Nonprofit websites trackers

It stands to argue that by now the overwhelming majority of Internet users are aware that their online activities are being tracked. Analytics scripts, cookies, and tracking pixels are all over the Internet, ready to phone home at every mouse click. Perhaps many don’t understand the technology that enables this tracking, but they nonetheless know they’re being tracked. They know the websites they visit can track their every click (analytics); they know that marketers are following them around the Web (cookies); they know their emails may not be as private as they would want (tracking pixels).

So nothing new under the sun here. Again, most users expect this behavior from commercial websites/applications. But one place some internet users don’t assume they’re being tracked is on non-profit websites. That’s probably because online tracking is tied to monetization, which is important to a commercial entity but not to a non-profit organization.

As it turns out, that assumption is wrong.

Should nonprofit sites be different from commercial sites?

Before we get into why nonprofit websites should not engage in the same practices as their commercial counterparts, let’s start by saying that neither would occur in an ideal world. The fact that a company is for-profit doesn’t suddenly make all that user tracking OK. It’s just expected behavior given our current state of affairs as a society. It isn’t suddenly “moral” because you’re profit-driven. All this data collection is concerning, regardless of whether you’re a commercial entity or a nonprofit.

However, nonprofits are nonetheless different from businesses in that they tend to collect even more sensitive data due to the nature of their mission(s).

Think about it. Nonprofits can be affiliated with religious organizations, political activism groups, dissidents, environmental militants, health care (physical, mental, reproductive), sexual orientation and gender support, etc. In a nutshell, charities go hand-in-hand with very intimate details about our lives, lifestyles, and beliefs. So the harm that can follow will be more significant than paying a bit more for your sneakers.

Let’s take reproductive care. In a post-Roe world, nonprofit organizations working in the reproductive rights space may be compelled to provide the data collected on their website visitors to law enforcement, and that data could be used to prosecute abortion providers and seekers. The same is true for political, religious, environmental, or LGBTQ+ activists.

The harm that can follow could be life-crippling.

A few general numbers

In 2021, The Markup, which describes itself as a nonprofit newsroom that investigates how powerful institutions are using technology to change our society, conducted a study to determine how widespread trackers were on nonprofit websites.

It used its Blacklight tool – which is public and scans websites for trackers – on over 23,000 websites belonging to nonprofit organizations and the results were staggering. They found that 86% of the scanned nonprofit sites included third-party cookies or tracking network requests. 86% is a lot. Surely commercial websites are much worse, right?

Wrong. The Markup did the same exercise on the top 80,000 websites in 2020, and as it turns out, 87% of those used some third-party tracking. So it looks like the “good guys” are just as bad as the “bad guys” in this arena.

If we drill down into those numbers a bit deeper, we gain the following insights:

  • Of the 23,856 nonprofit websites scanned, 11% embedded a Facebook tracking pixel into their site.
  • 18% of the 23,856 nonprofit websites used the Google Analytics “Remarketing Audiences” feature – which draws a list of cookies or mobile-advertising IDs that the site owner may want to retarget because Google’s behavioral tracking algorithm considers them likely to “convert” (i.e., make a purchase).
  • Of all the nonprofit websites scanned, 439 used session recorder scripts.
  • 89 of 439 nonprofit sites that used session recorder scripts focus on mental health and crisis intervention issues.

Below is a screenshot of The Markup’s Blacklight tool. It highlights the following:

  • Save the Children, a humanitarian aid organization founded over 100 years ago, had 26 ad trackers and 49 third-party cookies.
  • March of Dimes, a maternal and infant care nonprofit started by President Franklin D. Roosevelt, had over 31 ad trackers and 58 third-party cookies on its site.
  • City of Hope, a California-based cancer treatment and research center, had 25 ad trackers and 47 third-party cookies.

Nonprofit Tracking - Backlight Tool

The issue is worldwide. Sean McGrath, co-directed a study on this very question for UK-based nonprofits – and the results were eerily similar.  

The Planned Parenthood example

Throughout its study, The Markup scanned Planned Parenthood’s website. The result? The scan detected 28 ad trackers and 40 third-party cookies used to track site visitors. It also found several session recorder scripts that can record visitors’ mouse movements, clicks, and keystrokes. That’s not a typo – these scripts can record your keystrokes. In a post-Roe world, that’s not just invasive; it’s a liability. If that weren’t enough, the site also included trackers from Facebook and Google, informing the tech giants if users visited the site.

Planned Parenthood’s website was found to communicate with companies that have forged a lucrative business model of collecting and selling people’s private information as part of their activities (or as their sole activity). These are:

  • Oracle
  • Verizon
  • LiveRamp
  • TowerData
  • Quantcast

In a statement, Planned Parenthood’s vice president for digital products said that the data was only being collected for internal purposes and that it didn’t sell any of it to third parties. However, while it may be true that Planned Parenthood doesn’t sell its collected data to anyone, that defense still makes no sense. The website uses third-party trackers to turn traffic patterns and user behavior into insights, and those insights are provided by the third-party trackers themselves. Hence, those third parties already have the data. There’s no need to sell them anything, but the odds are high that these third parties will sell or rent their data to the highest bidder.

