Privacy Best Practices for Campaigns
Information about individuals drives modern campaigning. Indeed, the ability to collect and use personal information about voters and the issues they care about is crucial to structuring a targeted campaign message. At the same time, in this data driven world, individuals are paying increased attention to how their personal information is being collected and used. Accordingly, although non-profit organizations, are generally exempt from most privacy laws, we recommend that everyone—including campaigns-- implement privacy best practices to ensure that voters are informed as to how their personal information will be collected and used by a campaign and to provide assurances that campaigns are taking reasonable steps to protect their information.
Below are a few privacy disclosure and data security best practices for campaigns.
Create a Privacy Policy. When you collect information online–either through a website or app—use a privacy policy to keep your visitors informed about what personal information you are collecting about them and how you are using that personal information. Tell users what information you are collecting about them directly (such as when they sign up to receive emails about campaign events) and indirectly (such as when your campaign uses analytics to track which pages of your website are most visited or uses tracking cookies to send targeted ads to voters across multiple websites). Next, be upfront about how your organization is using this personal information. Will you use it to send them emails about the campaign, to create targeted social media messaging, to request campaign donations? These are all valid reasons and in line with what someone visiting a campaign’s website should expect–but they should be disclosed. Lastly, make sure your privacy policy explains how you may share the individual’s personal information. Are you sharing it with other campaigns, with PACs, with the national committee? It is a best practice to tell voters how their personal information may be shared. Make sure your privacy disclosures accurately reflect your campaign’s actual privacy practices. While the FTC does not have authority over non-profits organizations, there may be other consequences if a campaign’s stated privacy practices are judged deceptive because they don’t reflect actual practices.
Be Thoughtful about Data Security. Evaluate your data security practices to ensure that they are reasonably designed to protect against unauthorized access of the personal information that you have collected about your supporters. In addition to protecting the individuals who provide you their information, security measures up front help to protect against the significant reputational costs of security breaches.
Hold Your Vendors/Service Providers to High Standards. When you share personal information with vendors or service providers—to send out email alerts, process donations, or run analytics on your website—hold your vendors and service providers responsible for the personal information you share with them. Have a written contract in place that sets out your requirements. Require that they have appropriate data security measures in place. Restrict these providers from using the personal information you have shared with them for any reason other than the job you have asked them to do and require that they delete the information once that job is done.
Personal information can help drive a focused campaign that helps voters invest and commit to an election or a cause. To ensure your use of personal information doesn’t leave those voters disenchanted, tell individuals how you collect, use, and share their data. Protect their information and ensure anyone you share the information with does the same. If you have any questions about privacy and data security best practices, please contact our privacy team for assistance.