The NonProfit Times - Privacy Grows into a Hot Nonprofit Topic
Originally published on January 1, 2005
By Robert Ford
[I was quoted in this article that tracks the implementation of HIPAA and other privacy issues. For a more detailed article on HIPAA implementation as it impacts medical providers, please see this Modern Healthcare article, as well as this detailed analysis by AHP.]
For God’s Love We Deliver (GLWD) in New York City, donor and prospective donor privacy is something that is taken very seriously.
It’s an issue that impacts nonprofits in both direct mail and online. “When we acquire a new donor, we give them the opportunity to choose not to receive any more solicitations from us,” said Thomas Daubert, manager of marketing and communications for GLWD. He is also the president of the Direct Marketing Fundraisers Association in New York City.
“We honor any donor’s request not to exchange the information that we have on file about them,” Daubert said.
Privacy is a hot button issue for nonprofits, whether the contact is by mail, telephone, over the Internet, in-person or from a special event. The NonProfit Times first featured the topic in the January 2000 issue. The information age has been hurtling forward since and so have privacy concerns and laws. Here’s what’s happened since that first story.
Opt-in, opt-out, phishing and cookies are a dizzying array of terms that can leave a donor’s head spinning. However, all those terms can be summed up in one concept – privacy – a word that creates headaches for nonprofits and, in some cases, costs hundreds of thousands of dollars to ensure.
Nonprofits wrestle with privacy issues every day, said Walter Sczudlo, executive vice president and general counsel for the 26,000-member, Alexandria, Va.-based Association of Fundraising Professionals (AFP). “We have to show our donors that we are protecting their privacy in everything we do.”
Internet fundraising has grown exponentially during the past five years. And, it has proven to be the Pandora’s Box of privacy issues, leaving unsuspecting donors concerned about possible identity theft.
Internet privacy was not even an issue five years ago, said Lindy Litrides, president of the Atlanta-based Litrides & Associates, a donor relationship marketing and privacy consulting firm. “The Internet was not that big in our lives then,” she said.
There was some talk about Internet privacy but it was not an issue, she added. At that point, it was more a “nuisance factor,” questions like “where did you get my email address,” and for the off-line world of direct mail, “where did you get my mail address?,” she recalled.
But while nonprofits have found success on the Internet, so too have unscrupulous individuals who are looking to part people from their money for less altruistic reasons.
One of the biggest fears potential online donors have is identity theft, said Carolyn Hodge, director of direct marketing for the San Francisco-based TRUSTe organization. TRUSTe is an online watchdog organization. The group has 1,500 nonprofit and for-profits registered, Hodge said. To become a member of TRUSTe and to be able to place its green logo seal of approval on a Web page, the applicant must fill out an extensive questionnaire and abide by strict consumer privacy guidelines.
Phishing and spoofing are the one-two punch for online identity thieves looking to get consumers to give up their credit card numbers, social security numbers, and passwords. A phisher will create an email that appears to come from a legitimate nonprofit, or create a Web site that appears to be legitimate, called spoofing, and attempt to get the person to answer the email or log onto the Web site and give up personal information, Hodge explained. Using the “spoofed” Web site or email to lure unsuspecting donors to give up their personal information is called phishing.
According to the Anti-Phishing Working Group (APWG) Web site, the most targeted sector is financial with retail the second most hit. In October, 73 percent of the reported attacks were on the financial sector and 7 percent on retail, according to the APWG. There have been few reports of nonprofits being targeted by identity thieves. However, Hodge said, donors see it happening in the for-profit sector and worry about the security of donating to charities online.
“We try to provide an additional assurance to the consumer that someone is watching their back,” Hodge said.
According to the APWG, an estimated 5 percent of those receiving phishing emails respond with their personal information.
But, Rick Christ, president of the Warrenton, Va.-based npadvisors.com, said phishing isn’t really a concern for charities because many of them don’t have enough visitors to their Web pages to inspire someone to go after donors’ information through emails or a spoofed Web site.
Data storage online is an even bigger concern, he said. “There is a lot of sloppiness out there,” Christ said. Too many nonprofits are keeping donor data online too long and not downloading it and securing it, he said.
