This policy was in effect from May 25, 2018 to Jul 1, 2022. You can view our current policy here.
In this policy, "EFF" refers to EFF staff, board members, cooperating attorneys, interns, volunteers, and consultants, all of whom are bound by law or contract to keep confidential information they receive as part of their assistance to EFF.
EFF does not sell or rent member, donor or website visitor information under any circumstances, and we do not share member, donor or visitor information without prior consent except as compelled by law. This restriction applies to member and donors who join or donate both online and offline. (See discussion below.)
EFF is located within the United States, and therefore will transfer, process, and store your information in the United States, which may not provide as much protection as your home country. (We’re working to make US practices better.)
Information Gathered by EFF's Site
Logging: For visitors to our website, we generally log requests to our website through a program called cryptolog (cryptolog described further below) and do internal analytical logging (also described further below) for up to seven days from when the data was collected.
Circumstances in which EFF may need to log and retain technical information for longer than seven days include when we believe it is reasonably necessary for EFF’s mission and functionality, including situations such as:
diagnosis of technical problems,
defending against attacks to the site,
handling a spike in traffic or other abnormal, short-term circumstances, or
- research projects (in anonymized form) that serve our overall mission to defend freedom online.
In those and similar situations we will delete the information as soon as it is apparent that the information is no longer needed for the purpose for which it was retained. For more information on EFF's position on data logging and techniques we use to anonymize, obfuscate, aggregate and delete information, see our Best Practices for Online Service Providers.
How Cryptolog Works: Cryptolog takes the IP address portion of the request getting logged and encrypts it, as well as a chunk of random data (the salt), using a cryptographic hash function. The salt changes every night, which should result in making it very difficult for us, or anyone else, to recover IP addresses from our logs.
How EFF Internal Analytics Works: EFF endeavors to gather sufficient information for analyzing our website and how visitors move within it without compromising the privacy of our visitors. EFF’s internal analytical logging, which is separate from the Cryptolog logs, involves logging for up to seven days a single byte of the IP address, as well as the referrer page, time stamp, page requested, user agent, language header, website visited, and a hash of all of this information. After seven days we keep only aggregate information from these logs. We also geolocate IP addresses before anonymizing them and store only the country.
Cookies: We do not use persistent ID cookies on this site except where you click “remember me” or are logged in, as you can be for the Action Center. We use session cookies on certain portions of the website. Session cookies expire when you close your browser. You can use Tor if you wish to keep your connection information anonymous, but please note that you can still be identified to EFF if you log in.
Voluntarily Submitted Information: In addition, EFF collects and retains information you voluntarily submit to us. It is up to you whether to submit information to us, and how much information to provide. If you choose to become an EFF member, use the EFF Shop, otherwise donate to EFF or use our Action Center, we may ask for identifying information such as your name, email address, mailing address and phone number and will retain that information. For online donors and shoppers, we also ask for your credit card number or other payment information. For the Action Center, we maintain aggregate information about participation in the action campaigns, and, if you agree, we will also maintain account-specific records of your use of the Action Center. If you use the EFF Shop, you are asked to provide personal information, such as a shipping address, necessary to complete your transaction.
From time to time, we may ask for personal information on other portions of the site, such as asking you to sign a petition, participate in a contest, or provide prior art for a patent busting project.
EFFector and other Mailing Lists: If you choose to subscribe to EFFector, our free electronic newsletter or any of our other mailing lists, we collect your email address, and, if you choose to provide it, a zip or postal code.
EFF's Use of Information
In general, EFF uses the information provided by you to further its mission, including to protect privacy, defend freedom and innovation, and to protect your rights in the digital world.
Member and Donor Information: We use member and donor information for our legitimate interest in processing and managing your membership or contribution, including fundraising reminders and renewals. If you agree, we will use your email address to send you updates and alerts on protecting your rights in the digital world, so you may take action, such as contacting your representative in Congress or attending an event. If you choose to complete the "Please tell us why you became a member of EFF" field when donating, this information may be shared with the entire EFF staff and board, and select unattributed quotes may be used to promote our mission, such as including a relevant quote in a grant proposal.
Action Center: We use the information you supply in our Action Center to help you take action in support of digital civil liberties, such as contacting decision makers (e.g. a representative in Congress) and their staff, signing a petition or sharing a message on social media. We may use Action Center information to assess the success of action campaigns and to improve the functionality and effectiveness of our site, and to allow you to see records of your activities.We, and our coalition partners, may publicize and share aggregate information about action campaigns, such as the number of people who participated in a particular location or region or through a type of action, as well as sharing or publicizing activity trends.
Publication by EFF: If you provide information for publication we may use your name and contact information you have provided to us to provide you with attribution.
Other activities: We may run surveys, contests, or similar activities through this site. Such information will be used for the purposes for which it was collected. We use the information provided through our online shop to fulfill your order, and address any problems that might arise. We also look at technical information to diagnose problems with or consider improvements to our servers or related technologies and to administer eff.org and other websites we host or provide.
Third-Party Service Providers to EFF
Portions of the eff.org site, including some of our individual action alert webpages, are operated by third-parties, such as grassroots campaign service providers. When necessary and appropriate, EFF uses the following categories of third party services:
content delivery networks and cloud hosting providers (for example, hosting and handling traffic to our site).
