eff.org.
Your consent to our use of your information is very important to us. If you would like to withdraw your consent to receive the EFFector newsletter, Action Alerts and other bulk emails or texts, you may use this subscription management page to unsubscribe. If you would like to otherwise withdraw your consent, restrict or object to EFF’s processing of your data, please email privacypolicy@eff.org..
GDPR Data Deletion Requests: Users in the European Union have the right to request deletion of personal data under GDPR. To make a request, please contact us at info@eff.org with the subject line "GDPR Data Deletion Request". We will respond within the time limits required by law.
Data Storage and Retention
EFF’s server logs are stored and retained as explained above in the section on logging.
Email and text subscription information is retained until you unsubscribe from the mailing list(s) or request we delete your information.
Some records and communications are maintained according to EFF’s internal document retention period. This policy provides that EFF generally retains documents for the period of their immediate or current use, unless longer retention is necessary to comply with contractual or legal requirements. However, data storage periods are based on EFF's assessment of its needs and might include retaining some documents for historical reference and retaining some documents because EFF has insufficient organizational resources available to dedicate to their review and destruction, and/or other pertinent factors.
Records and communications subject to EFF’s document retention policy include:
- Communications with EFF, such as through info@eff.orgor individual staff members’ emails
- Financial records of donations and other transactions (retained indefinitely)
- Paper records of donations, such as event donation forms and signup sheets (typically destroyed soon after entry)
- Check copies and payment distribution details (normally kept up to seven years)
- Accompanying donor information (kept indefinitely unless the individual requests that it be removed)
If we inadvertently collect more personal information than intended, we endeavor to delete the extraneous information. When we no longer need to retain information or when deleting information on request, we endeavor to remove all copies. However, please understand that deleted information may continue to persist on backup media.
Contacting EFF
If you have any questions about our privacy and data protection practices, you can reach EFF at:
Electronic Frontier Foundation
815 Eddy Street
San Francisco, CA 94109 USA
Phone: +1-415-436-9333
Fax: +1-415-436-9993
Email: privacypolicy@eff.org.
If our processing of your personal data is covered by EU law, you may also lodge a complaint with the relevant data protection supervisory authority for your country of residence.
Security
EFF employs industry standard security measures to protect the loss, misuse, and alteration of the information under our control, including appropriate technical and organizational measures to ensure a level of security appropriate to the risk, such as the pseudonymization and encryption of personal data, data backup systems, and engaging security professionals to evaluate our systems effectiveness. EFF has turned on HTTPS by default.
Although we make good faith efforts to store information collected by EFF in a secure operating environment, we cannot guarantee complete security.
Changes to Our Policies
EFF's Privacy Policy may change from time to time. However, any revised privacy policy will be consistent with EFF's mission. If we make any substantive changes to our policies, we will place notice in EFFector and post notice of changes on this page.
Updated May 18, 2026 to further clarify our use of third party tools especially in the cases where they operate under their on privacy policy, remove Action Center specific policies, and add opt-in email tracking provisions. We also added GDPR information and data retention guidelines.
Updated July 1, 2022 to reflect that EFF no longer uses Cryptolog, which allowed us to take the IP address portion of the request getting logged and encrypt it, as well as a chunk of random data (the salt), using a cryptographic hash function. Instead, as described above, we generally don’t log IP addresses at all.
Updated May 25, 2018 to provide more transparency about our privacy practices and more detailed information about how you can access, correct and remove personal data stored with EFF.
Updated February 20, 2018 to clarify how EFF works with third parties like content delivery networks and cloud service providers.
Updated July 14, 2016 to clarify the use of information in the EFF Action Center and protections for members who join EFF offline.
Updated April 7, 2015 to reflect: 1) changes to the types of third-party service providers which may be used by EFF websites; 2) that third-party service providers may be used by any EFF site, not just those on the eff.org domain; and 3) to fix some typographical errors.
Updated June 12, 2014 to reflect: 1) changes to reflect EFF’s new Action Center, including the consequences for logging in or clicking “remember me,” the identifying information we retain about logged in users and how to manage your account; 2) information use by purchasers in our Shop; 3) a specific section addressing EFF’s use of Third Party Services and API’s.
Also recently updated May 1, 2014 to reflect: 1) introduction of EFF's separate Technology Projects Privacy Policy; 2) specifying that we will try to give prior notice to users when someone seeks their data from us and that we have actually challenged requests for access to our user information; 3) clarifying that we will ensure that information we give to third parties is protected, even if that is not through a specific agreement (it may, for example, be because the third party does not engage in logging).
