This policy was in effect from February 20, 2018 to May 24, 2018. You can view our current policy here.
In this policy, "EFF" refers to EFF staff, board members, cooperating attorneys, interns, volunteers, and consultants, all of whom are bound by law or contract to keep confidential information they receive as part of their assistance to EFF.
EFF does not sell or rent member, donor or website visitor information under any circumstances, and we do not share member, donor or visitor information without prior consent except as compelled by law. This restriction applies to member and donors who join or donate both online and offline. (See discussion below.)
Information Gathered by EFF's Site
Logging: For visitors to our website, we generally log requests to our website through a program called cryptolog (cryptolog described further below) and do internal analytical logging (also described further below) for up to seven days from when the data was collected.
Circumstances in which EFF may need to log and retain technical information for longer than seven days include when we believe it is reasonably necessary for EFF’s mission and functionality, including situations such as:
diagnosis of technical problems,
defending against attacks to the site,
handling a spike in traffic or other abnormal, short-term circumstances, or
- research projects (in anonymized form) that serve our overall mission to defend freedom online.
In those and similar situations we will delete the information as soon as it is apparent that the information is no longer needed for the purpose for which it was retained. For more information on EFF's position on data logging and techniques we use to anonymize, obfuscate, aggregate and delete information, see our Best Practices for Online Service Providers.
How Cryptolog Works: Cryptolog takes the IP address portion of the request getting logged and encrypts it, as well as a chunk of random data (the salt), using a cryptographic hash function. The salt changes every night, which should result in making it very difficult for us, or anyone else, to recover IP addresses from our logs.
How EFF Internal Analytics Works: EFF endeavors to gather sufficient information for analyzing our website and how visitors move within it without compromising the privacy of our visitors. EFF’s internal analytical logging, which is separate from the Cryptolog logs, involves logging for up to seven days a single byte of the IP address, as well as the referrer page, time stamp, page requested, user agent, language header, website visited, and a hash of all of this information. After seven days we keep only aggregate information from these logs. We also geolocate IP addresses before anonymizing them and store only the country.
Cookies: We do not use persistent ID cookies on this site except where you click “remember me” or are logged in, as you can be for the Action Center. We use session cookies on certain portions of the website. Session cookies expire when you close your browser. You can use Tor if you wish to keep your connection information anonymous, but please note that you can still be identified to EFF if you log in.
Voluntarily Submitted Information: In addition, EFF collects and retains information you voluntarily submit to us. It is up to you whether to submit information to us, and how much information to provide. If you choose to become an EFF member, use the EFF Shop, otherwise donate to EFF or use our Action Center, we may ask for identifying information such as your name, email address, mailing address and phone number and will retain that information. For online donors and shoppers, we also ask for your credit card number.For the Action Center, we maintain aggregate information about participation in the action campaigns, and, if you agree, we will also maintain account-specific records of your use of the Action Center. If you use the EFF Shop, you are asked to provide personal information, such as a shipping address, necessary to complete your transaction.
From time to time, we may ask for personal information on other portions of the site, such as asking you to sign a petition, participate in a contest, or provide prior art for a patent busting project.
EFFector and other Mailing Lists: If you choose to subscribe to EFFector, our free electronic newsletter or any of our other mailing lists, we collect your email address, and, if you choose to provide it, a zip or postal code.
EFF's Use of Information
In general, EFF uses the information provided by you to further its mission, including to protect privacy, defend freedom and innovation, and to protect your rights in the digital world.
Member and Donor Information: We use member and donor information to process and manage your membership or contribution. If you agree, we will use your email address to send you updates and alerts on protecting your rights in the digital world, so you may take action, such as contacting your representative in Congress or attending an event. If you choose to complete the "Please tell us why you became a member of EFF" field when donating, this information may be shared with the entire EFF staff and board, and select unattributed quotes may be used to promote our mission, such as including a relevant quote in a grant proposal.
Action Center: We use the information you supply in our Action Center to help you take action in support of digital civil liberties, such as contacting decision makers (e.g. a representative in Congress) and their staff, signing a petition or sharing a message on social media. We may use Action Center information to assess the success of action campaigns and to improve the functionality and effectiveness of our site, and to allow you to see records of your activities.We, and our coalition partners, may publicize and share aggregate information about action campaigns, such as the number of people who participated in a particular location or region or through a type of action, as well as sharing or publicizing activity trends.
Invitees to EFF: If you invite another person to join EFF or take action in one of our alerts, we will ask for that person's name and online contact information. We use this information to contact and, if necessary, remind that person that he or she has been invited to join EFF.
