The Front Lines of Data Privacy: Challenges and Possibilities

The Legal Landscape

The development of privacy legislation in recent years has made it important for organizations to take data protection and privacy seriously. These laws are meant to address legal concerns regarding the protection of sensitive personal information of individuals who use and interact with online platforms. Laws such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Stop Hacks and Improve Electronic Data Security Act (SHIELD), and others mean organizations and private companies must adapt their practices to ensure compliance with these regulations. Failure to comply can have serious consequences, which include lawsuits, financial compensation and remediation costs, government audits, fines, lost revenue, and loss of reputation.

Organizations, however, are asked to comply with these laws in a context where ownership and control of the infrastructure behind their online operations — websites, email, social media, etc. — belong to external companies, not to the organizations themselves. Matters become more complicated as the biggest, most popular platforms for digital operations have encountered legal challenges and lawsuits, as well as industry criticism, asserting that these platforms inadequately address data privacy and do not provide easy ways for users to exercise their rights to it.

More seriously, industry critics and data privacy advocates argue that the biggest companies in the online ecosystem that control much of the internet’s infrastructure have financial stakes in direct conflict with data privacy laws and regulations. These platforms collect and store data on billions of users and their online user behavior and monetize this information to sell online advertising. This conflict disincentivizes companies from complying with these laws and addressing them in meaningful ways.

The full picture for nonprofits and other organizations interested in complying with laws like GDPR and incorporating data privacy practices in their operations, therefore, is complicated. For frontline staff like web managers, this situation presents a conundrum that will take more than promoting data privacy practices within organizations to solve. It will require a sea change in how the internet industry, itself, operates.

Data Privacy in a Monetized Ecosystem

Generally, laws like GDPR require organizations that collect, process, and store personal data to:

  • be transparent about their data collection practices

  • provide clear mechanisms for individuals to exercise their rights under these laws

  • implement strong security measures to protect personal data from unauthorized access or disclosure

Putting these principles into practice, however, is easier said than done, especially for nonprofit organizations. The online infrastructure that many organizations depend on to interact with their users and to collect, store, and manage user data and information is generally not owned or controlled by these organizations. Instead, much of the day-to-day work of digital communications for nonprofits and other organizations is done using externally created or owned platforms.

Email operations, for example, are accomplished using tools like Mailchimp and Constant Contact. Websites are built on content management systems such as WordPress, Drupal, or SharePoint. Web analytics is measured using tools like Google Analytics. Data is stored on servers run by Amazon Web Services. Social media is conducted using Facebook, TikTok, Twitter, and LinkedIn.

Platforms like Google have been criticized for their practice of collecting and storing data on billions of users and their online behavior. User information, in this case, is monetized and used to sell online advertising. Online advertising for tech companies is big business, with Google making 209.49 billion dollars in advertising revenue in 2021. Facebook made 50.3 billion dollars in advertising revenue in 2021.

Monetized platforms, in and of themselves, are not a problem. Monetization becomes problematic when a company's business model of selling user information and behavior creates a conflict of interest with implementing and enforcing privacy principles in how its platforms operate.

Enforcement of laws like GDPR, CCPA, and SHIELD has resulted in legal challenges. These lawsuits assert that many online tools fall short of providing data privacy protections to consumers and are not compliant with privacy laws. Google Analytics, for example, which is used to measure web traffic on millions of websites worldwide, has encountered serious legal challenges and industry criticism.

Data Privacy from the Top Down

Prescriptions for data privacy and compliance for organizations are often written for audiences such as IT directors, Chief Information Officers, and organizational leadership, who have the authority to implement these guidelines in their organizations from above. More often than not, these prescriptions boil down to how organizations can improve their internal processes and procedures to protect against malicious hackers and data breaches.

Data Privacy in the Front Lines

A significant share of data privacy issues arises not inside organizations but in external platforms operated day to day by frontline staff like web managers. These staff work in settings where constituents first encounter the organization’s methods for collecting sensitive and other user information.

Web managers, for example, administer content management systems (CMS) for websites as well as email platforms, and oversee technical troubleshooting and configuration of these systems as they interact with other platforms such as AMSs, CRMs, and other databases. They collect user information and online interactions from websites using tools such as Google Analytics, Hotjar, and Crazy Egg. They administer the organization’s social media accounts on Twitter or Facebook.

Having firsthand knowledge and expertise of these platforms, web managers are generally knowledgeable about how organizations collect information about their users and constituents, what type of information is being collected, entry points where that collection is made, vulnerabilities to the system, how that data is stored and managed, archived and deleted, and which staff and vendors are in charge of those functions for the organization. These staff, therefore, can play a key role in promoting and practicing data privacy in their organizations.

Data Privacy in Practice

What does a privacy-centric nonprofit organization look like? Digital privacy advocates the Electronic Frontier Foundation (EFF) compiled a set of actionable resources that incorporate privacy principles for day-to-day use by frontline staff. Below is an abridged list of their advice and guidelines.

Advertising

  • Check to see if your site has ad trackers installed. Tools that can be used are EFF’s Privacy Badger tool and The Markup’s Blacklight tool

  • Do not use Facebook tracking pixels

  • Do not upload lists of your supporters and donors to Facebook

Websites

  • Opt out of Google’s surveillance ecosystem. Google’s business model is heavily dependent on user surveillance. On their own, Google tools may not be particularly invasive, but when connected to one another and implemented on billions of websites, Google is able to collect and store vast amounts of data about individuals and their online behavior

  • Do not use dark patterns or user interfaces that were crafted to deliberately push someone into making a choice that they may not otherwise make

  • Check to see if your site functions properly when being viewed on a VPN

  • Do not use captchas

  • Deactivate or delete privacy-invasive analytics tracking codes, tracking pixels, and cookies, and switch to privacy-protective analytics tools. For example, use alternatives to Google Analytics such as Plausible, Matomo, and Simple Analytics

  • Ensure your site functions if the user entirely blocks cookies

  • Do not collect form data before it is submitted.

Email

  • Disable built-in email “open tracking” and “click tracking” in platforms such as Mailchimp

  • Manually use UTM parameters in links in your emails

Server and Online Architecture

  • Make sure your site is available by default over HTTPS rather than unencrypted HTTP

  • Make sure server logs are automatically and regularly deleted

The EFF guidelines for data privacy for nonprofits illustrate the ubiquity of external platforms in the digital operations of organizations. They show how frontline staff like web managers are required to jump through hoops to achieve data privacy because many platforms do not make compliance easy or provide simple-to-execute controls by default. Finally, it is notable that in several cases, the EFF guide prescribes abandoning platforms entirely (Facebook, Google) because the platforms, themselves, are problematic.
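For the "check your site for trackers" and "delete tracking codes and pixels" items in the list above, a web manager can audit a page's own markup before turning to browser tools. The following is an added example, not code from the EFF or from this article; the hostname list and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames used by trackers this article names (assumed, non-exhaustive list).
TRACKER_HOSTS = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "connect.facebook.net": "Facebook", "facebook.com": "Facebook",
    "hotjar.com": "Hotjar", "crazyegg.com": "Crazy Egg",
}

def classify(host):
    # Tracker name for a listed host or one of its subdomains, else None.
    return next((name for suffix, name in TRACKER_HOSTS.items()
                 if host == suffix or host.endswith("." + suffix)), None)

class TrackerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script, self.findings = False, []  # findings: (where, tracker, evidence)

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        url = dict(attrs).get("src") or dict(attrs).get("href")
        if tag in ("script", "img", "iframe", "link") and url:
            name = classify(urlparse(url).hostname or "")
            if name:
                self.findings.append((tag, name, url))

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        # Inline loader snippets name the tracker host inside the script body.
        if self.in_script:
            for suffix, name in TRACKER_HOSTS.items():
                if suffix in data:
                    self.findings.append(("inline-script", name, suffix))

def audit(html):
    parser = TrackerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; the id values are placeholders.
SAMPLE = """<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>s.src='https://connect.facebook.net/en_US/fbevents.js';</script>
<noscript><img src="https://www.facebook.com/tr?id=0000000000"/></noscript>"""
```

This inspects static markup only. Trackers injected at runtime by a tag manager or a CMS plugin will not appear in it, which is where Privacy Badger and Blacklight come in.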

The Long Game: Changing the Industry

The EFF boils down the issue of privacy for nonprofits succinctly:

It’s outrageous that a nonprofit interested in protecting privacy must jump through so many hoops to do so. Unfortunately, much of the online ecosystem has been built to monetize information, rather than protect it.

Industry giants who control large swaths of online infrastructure like Google and Facebook make billions of dollars from online advertising. Their business model is built on capturing user data from billions of people and websites and selling customer data to advertisers. They have incentives and interests, therefore, that go against the spirit and substance of data privacy laws and regulations.

The solution the EFF advocates is for online platforms to offer simple privacy settings and assume users want these settings on by default. These companies should make it clear and easy to turn off data collection or turn on anonymous, aggregate collection. They should also make transparent what data they are collecting and how that data is being used.

Making this a reality will require a sea change in how the internet industry and its biggest companies operate. More than promoting data privacy within their own organizations, industry-wide change will require users of internet platforms and staff in nonprofits and other organizations to support and advocate for enforcement of laws that promote principles and practices of cybersecurity and data privacy — in direct conflict with the interests of the biggest companies in the industry.

This tension and conflict, however, create an incentive for companies who produce software to create platforms that are compliant with privacy principles and laws by default. In turn, organizations and individuals concerned about data privacy would have access to alternative platforms that will be more conducive to data privacy.
