Nonprofit Organizations and Privacy: Responsible Mailing List Management

Nonprofit Organizations and Privacy: Responsible Mailing List Management

Presentation by Beth Givens
Marketplace of Ideas conference
Hosted by San Francisco Nonprofit Support Center


I'm going to talk for just a bit about privacy public opinion and trends, and then launch into what we at the Privacy Rights Clearinghouse think are some do's and don'ts for nonprofits in handling mailing lists and other personal information.

Consumer advocates say that privacy is THE consumer issue of the 90s. We would not dispute that.

  • A 1994 Louis Harris Poll found that 84% of respondents were very or somewhat concerned about privacy issues. This is up from 67% in 1978.

  • Nearly 80% of survey respondents say that "consumers have lost all control over how personal information about them is circulated and used by companies." 53% agree that "technology has gotten out of control."

And by the way, when I am talking about privacy, I am referring to informational privacy -- the extent to which we can control the use of our personal information -- how it is released, who has access to it, how it is used and so on.


The number one topic of complaint on our hotline is unwanted mail, this year totaling about 1/3 of our calls. [This speech was given in 1995.] When we ask people what type of mail they most want to get rid of, most say all of it, and of the remaining, about 1 in 6 complain about unwanted solicitations from nonprofit organizations.


We got a call from a woman who had written over 2,000 letters in the past couple years, asking to be taken off various and sundry mailing lists. She kept detailed records of all her correspondence and its effect. The one entity that was the most troublesome to her was a nonprofit organization -- she wrote it 18 times to no avail. It was the Republican National Committee.


What are some of the results of not taking name removal seriously? Of course, there is always negative public relations. Another is the land fill problem -- solid waste. But one that may not be considered, until maybe too late, is the threat of government regulation.


In just the past two years, the legislatures in the states of Hawaii and Illinois have considered legislation that would have required nonprofits to undertake costly and cumbersome mail reduction practices.


A law that passed in Hawaii would have required a nonprofit to get its donors' permission before giving their names to other nonprofits - this is what is called an "opt in" provision. We hear that work was done after the fact to lessen its onerous impact. As Max Hart said -- the director of fundraising for the Disabled American Veterans -- "if other states adopt similar language, we'll be out of business."


In Illinois, a bill was proposed that would amend the state's Solicitation for Charities Act to state that no organization could rent, sell or exchange a list of donors unless everyone on the list consented to have their names and addressed used in this manner. The author of the bill said that its purpose was to thwart fraud. Apparently, this bill is not moving forward. But you can see what kind of impact this would have on your operations if such a bill were passed in California.


What I would like to toss out for your consideration are two ways of looking at and dealing with the personal information that you handle everyday in your work as nonprofit organization:

  • set of privacy principles called the fair information practices

  • responsible information handling practices

Background on Fair Information Practices

In 1973 the U.S. Dept of Health, Education and Welfare studied the impact of automation on medical records privacy. The people involved in the study were concerned that a knee-jerk reaction to the fears of computerization would close off the beneficial aspects of their use.


So they developed what they called the code of fair information practices. They wanted to create an environment where reasonable uses of data would be allowed.


Here, in a nutshell is that code. It has been expanded upon and adapted for different uses since the early 1970s, but all variations have the same basic tenets: notice, access, disclosure of secondary uses, error correction, and security of data.


1. No secrets. There must be no personal recordkeeping systems whose very existence is secret.


2. There must be a way for an individual to find out what information about him is in a record and how it is used. I call these the NOTICE and ACCESS provisions.


3. There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his/her consent.

This is what is called the SECONDARY USE principle. It is probably the most relevant of the fair information practices to the work of nonprofits who rent or exchange their mailing lists with other organizations.

The primary use of compiling membership data is so you can keep in touch with your members. A secondary use is renting the list to other organizations for the purpose of either getting some revenue to support your work or exchanging lists with other organizations for prospecting for new members.

I will go into more detail about working with this principle in a few moments.


4. There must be a way for an individual to correct or amend a record of identifiable information about him.

While this principle has relatively little application to nonprofits, there are some instances where it does. We have received calls from people who are upset, even irate, about getting solicitations that don't relate to them, for example, solicitations from the Republican or Democratic party, when that is not their political affiliation. Many people complain about continuing to get unwanted mail for their deceased spouse or parent, after they've notified the entity many times not to contact them.


5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

I call this the SECURITY principle and will go into more detail in just a moment.


In short, what the adoption of fair information practices means for any marketers who rely on lists, whether in the private or nonprofit sectors, is the following:

  • Use of a mail suppression system for deleting the names of members who so request it from mailing lists that are rented/exchanged with other organizations -- even going so far as to suppress names of nonmembers who have contacted you to have their names removed from lists you use which have been obtained from other organizations.

  • This also means the use of an "opt out" statement on the reply devices of solicitations, and I'll suggest some wording in just a moment.

  • Keeping your mailing lists in a secure environment.

So far, I've been talking about the importance of adopting the privacy code called the fair information practices.


We at the Privacy Rights Clearinghouse also stress the need for organizations to adopt what we call responsible information handling practices. Let me start this section of the presentation with a story from our hotline.


We received a call from a woman who had spent several thousand dollars to join the Great Expectations Dating Service. She asked if the mailing list information and other information they would be gathering on her would be held in strictest confidence. They assured her it would.