Skibinski did not dispute that Planned Parenthood shares data with third parties, including data brokers.

Why do nonprofits engage in user tracking?

That’s a good question. And there are several possible answers.

They may not even know about it

This one may seem strange, but given that many organizations, if not most, outsource their website development, they may not be aware of the number or the identity of trackers embedded in the site. Add to that the number of application programming interfaces (API) typically used to build modern websites, which may well include trackers. You have a good chance that many working for the nonprofit will simply be unaware that this is happening.

Also, some nonprofits might embed website elements that perform a legitimate task or service but also happen to contain a tracker. Facebook Like/Share buttons and Google Analytics come to mind.

It’s just to sell you stuff

While product and service marketing is undoubtedly one of the main reasons all this tracking is occurring, that’s only part of the story. Data is data is data and that data, even if it was initially collected for marketing purposes (i.e., to sell you stuff), can be (and is) repurposed for law enforcement, banks, insurance companies, political campaigns, hacker collectives, etc. Many are those who disregard the second part of the equation. In focusing only on the marketing aspect, they convince themselves that it’s innocuous.

Additionally, donations are critically important to nonprofits and folks who donate once are more likely to donate again moving forward. So retargeting those people becomes crucial for nonprofits – and it takes user data to do that.

Some nonprofits may need additional revenue streams

Nonprofits are organizations that are on not-for-profit missions. And in many cases, they’re chronically underfunded. Many might be tempted to supplement their budgets by collecting and selling valuable user data.

Competing with for-profits

Some nonprofits feel they need to engage in the same kind of tracking practices as their commercial counterparts to remain competitive. Suppose the nonprofit renounces data collection while a competing for-profit organization obtains highly detailed data on the same visitors. In that case, there’s a good chance the for-profit organization will “steal” the visitor from the nonprofit.

Tracy Pavel, vice president of development and community relations at Gateway Rehab, one of the nonprofits embedding session recorders into its site, stated the following to The Markup.

“As a nonprofit ourselves, we are up against for-profit providers with large advertising budgets as well as the addiction treatment brokers who grab those seeking care with similar online advertising tactics and connect them with the provider who is offering the greatest ‘sales’ compensation. Additionally, we know user experience has a big impact on following through on treatment. When someone is ready to commit to treatment, we need to ensure it [is] as easy as possible for them before they get frustrated or intimidated by the process.”

What can you do about it?

Unfortunately, there isn’t much you can do because user tracking is ubiquitous and indiscriminate – it just happens to anyone and everyone who visits the website. But you can still somewhat mitigate the issue in a few ways.

Use an ad and tracker blocker

While not 100%, this is probably one of the best defenses you can use. Ad blockers are available on every platform and for every web browser available. Ad blockers contain lists of known ad networks and trackers. Anytime an ad or tracker on the list attempts to resolve a connection to your device, it will be blocked. That should take care of most of the trackers on nonprofit websites (and any other website as well), but bear in mind that it’s unlikely to block them all. New ad and tracker domains crop up daily, and the block lists must be constantly updated. Using an ad blocker is something I would recommend to everyone – even outside the scope of this article.

Use a VPN

Another way to mitigate the issue is to use a VPN so that you encrypt your traffic (in transit) and spoof your location. Also, some VPN providers include an ad and tracker blocker in their subscriptions, so you might be able to hit two birds with one stone. Keep in mind that if you supply any information about your true self to the website you’re on, VPN or not, you’ll be identifying yourself.

Use your browser’s “incognito” mode

Along with using a VPN, you should set your browser to “incognito” mode or “private browsing” – the name of the feature differs from browser to browser – but the functionality is the same. When you enable private browsing, your web browser will delete your history and your cookies as soon as you close your browser. That makes it much harder for third parties to track your activities across the web.

Use Tor

Tor, which stands for The Onion Router, is a free, open-source, volunteer-run network of over 7,000 relay nodes. When you use Tor, your traffic is encrypted and bounced over three to five nodes, making it much more difficult to identify a particular user. If you’re simply looking to gather information on the different services a nonprofit provides, using Tor can enable you to do so anonymously. As with VPNs, if you supply identifying information to the website you’re visiting over Tor, you will de-anonymize yourself.

Wrap up

So it looks like the “good guys” are playing the same game as the “bad guys.” It’s a shame and highlights a few things about how the Internet has evolved in catering to marketers and business interests. Today, those databases are not just being used by marketers and click peddlers but by governments, banks, insurance companies, health care providers, political organizations, hackers, etc. It’s a mess and, unfortunately, nonprofits are part of that mess.

Until we get strong legislation regulating all this data collection, we’re stuck with this Far-West data collection philosophy, in which pretty much anything goes. So long as visiting a website is taken as consent to its collection practices (whatever they may be), there isn’t much we can do beyond what’s listed above except not visiting the website in the first place. But for those in need, that’s not going to be a viable option.

Hopefully, governments will eventually step in and fix this problem. Until then, follow the above advice and try to keep as much of your data to yourself.