Last year, nearly 200 million people visited the website of Planned Parenthood, a nonprofit that many people turn to for very private matters like sex education, access to contraceptives, and access to abortions.
What those visitors may not have known is that as soon as they opened plannedparenthood.org, some two dozen ad trackers embedded in the site alerted a slew of companies whose business is not reproductive freedom but gathering, selling, and using browsing data.
See our data here: GitHub
The Markup ran Planned Parenthoodâs website through our Blacklight tool and found 28 ad trackers and 40 third-party cookies tracking visitors, in addition to so-called âsession recordersâ that could be capturing the mouse movements and keystrokes of people visiting the homepage in search of things like information on contraceptives and abortions. The site also contained trackers that tell Facebook and Google if users visited the site.
The Markupâs scan found Planned Parenthoodâs site communicating with companies like Oracle, Verizon, LiveRamp, TowerData, and Quantcastâsome of which have made a business of assembling and selling access to masses of digital data about peopleâs habits.
Katie Skibinski, vice president for digital products at Planned Parenthood, said the data collected on its website is âused only for internal purposes by Planned Parenthood and our affiliates,â and the company doesnât âsellâ data to third parties.
âWhile we aim to use data to learn how we can be most impactful, at Planned Parenthood, data-driven learning is always thoughtfully executed with respect for patient and user privacy,â Skibinski said. âThis means using analytics platforms to collect aggregate data to gather insights and identify trends that help us improve our digital programs.â
Skibinski did not dispute that the organization shares data with third parties, including data brokers.
A Blacklight scan of Planned Parenthood Gulf Coastâa localized website specifically for people in the Gulf region, including Texas, where abortion has been essentially outlawedâchurned up similar results.
Planned Parenthood is not alone when it comes to nonprofits, some operating in sensitive areas like mental health and addiction, gathering and sharing data on website visitors.
Using our Blacklight tool, The Markup scanned more than 23,000 websites of nonprofit organizations, including those belonging to abortion providers and nonprofit addiction treatment centers.
The Markup used the IRSâs nonprofit master file to identify nonprofits that have filed a tax return since 2019 and that the agency categorizes as focusing on areas like mental health and crisis intervention, civil rights, and medical research.
We then examined each nonprofitâs website as publicly listed in GuideStar. We found that about 86 percent of them had third-party cookies or tracking network requests. By comparison, when The Markup did a survey of the top 80,000 websites in 2020, we found 87 percent used some type of third-party tracking.
About 11 percent of the 23,856 nonprofit websites we scanned had a Facebook pixel embedded, while 18 percent used the Google Analytics âRemarketing Audiencesâ feature.
The Markup found that 439 of the nonprofit websites loaded scripts called session recorders, which can monitor visitorsâ clicks and keystrokes. Eighty-nine of those were for websites that belonged to nonprofits that the IRS categorizes as primarily focusing on mental health and crisis intervention issues.
âAs a user of this website, by sharing your information with them, you probably donât assume that this sensitive information is shared with third parties and definitely donât assume that your keystrokes are recorded,â Gunes Acar, a privacy researcher who copublished a 2017 study on session recorders, said. âThe more sensitive the website is, the more worried I am.â
Tracy Plevel, the vice president of development and community relations at Gateway Rehab, one of the nonprofits with session recorders on its site, said that the nonprofit uses trackers and session recorders because it needs to stay competitive with its larger, for-profit counterparts.
The more sensitive the website is, the more worried I am.
Gunes Acar, privacy researcher
âAs a nonprofit ourselves, we are up against for-profit providers with large advertising budgets as well as the addiction treatment brokers who grab those seeking care with similar online advertising tactics and connect them with the provider who is offering the greatest âsalesâ compensation,â Plevel said.
âAdditionally we know user experience has a big impact on following through on treatment. When someone is ready to commit to treatment, we need to ensure it [is] as easy as possible for them before they get frustrated or intimidated by the process.â
Other nonprofits had a significant number of trackers embedded on their sites as well. The Markup found 26 ad trackers and 50 third-party cookies on The Clinic at Sharma-Crawford Attorneys at Law, a Kansas City legal clinic that represents low-income people facing deportation.
Rekha Sharma-Crawford, the board president of The Clinic, wrote in an emailed statement, âWe take privacy and security concerns very seriously and will continue to work with our web provider to address the issues you have identified.â
Save the Children, a humanitarian aid organization founded more than 100 years ago, had 26 ad trackers and 49 third-party cookies. March of Dimes, a nonprofit started by President Franklin D. Roosevelt that focuses on maternal and infant care, had more than 29 ad trackers on its site and 58 third-party cookies.
City of Hope, a Californian cancer treatment and research center, had 25 ad trackers and 47 third-party cookies.
Results of Blacklight scans of the homepages of Save the Children, March of Dimes, and City of Hope performed on Oct. 19, 2021.
Paul Butcher, associate vice president of global digital strategy at Save the Children, said in an emailed statement that the organization âtakes data protection very seriously.â
Butcher also wrote that Save the Children collects some data through ad trackers âto improve user experienceâ and that the organization is in the process of revamping its data retention policies and recently hired a new head of data.
