Last year, nearly 200 million people visited the website of Planned Parenthood, a nonprofit that many people turn to for very private matters like sex education, access to contraceptives, and access to abortions. What those visitors may not have known is that as soon as they opened plannedparenthood.org, some two dozen ad trackers embedded in the site alerted a slew of companies whose business is not reproductive freedom but gathering, selling, and using browsing data.

The Markup ran Planned Parenthood’s website through our Blacklight tool and found 28 ad trackers and 40 third-party cookies tracking visitors, in addition to so-called “session recorders” that could be capturing the mouse movements and keystrokes of people visiting the homepage in search of things like information on contraceptives and abortions. The site also contained trackers that tell Facebook and Google if users visited the site.

The Markup’s scan found Planned Parenthood’s site communicating with companies like Oracle, Verizon, LiveRamp, TowerData, and Quantcast—some of which have made a business of assembling and selling access to masses of digital data about people’s habits.

Katie Skibinski, vice president for digital products at Planned Parenthood, said the data collected on its website is “used only for internal purposes by Planned Parenthood and our affiliates,” and the company doesn’t “sell” data to third parties.

“While we aim to use data to learn how we can be most impactful, at Planned Parenthood, data-driven learning is always thoughtfully executed with respect for patient and user privacy,” Skibinski said. “This means using analytics platforms to collect aggregate data to gather insights and identify trends that help us improve our digital programs.”

Skibinski did not dispute that the organization shares data with third parties, including data brokers.

A Blacklight scan of Planned Parenthood Gulf Coast—a localized website specifically for people in the Gulf region, including Texas, where abortion has been essentially outlawed—churned up similar results.

Planned Parenthood is not alone when it comes to nonprofits, some operating in sensitive areas like mental health and addiction, gathering and sharing data on website visitors.

Using our Blacklight tool, The Markup scanned more than 23,000 websites of nonprofit organizations, including those belonging to abortion providers and nonprofit addiction treatment centers. The Markup used the IRS’s nonprofit master file to identify nonprofits that have filed a tax return since 2019 and that the agency categorizes as focusing on areas like mental health and crisis intervention, civil rights, and medical research. We then examined each nonprofit’s website as publicly listed in GuideStar. We found that about 86 percent of them had third-party cookies or tracking network requests. By comparison, when The Markup did a survey of the top 80,000 websites in 2020, we found 87 percent used some type of third-party tracking.

About 11 percent of the 23,856 nonprofit websites we scanned had a Facebook pixel embedded, while 18 percent used the Google Analytics “Remarketing Audiences” feature.

The Markup found that 439 of the nonprofit websites loaded scripts called session recorders, which can monitor visitors’ clicks and keystrokes. Eighty-nine of those were for websites that belonged to nonprofits that the IRS categorizes as primarily focusing on mental health and crisis intervention issues.

“As a user of this website, by sharing your information with them, you probably don’t assume that this sensitive information is shared with third parties and definitely don’t assume that your keystrokes are recorded,” Gunes Acar, a privacy researcher who copublished a 2017 study on session recorders, said. “The more sensitive the website is, the more worried I am.”

Tracy Plevel, the vice president of development and community relations at Gateway Rehab, one of the nonprofits with session recorders on its site, said that the nonprofit uses trackers and session recorders because it needs to stay competitive with its larger, for-profit counterparts.

“As a nonprofit ourselves, we are up against for-profit providers with large advertising budgets as well as the addiction treatment brokers who grab those seeking care with similar online advertising tactics and connect them with the provider who is offering the greatest ‘sales’ compensation,” Plevel said. “Additionally we know user experience has a big impact on following through on treatment. When someone is ready to commit to treatment, we need to ensure it [is] as easy as possible for them before they get frustrated or intimidated by the process.”

Other nonprofits had a significant number of trackers embedded on their sites as well. The Markup found 26 ad trackers and 50 third-party cookies on The Clinic at Sharma-Crawford Attorneys at Law, a Kansas City legal clinic that represents low-income people facing deportation.

Rekha Sharma-Crawford, the board president of The Clinic, wrote in an emailed statement, “We take privacy and security concerns very seriously and will continue to work with our web provider to address the issues you have identified.”

Save the Children, a humanitarian aid organization founded more than 100 years ago, had 26 ad trackers and 49 third-party cookies. March of Dimes, a nonprofit started by President Franklin D. Roosevelt that focuses on maternal and infant care, had more than 29 ad trackers on its site and 58 third-party cookies. City of Hope, a Californian cancer treatment and research center, had 25 ad trackers and 47 third-party cookies.