When it comes to credit card information, he said credit card companies keep a tight rein on that type of information.
He compared a cookie to someone leaving a suit at a dry cleaner. They are given a ticket with a number on it that allows the dry cleaner to locate the suit when the customer comes to pick it up. A cookie works in the same way, Christ explained. It allows a Web site to know when that user is going onto the site. The cookie may contain information that will allow the user to automatically log in when accessing a site. It might also contain information that automatically lets the site see some personal information about the user, such as previous donations or areas of the site or organization that interest the user, Christ said. Very seldom do cookies, at least as nonprofits use them, permit the site to view the user’s personal information, he said.
To allay a user’s concern, Christ said that in addition to letting users know up front that the site wants to place a cookie on the computer, it should also give the user the option of not accepting the cookie.
In both the online and off-line worlds, nonprofits are permitting those who receive direct mail and email to opt-out from receiving it. There is also extensive talk in both realms to create opt-in programs.
Opt-out is the older of the two methods, in which a person receiving information, via either email or snail mail, can stop it. Every legitimate nonprofit Web site or direct mail solicitation will have either a telephone number or an address where someone who wishes to be off its mail list can call or write to opt-out.
Opt-out is an important part of donor privacy issues, Sczudlo said. The AFP believes that donors must have the right to opt-out from receiving solicitations, he added. “And, nonprofits must alert donors annually that they have the right to opt-out. They should not only do it when the donor comes on board,” Sczudlo said. A donor’s right to opt-out should be made clear on all nonprofit Internet sites and direct mailings, he said.
Five years ago, opt-in was just beginning to make an appearance. Opt-in policies require that a donor or potential donor indicate in some way that they want to opt-in and receive nonprofit solicitations.
Sczudlo said the AFP has some real issues with opt-in. The AFP has been working with various state attorneys general on the matter. As more states seek to strengthen consumer protection laws and consider opt-in as a solution, the AFP has been trying to get them to look at other possibilities, Sczudlo said. “They (the AGs) need to understand that opt-in limits a charity’s ability to balance the scales between a consumer’s right to protection and the charity’s ability to solicit donors.”
Many nonprofits also attach a privacy statement to their Web sites and solicitation mail detailing what they do with their lists and how they protect their donors’ privacy.
“It’s really not an issue if everyone follows the rules,” Litrides said. Most of the privacy issues, Litrides said, are in the online communication. “I haven’t seen it in the off-line world,” she added.
But, nonprofits are now giving consumers a choice, with opt-out and, in some cases, opt-in so that “they (nonprofits) are well prepared,” to deal with donor privacy issues, Litrides said.
Five years ago, the Health Insurance Portability and Accountability Act (HIPAA) wasn’t even on the radar screen for fundraisers at hospitals and their foundations. However, since 2003, HIPAA has hovered over healthcare fundraising.
Dealing with HIPAA, which outlines a patient’s privacy rights, is costing hospitals and their foundations hundreds of thousands of dollars and in some cases millions of dollars for compliance, said William C. McGinly, president and CEO of the Falls Church, Va.-based Association for Healthcare Philanthropy (AHP).
The act, adopted by Congress in 1996, did not begin to impact hospitals’ fundraising until 2003, when institutions had to begin to comply with its privacy standards. It was designed to stop the “fraudulent misuse of patient information by insurance companies,” said McGinly. Insurance companies were acquiring patient information and using that information to deny patients insurance coverage, he explained.
What started out as a “need to protect privacy,” ended up being “too sweeping,” and “made life so much more complicated,” for hospitals and associated foundations, McGinly said.
The gist of the law, at least the portion that affects healthcare fundraising, is that hospitals cannot target segmented fundraising mail to former patients without their express written consent. For instance, if a person goes into the hospital as a cardiac patient, the hospital’s fundraiser or foundation cannot target that former patient as having been in the cardiac care unit without his or her written permission.
The hospital and foundation can, however, do mass mailings to former patients soliciting donations, McGinly said. But, the mass mailings cost more to send than only segmented, targeted mailings. McGinly said the mass mailings resulted in lower gift amounts than segmented mailings although he did not have exact numbers.