A few months later, she started getting solicitations from other dating services in the area. She thought this was odd, because prior to joining Great Expectations, she had not received such mail. She contacted Great Expectations and asked if they had sold their mailing list. They admitted to her that they had fired someone who walked off the premises with their computerized list, who then proceeded to sell it to other dating services.


We would call this an example of irresponsible information handling. It also violates fair information privacy guideline number 5, which is the SECURITY principle.


This situation could happen just as easily to a nonprofit. You can see how important it is to hold your membership AND employee and volunteer records in a secure environment, especially for nonprofits that work in controversial areas -- such as gay rights, reproductive choice, and even environmental issues. Such nonprofits are likely to be infiltrated by people on the opposite side of the fence who would like nothing more than to obtain computer disks of key organizational information. It HAS happened.


Our fact sheet number 12, "Checklist of Responsible Information Handling Practices," has many additional tips. Let me go over just a few of these.

  • Recycling: When you toss paper which contains personally identifiable information on it into the recycling bin, has it been shredded? Or is a locked bin used for such materials?

  • When disposing of diskettes or hard drives containing names and addresses, do you physically destroy them, or at least use a strong "wipe" program to delete the contents?

  • If you work in a sensitive area, say gay rights or abortion rights, do you avoid using cordless and cellular phones when discussing strategy matters or when personal names are used?

The Checklist contains many more such tips.

I want to conclude by reviewing a checklist I've prepared especially for nonprofits -- what you can do to adhere to fair information practices guidelines and practice responsible information handling. Then we'll open this up for questions and discussion.


Privacy Checklist for Nonprofit Organizations

1. Does your organization acquire mailing lists for fundraising solicitations? If yes, from what sources? Are the lists rented or exchanged, or both? Does the source of the list purge the people who don't want their names released before giving you the list?


2. Do you use a mailing service bureau which subscribes to the Mail Preference Service data base? This is the suppression service of the Direct Marketing Association. For more information, see the web site,


3. Do you include a disclosure statement with an "opt-out" check-off on solicitation forms (reply devices) regarding the rental/exchange of mailing lists?


Example: "We occasionally rent our mailing list to other nonprofit organizations as a way of raising extra money to support [organization name] services. If you do not your name provided to other organizations, please let us know."


4. Do you maintain an in-house suppression list of members who do not want their names released on mailing lists made available to others?


Do you maintain an in-house list of others (nonmembers) who have indicated they do not want mailings from your organization? These might be people who have received solicitations from lists you have rented from other organizations.


Alternatively, when nonmembers contact you asking that you take them off "your" mailing list, have you established a procedure to inform them of the sources of the mailing lists providing their names to you? For example, Save-the-Redwoods League sends a postcard to nonmembers who have requested to be taken off their mailing list which indicates the name of the organization which supplied their list. Here is a portion of the text from its postcard:


"If you want to reduce the amount of mail you receive, you should contact the organizations which have your name on their mailing lists and ask that they not exchange your name. The label which you sent was from the Greater Yellowstone Coalition. We will be happy to identify the source of any mailing you receive from us."


5. Do you work with a list broker who rents or exchanges your list to other organizations? Have you established a policy that clearly defines the categories of entities that you will and will not rent/exchange your list with? Have you communicated that policy to the list broker in writing?


6. When you rent or exchange your organization's list, do you enter into a nondisclosure agreement with the list acquirer? Such agreements state that the user will not disclose, transfer, duplicate, reproduce or retain the list. Do you"seed" the list with "decoy" names in order to catch unauthorized list usage?


7. Do you do any fundraising solicitations by telephone? Do you contract with an outside telemarketing service to make the calls?


If yes, do you and/or contractor use the Telephone Preference Service and/or an in-house suppression list to screen out those who do not want to be reached by phone?


Do you have a procedure to deal with people who want to be taken off the calling list, such as a printed form?


Federal law requires that private sector businesses maintain "do not call" lists of people who have indicated they don't want any further contacts. This law, the Telephone Consumer Protection Act, does not apply to nonprofits. However, I do think it important that nonprofits maintain the same kinds of lists, just as good organizational practice.


8. What means do you use to ensure a secure environment for your own mailing list (precautions against theft, unauthorized access and release)?


If your organization has a need to safeguard the privacy of members and employees (for example, if you work in the area of gay rights or reproductive choice), be especially careful regarding the security of mailing lists and employee records.


9. Do you assign responsibility for privacy and security practices to one individual or department?


10. Do you conduct training sessions on a regular basis with your employees, volunteers and contractees regarding information-handling practices?


Do you ask your employees, volunteers and contractees to sign a nondisclosure agreement?


11. Have you discussed responsible information-handling practices with the board of directors? Have you developed a privacy policy?


Are there any practices that you might add to this list?



Disclosure statement printed at bottom of solicitation letter, by Disabled American Veterans

We occasionally rent our mailing list to other organizations as a way of raising extra money to support DAV services. If you do not wish to participate in this program, please let us know.


Postcard sent by Save-the-Redwoods League to someone who has asked to be removed from the mailing list:

We cannot remove your name from the Save-the-Redwoods League's mailing list because your name is not on the League's mailing list. When we use another organization's list to contact potential new members, we can only remove current League members from that list.


If you want to reduce the amount of mail you receive, you should contact the organizations which have your name on their mailing lists and ask that they not exchange your name.


The label which you sent was from the Greater Yellowstone Coalition. We will be happy to identify the source of any mailing you receive from us.


[alternate last paragraph]

If you send us the mailing label from the Save the Redwoods League mailing which you received, or give us the code number from that label, we will be happy to identify the source of the mailing for you.