Results of Blacklight scans of the homepages of Save the Children, March of Dimes, and City of Hope, performed on Oct 19 2021
Credit: The Markup
Results of Blacklight scans of the homepages of Save the Children, March of Dimes, and City of Hope, performed on Oct 19 2021
Results of Blacklight scans of the homepages of Save the Children, March of Dimes, and City of Hope, performed on Oct 19 2021

Paul Butcher, associate vice president of global digital strategy at Save the Children, said in an emailed statement that the organization “takes data protection very seriously.” Butcher also wrote that Save the Children collects some data through ad trackers “to improve user experience” and that the organization is in the process of revamping its data retention policies and recently hired a new head of data.

March of Dimes and City of Hope did not respond to requests for comment.

State-level privacy laws miss nonprofits

While health data is governed by HIPAA, and FERPA  regulates educational records, there are no federal laws governing how websites track their visitors. Recently, a few states—California, Virginia, and Colorado—have enacted consumer privacy laws that require companies to disclose their tracking practices and allow visitors to opt out of data collection.

But nonprofits in two of those states, California and Virginia, don’t need to adhere to the regulations.

Sen. Ron Wyden (D-OR), who has proposed his own federal privacy legislation, said that nonprofits accrue a large amount of potentially sensitive data.

“Nonprofits store incredibly personal information about things we’re passionate about, from political causes and social views to which charitable causes we care about,” Wyden said in an emailed statement. “If a data breach reveals someone donates to a domestic violence support group or an LGBTQ rights organization or the name of their mosque, any of that information could be incredibly private.”

Nonprofit leaders, however, argue that they lack the infrastructure and funding to comply with privacy law requirements and must gather and share information on donors in order to survive.

“One of the most substantive and impactful uses of data by nonprofits has been our fundraising,” said Shannon McCracken, the CEO of The Nonprofit Alliance, an advocacy group made up of nonprofits and businesses. “Without the ability to cost-effectively reach prospective new donors and current donors, then nonprofits can’t continue to be as impactful as they are today.”

But purposeful or not, privacy experts say, nonprofits are feeding personal information to data brokers and tech giants like Facebook and Google.

“A nonprofit might share your phone number and name with LiveRamp. Tomorrow, a for-profit entity can then reuse that same data to target you,” said Ashkan Soltani, a privacy expert and former chief technologist at the Federal Trade Commission. “The data flows that go into these third-party aggregators and data brokers come often from nonprofits as well.”

Soltani, who was appointed executive director of the California Privacy Protection Agency on Oct. 4, helped draft the California Consumer Privacy Act, which was originally introduced with the nonprofit exemptions.

Many major nonprofits work with data brokers to help organize and analyze their data, Jan Masaoka, CEO of the California Association of Nonprofits, said.

“People that have big donor lists use them extensively, pretty much all of them use one of the services,” Masaoka said. “They don’t keep it in-house, pretty much everybody keeps it with one of these services.”

She noted that Blackbaud is a company that nonprofits often turn to. The registered data broker’s marketing material promotes a co-op database that combines donor data from more than 550 nonprofits with public information on millions of households.

Blackbaud didn’t respond to a request for comment.

Because of a lack of funds, nonprofits also rely on third-party platforms—which also happen to be data brokers—to manage their data’s security and privacy, McCracken said. But these kinds of companies aren’t immune to cyberattacks either: Blackbaud disclosed a ransomware attack in 2020 in which hackers stole passwords, Social Security numbers, and banking information, according to a Securities and Exchange Commission filing. Hundreds of charitable organizations, schools, and hospitals were affected, along with more than 13 million people, according to the Identity Theft Resource Center.

“They rely on this kind of problematic ecosystem to achieve their work, and as a result, they share number lists, email addresses, or browsing behavior with third-party advertising companies and subject their members to risk,” Soltani said.

The exception

Unlike its predecessors in California and Virginia, Colorado’s privacy bill doesn’t have an exemption for nonprofits.

In both California and Virginia, the bills’ main supporters gave nonprofits an exemption as a political maneuver. Alastair Mactaggart, a real estate developer and founder of Californians for Consumer Privacy, who was the driving force behind the California Consumer Privacy Act, said his proposal was already facing opposition from tech giants and didn’t want a political showdown with nonprofits, too.

“You gotta take the first step, so we figured this was the one that would be the easiest to bounce off,” Mactaggart said. “Eventually, I hope that the big nonprofits are included as well.”

David Marsden, the state senator who introduced the Virginia Consumer Data Protection Act, echoed that sentiment, reflecting that the law wasn’t perfect but still a good start.

“Does this pick up everybody that it should, or exempt everybody who needs an exemption? Probably not, but it comes pretty close,” Marsden said. “We were able, with this bill, to get it passed without people getting up and objecting to what we were trying to do.”

Colorado state senator Robert Rodriguez, who co-sponsored the state’s privacy bill, said he didn’t include an exemption for nonprofits because he felt that any entity that had data on more than 100,000 people should have to follow privacy protections. He also didn’t understand why other states had exemptions.

“Someone that has over 100,000 records is a good size,” he said in an email. “They should have some protections or requirements to follow.”

This article by Alfred Ng and Maddy Varner was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.