More and more hospitals are hiring the additional staff necessary to go to patients and ask them to sign consent forms that will enable the institutions to solicit them. Despite this extra effort and additional cost, hospitals are finding that almost 50 percent of patients asked to sign a consent form refuse, McGinly said.
“When the public is asked about fundraising, they think it means a call during dinner time and don’t want to participate,” he said. Because of the restrictions, hospitals are losing “half of their grateful patients,” McGinly said.
Hospitals are also increasingly turning to sending out mass mailings of comment and questionnaire cards. They are asking former patients what their interests are and what services they look on favorably, McGinly said. That way former patients are “self-identifying,” so that “now the hospitals can direct market them.”
Chris Cloud, director of fundraising programs for the New York Weill Cornell Medical Center in New York City, said while the operations side of the hospital might have felt HIPAA’s financial impact, the fundraising side has not. When HIPAA went into effect in 2003, “we were terrified we would lose all of our donors, but it has not worked out that way,” Cloud said. The reason it didn’t work out that way, he added, was preparation. “We knew it was coming, put in a lot of work and began to put measures into place on the fundraising side that would enable us to be successful.”
Cloud said the fundraisers at the medical center wait for about six months after a patient has left the hospital and then solicit the former patient through direct mail and telephone calls using only basic patient information, such as age, address and basic demographic data, which the law allows.
The medical center also places fundraising brochures in waiting areas of each department so that waiting patients or their relatives can see what the center does and, in essence, opt-in to receive solicitation mail and calls. “So, we have been successful despite the HIPAA restrictions,” Cloud said.
Direct marketers that use the mail need to communicate to donors that they are treating the issue seriously and letting them know what they are doing to protect information, said Neal Denton, executive director of the Washington, D.C.-based Alliance of Nonprofit Mailers.
Identity theft, a big issue for online fundraisers, is also a major concern for direct mail marketers, Denton said. The fear is that the direct mail appeal, which might have personal information included, will be tossed out by the recipient without first being destroyed and identity thieves will get hold of it.
Much like their online brethren, direct mail includes detailed privacy statements explaining what the organization’s policy is concerning the use of a donor’s data. They also include opt-out information for those who would no longer want to receive the charity’s mailings.
To help protect a donor’s information, nonprofits using direct mail are keeping that information in secured files. In their privacy statements, charities also disclose how that information will be used and if it will be rented or traded for use by other organizations.
Do not call
While the national Do Not Call Registry has had a major impact on for-profit telemarketers, nonprofits are exempt from having to follow it. However, when Congress initially adopted it, there were some questions, mostly from individuals who signed up for it, questioning why they were getting calls even from nonprofits. But as people have gotten better educated about what organizations can and cannot call, there have been fewer concerns, Sczudlo said. In fact, telefundraising results have actually improved because of the lack of competition with for-profit firms, experts have said.
The Federal Trade Commission discussed creating a national Do Not Email list but has dropped the idea as being unworkable at this time.
Ethics questions are where Litrides said she has been seeing problems. She said she sees nonprofits “doing the right thing” when it comes to ethics. Unfortunately, Litrides said, the highly visible for-profit ethics cases “put questions into peoples’ minds.”
Nonprofits need to show the public that they are following standards and that they have the ability to monitor themselves, Sczudlo said. To that end, the AFP has a list of 18 ethical standards, which its members pledge to follow. “Donor trust is all we have,” he said, “and that must be maintained and protected. The charitable sector is based on trust. Once you lose it, it is difficult to regain it again. It is important to let donors know there are standards in the sector.”
Several of the ethical standards include: “members shall not disclose privileged or confidential information to unauthorized parties,” and “members shall adhere to the principle that all donor and prospect information created by, or on behalf of, an organization is the property of that organization and shall not be transferred or utilized except on behalf of that organization.”
What does the future hold for donor privacy? Organizations say that technology is advancing so quickly, especially in the online world, that they are having difficulty keeping up.
Looking at the future is not yet possible. It’s taking enough effort just to catch up to the present.
NPT staff writer Jeff Berger also contributed to this story
© Copyright 2006 Chris Cloud.
Last update: 9/5/2006; 8:37:19 PM.