Financial services and payment processors (for example, your credit card and online payments)
cloud email providers (for example, sending you email, like the EFFector newsletter)
shipping and fulfillment services (for example, shipping you our great swag)
Where possible, we take steps to limit the ability of third parties to retain data about our users. These service providers may place session cookies on your computer. EFF’s service providers may also log standard technical information, such as the numerical Internet Protocol (IP) address of the computer you are using; the browser software you use and your operating system; the date and time you access our site; and the Internet address of the website from which you linked directly to our site. Our service providers may also store and organize the personal information collected through this site on our behalf. EFF’s third party providers primarily process information in the United States, but may process data in other jurisdictions. Where applicable, we have entered into General Data Protection Regulation (GDPR) compliant Data Protection Addendums with third-parties who process data on our behalf.
In addition, for all of EFF's service providers, hosting providers and credit card processors and any other providers we may use in the future, the information collected from EFF users remains protected by the terms of our agreements with those providers and we will ensure that the information to be kept confidential and disclosed only to employees who require such access in the course of their assigned duties. EFF also requires all of our third-party service providers to notify EFF if they receive legal process seeking information about visitors to EFF’s website.
EFF may change the specific third-party providers from time to time, and will transfer stored information to any new provider subject to similar restrictions and agreements. From time to time, EFF may work with third-party consultants or other service providers who may have access to personally identifiable information. In such cases, we will restrict their use of personally identifiable information in accordance with their assigned tasks.
Third-Party Services and APIs
EFF’s site also provides links to or interacts with a wide variety of third-party websites, including interactive links to sites like social media, telephone calling services, mapping services, or video hosting websites, often via application programming interfaces (APIs). EFF is not responsible for, and does not have any control over, the privacy practices or the content of such third parties.
We encourage users to read the privacy policies of any website visited via links from or interactions with the EFF website. Where appropriate, we will provide specific notice of these third-party services at the point of interaction. It is our policy not to include third-party resources when users initially load our web pages, but we may dynamically include them later after giving the user a chance to choose to interact with them. If you believe a third-party resource is automatically loading, please let us know so we can address it.
Disclosure of Your Information
While EFF endeavors to provide the highest level of protection for your information, we may disclose personally identifiable information about you to third parties in limited circumstances, including: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order.
If we are required by law to disclose the information that you have submitted, we will attempt to provide you with prior notice (unless we are prohibited or it would be futile) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by email, if you have given us an email address, or by postal mail if you have entered a postal address. If you do not challenge the disclosure request, we may be legally required to turn over your information.
In addition, we will independently object to requests for access to information about users of our site that we believe to be improper and we have done so.
Updating or Removing Your Information
You may choose to correct, update, access, or delete the membership information you have submitted to us by sending an email requesting changes to email@example.com. If you join the Action Center, you may correct, update, access, or delete the information provided on the account management page.
Your consent to our use of your information is very important to us. If you would like to withdraw your consent to receive the EFFector newsletter, Action Alerts and other bulk emails, you may use this subscription management page to unsubscribe. If you would like to otherwise withdraw your consent, restrict or object to EFF’s processing of your data, please email firstname.lastname@example.org.
Data Storage and Retention
EFF’s server logs are stored and retained as explained above in the section on logging.
Information submitted through our Action Center, including records of the actions you take, is retained until you choose to delete your account. Email subscriptions information is retained until you unsubscribe from the mailing list(s).
If you communicate with EFF, such as through email@example.com, we keep records of those communications indefinitely, pursuant to our document retention policy (described below).
Financial records of donations and other transactions are retained indefinitely, pursuant to our document retention policy. Paper records of donations, such as event donation forms and signup sheets, are typically destroyed soon after entry. Check copies and payment distribution details are normally kept up to seven years. Accompanying donor information is kept indefinitely unless the individual requests that it be removed.
Our document retention policy provides that EFF generally retains documents for the period of their immediate or current use, unless longer retention is necessary to comply with contractual or legal requirements. However, data storage periods are based on EFF's assessment of its needs and might include retaining some documents for historical reference and retaining some documents because EFF has insufficient organizational resources available to dedicate to their review and destruction, and/or other pertinent factors.
If we inadvertently collect more personal information than intended, we endeavor to delete the extraneous information. When we no longer need to retain information or when deleting information on request, we endeavor to remove all copies. However, please understand that deleted information may continue to persist on backup media.
If you have any questions about our privacy and data protection practices, you can reach EFF at:
Electronic Frontier Foundation
815 Eddy Street
San Francisco, CA 94109 USA
If our processing of your personal data is covered by EU law, you may also lodge a complaint with the relevant data protection supervisory authority for your country of residence.
EFF employs industry standard security measures to protect the loss, misuse, and alteration of the information under our control, including appropriate technical and organizational measures to ensure a level of security appropriate to the risk, such as the pseudonymization and encryption of personal data, data backup systems, and engaging security professionals to evaluate our systems effectiveness. EFF has turned on HTTPS by default.
Although we make good faith efforts to store information collected by EFF in a secure operating environment, we cannot guarantee complete security.
Changes to Our Policies
Updated May 25, 2018 to provide more transparency about our privacy practices and more detailed information about how you can access, correct and remove personal data stored with EFF.
Updated February 20, 2018 to clarify how EFF works with third parties like content delivery networks and cloud service providers.
Updated July 14, 2016 to clarify the use of information in the EFF Action Center and protections for members who join EFF offline.
Updated April 7, 2015 to reflect: 1) changes to the types of third-party service providers which may be used by EFF websites; 2) that third-party service providers may be used by any EFF site, not just those on the eff.org domain; and 3) to fix some typographical errors.
Updated June 12, 2014 to reflect: 1) changes to reflect EFF’s new Action Center, including the consequences for logging in or clicking “remember me,” the identifying information we retain about logged in users and how to manage your account; 2) information use by purchasers in our Shop; 3) a specific section addressing EFF’s use of Third Party Services and API’s.