March of Dimes and City of Hope did not respond to requests for comment.
State-Level Privacy Laws Miss Nonprofits
While health data is governed by HIPAA, and FERPA regulates educational records, there are no federal laws governing how websites track their visitors. Recently, a few statesâCalifornia, Virginia, and Coloradoâhave enacted consumer privacy laws that require companies to disclose their tracking practices and allow visitors to opt-out of data collection.
But nonprofits in two of those states, California and Virginia, donât need to adhere to the regulations.
Sen. Ron Wyden (D-OR), who has proposed his own federal privacy legislation, said that nonprofits accrue a large amount of potentially sensitive data.
âNonprofits store incredibly personal information about things weâre passionate about, from political causes and social views to which charitable causes we care about,â Wyden said in an emailed statement.
âIf a data breach reveals someone donates to a domestic violence support group or an LGBTQ rights organization or the name of their mosque, any of that information could be incredibly private.â
Nonprofit leaders, however, argue that they lack the infrastructure and funding to comply with privacy law requirements and must gather and share information on donors in order to survive.
âOne of the most substantive and impactful uses of data by nonprofits has been our fundraising,â said Shannon McCracken, the CEO of The Nonprofit Alliance, an advocacy group made up of nonprofits and businesses.
âWithout the ability to cost-effectively reach prospective new donors and current donors, then nonprofits canât continue to be as impactful as they are today.â
But purposeful or not, privacy experts say, nonprofits are feeding personal information to data brokers and tech giants like Facebook and Google.
âA nonprofit might share your phone number and name with LiveRamp. Tomorrow, a for-profit entity can then reuse that same data to target you,â said Ashkan Soltani, a privacy expert, and former chief technologist at the Federal Trade Commission. âThe data flows that go into these third-party aggregators and data brokers come often from nonprofits as well.â
Soltani, who was appointed executive director of the California Privacy Protection Agency on Oct. 4, helped draft the California Consumer Privacy Act, which was originally introduced with the nonprofit exemptions.
A nonprofit might share your phone number and nameâŚ. Tomorrow, a for-profit entity can then reuse the same data to target you.
Ashkan Soltani, California Privacy Protection Agency
Many major nonprofits work with data brokers to help organize and analyze their data, Jan Masaoka, CEO of the California Association of Nonprofits, said.
âPeople that have big donor lists use them extensively, pretty much all of them use one of the services,â Masaoka said. âThey donât keep it in-house, pretty much everybody keeps it with one of these services.â
She noted that Blackbaud is a company that nonprofits often turn to. The registered data brokerâs marketing material promotes a co-op database that combines donor data from more than 550Â nonprofits with public information on millions of households.
Blackbaud didnât respond to a request for comment.
Because of a lack of funds, nonprofits also rely on third-party platformsâwhich also happen to be data brokersâto manage their dataâs security and privacy, McCracken said.
But these kinds of companies arenât immune to cyberattacks either: Blackbaud disclosed a ransomware attack in 2020 in which hackers stole passwords, Social Security numbers, and banking information, according to a Securities and Exchange Commission filing.
Hundreds of charitable organizations, schools, and hospitals were affected, along with more than 13 million people, according to the Identity Theft Resource Center.
âThey rely on this kind of problematic ecosystem to achieve their work, and as a result, they share number lists, email addresses, or browsing behavior with third-party advertising companies and subject their members to risk,â Soltani said.
The Exception
Unlike its predecessors in California and Virginia, Coloradoâs privacy bill doesnât have an exemption for nonprofits.
In both California and Virginia, the billsâ main supporters gave nonprofits an exemption as a political maneuver. Alastair Mactaggart, a real estate developer and founder of Californians for Consumer Privacy, who was the driving force behind the California Consumer Privacy Act, said his proposal was already facing opposition from tech giants and didnât want a political showdown with nonprofits, too.
âYou gotta take the first step, so we figured this was the one that would be the easiest to bounce off,â Mactaggart said. âEventually, I hope that the big nonprofits are included as well.â
David Marsden, the state senator who introduced the Virginia Consumer Data Protection Act, echoed that sentiment, reflecting that the law wasnât perfect but still a good start.
âDoes this pick up everybody that it should, or exempt everybody who needs an exemption? Probably not, but it comes pretty close,â Marsden said. âWe were able, with this bill, to get it passed without people getting up and objecting to what we were trying to do.â
Colorado state senator Robert Rodriguez, who co-sponsored the stateâs privacy bill, said he didnât include an exemption for nonprofits because he felt that any entity that had data on more than 100,000 people should have to follow privacy protections. He also didnât understand why other states had exemptions.
âSomeone that has over 100,000 records is a good size,â he said in an email. âThey should have some protections or requirements to follow.â
Correction
This story has been updated to correct the title of Paul Butcher at Save the Children. He is the associate vice president of global digital strategy.
Written by: Alfred Ng and Maddy Varner
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.