Publication by EFF: If you provide information for publication we may use your name and contact information you have provided to us to provide you with attribution.
Other activities: We may run surveys, contests, or similar activities through this site. Such information will be used for the purposes for which it was collected. We use the information provided through our online shop to fulfill your order, and address any problems that might arise. We also look at technical information to diagnose problems with or consider improvements to our servers or related technologies and to administer eff.org and other websites we host or provide.
Third-Party Service Providers to EFF
Portions of the eff.org site, including some of our individual action alert webpages, are operated by third-parties, such as grassroots campaign service providers. When necessary and appropriate, EFF will use will use third party services such as content delivery networks and cloud hosting providers to handle traffic to our sites. EFF also uses a third-party credit card processor. Where possible, we take steps to limit the ability of third parties to retain data about our users. These service providers may place session cookies on your computer. EFF’s service providers may also log standard technical information, such as the numerical Internet Protocol (IP) address of the computer you are using; the browser software you use and your operating system; the date and time you access our site; and the Internet address of the website from which you linked directly to our site. Our service providers may also store and organize the personal information collected through this site on our behalf.
For all of EFF's service providers, hosting providers and credit card processors and any other providers we may use in the future, the information collected from EFF users remains protected by the terms of our agreements with those providers and we will ensure that the information to be kept confidential and disclosed only to employees who require such access in the course of their assigned duties. EFF also requires all of our third-party service providers to notify EFF if they receive legal process seeking information about visitors to EFF’s website.
EFF may change the specific third-party providers from time to time, and will transfer stored information to any new provider subject to similar restrictions and agreements. From time to time, EFF may work with third-party consultants or other service providers who may have access to personally identifiable information. In such cases, we will restrict their use of personally identifiable information in accordance with their assigned tasks.
Third-Party Services and APIs
EFF’s site also provides links to or interacts with a wide variety of third-party websites, including interactive links to sites like social media, telephone calling services, mapping services, or video hosting websites, often via application programming interfaces (APIs). EFF is not responsible for, and does not have any control over, the privacy practices or the content of such third parties.
We encourage users to read the privacy policies of any website visited via links from or interactions with the EFF website. Where appropriate, we will provide specific notice of these third-party services at the point of interaction. It is our policy not to include third-party resources when users initially load our web pages, but we may dynamically include them later after giving the user a chance to choose to interact with them. If you believe a third-party resource is automatically loading, please let us know so we can address it.
Disclosure of Your Information
While EFF endeavors to provide the highest level of protection for your information, we may disclose personally identifiable information about you to third parties in limited circumstances, including: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order.
If we are required by law to disclose the information that you have submitted, we will attempt to provide you with prior notice (unless we are prohibited or it would be futile) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by email, if you have given us an email address, or by postal mail if you have entered a postal address. If you do not challenge the disclosure request, we may be legally required to turn over your information.
In addition, we will independently object to requests for access to information about users of our site that we believe to be improper and we have done so.
Updating or Removing Your Information
You may choose to correct, update, or delete the membership information you have submitted to us by sending an email requesting changes to firstname.lastname@example.org. If you join the Action Center, you may correct, update, or delete the information provided on the account management page. If we inadvertently collect more personal information than intended, we endeavor to delete the extraneous information. However, please understand that deleted information may continue to persist on backup media.
Changes to Our Policies
EFF employs industry standard security measures to protect the loss, misuse, and alteration of the information under our control. EFF has turned on HTTPS by default.
Although we make good faith efforts to store information collected by EFF in a secure operating environment, we cannot guarantee complete security. Information collected by EFF will be maintained for a length of time appropriate to our needs. However, we generally do not retain credit card information unless you choose to have us make automatic monthly withdrawals from your account for your donation.
Updated February 20, 2018 to clarify how EFF works with third parties like content delivery networks and cloud service providers.
Updated July 14, 2016 to clarify the use of information in the EFF Action Center and protections for members who join EFF offline.
Updated April 7, 2015 to reflect: 1) changes to the types of third-party service providers which may be used by EFF websites; 2) that third-party service providers may be used by any EFF site, not just those on the eff.org domain; and 3) to fix some typographical errors.
Updated June 12, 2014 to reflect: 1) changes to reflect EFF’s new Action Center, including the consequences for logging in or clicking “remember me,” the identifying information we retain about logged in users and how to manage your account; 2) information use by purchasers in our Shop; 3) a specific section addressing EFF’s use of Third Party Services and API’s.