What Arts Nonprofits Should Know About Data Privacy and Security

Nonprofit arts organizations’ relationships with their patrons are built on trust. This is what encourages loyal attendees to willingly supply their contact information for updates from the organization and drives donors to entrust the organization with their credit card information. In recent years, because of large, for-profit tech companies’ public scrutiny for their handling of consumers’ data, the general public has gained a heightened sense of concern about where the data they provide throughout their internet use—birthdays, addresses, credit card numbers, the websites they visit—go and how companies use them. People have begun to consider what society will look like if this type of monitoring and collection continues unchecked, raising concerns about widespread data collection leading to a system of surveillance capitalism in which personal behaviors are increasingly commodified. This concern has seeped into consumers’ interactions with nonprofit arts organizations, increasing their expectations regarding how organizations inform them about how their data is collected, used, and safeguarded.

For companies, this data is enormously helpful for improving targeted marketing and profitable when sold to third-party companies. So, collection continues even at the risk of declining trust. For nonprofits, however, maintaining trust is vital for survival since a loss of trust can result in a loss of their largest source of income: donations. Therefore, nonprofit arts organizations should be aware of how changing data privacy practices and policies affect consumers’ expectations.

In a survey of 467 nonprofit professionals, EveryAction and Nonprofit Hub found that 90% of nonprofits are collecting data, but that 49% of surveyed nonprofit professionals did not know how it was collected. While data clearly plays a large role in nonprofit arts organizations’ operations, few have concrete policies and procedures that guide its collection and use. In the context of changing policies about data privacy and increased risk of cyberattacks, this is a dangerous place for nonprofit arts organizations to be in. This article will summarize considerations in areas pertinent to these organizations.

Nonprofit Data Collection

Figure 1: The percentage of nonprofit's that claim to be informed about their data collection. Source: Chart created by Author from EveryAction and Nonprofit Hub.

Rules that already guide nonprofits

Some policies that nonprofit arts organizations are already required to comply with include Payment Card Industry Data Security Standards (PCI DSS), which are the “technical and operational standards” that organizations must follow to protect customers’ credit card data. If an arts organization is using credit cards for purchases or donations, they are required by the Federal Trade Commission to provide a base level of security to protect patrons’ from having financial account information stolen. PCI DSS includes six major objectives, 12 key requirements, 78 base requirements, and over 400 test procedures.

For nonprofits using an e-commerce package or online donation system, these standards are already met by the company providing the platform. Organizations that outsource all payment processing to a third party fall into the SAQ-A category of PCI compliance. Because these organizations never touch cardholder data, the only things they need to do to maintain security are to destroy any paper copies of cardholder data and ensure that vendors are PCI compliant by getting it in writing or a screenshot. Nonprofits that have a system in which most payment processing is outsourced, but at some point credit card information goes through the nonprofit’s site or server, are classified as SAQ-EP and must follow more requirements that can be found here. Transactions made using PayPal’s PayFlow or Authorize.net would fall into this category. To avoid grey area, NTEN recommends changing structures to fall into the SAQ-A category.

Recent policy changes

In recent years, governments have begun to enact policies to unify consumer data privacy standards. In 2018, the General Data Protection Regulation (GDPR) went into effect in the European Union, creating the world’s strongest data protection rules. One of the biggest differences between the GDPR and the previous Data Protection Act is the emphasis on consumer consent. The GDPR requires any organizations—for-profit or nonprofit—that are controlling or processing personal data to provide clear privacy notices that inform individuals that they are providing personal data that may have an effect on their privacy. Additionally, this notification cannot come in the form of an “opt-out” statement in which the default option is consent. The GDPR specifies, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement ... Silence, pre-ticked boxes or inactivity should not therefore constitute consent.” Under the GDPR, consumers should be free to revoke this consent at any time.

While this European policy may not seem like it would be relevant to arts nonprofits operating in the United States, it instigated a wave of new conversations and considerations regarding consumer privacy. Additionally, many arts nonprofits are not fully isolated from this policy: orchestras that go on tour, for example, would need to be aware of how their operations must comply.

Recently, similar privacy policies have made their way to the United States. The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020 and is similar to the EU’s GDPR in that it guarantees consumers the right to know what data is being collected, allows consumers the right to opt out of data collection, and gives consumers the right to delete all their private data. The scope of who is restricted under this policy, however, is narrower. The CCPR applies to any for-profit entity doing business in California that meets one of the following:

  • Has a gross revenue greater than $25 million

  • Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes

  • Receives 50% or more of its annual revenues from selling consumers’ personal information

(For a more detailed comparison, see Table 1 below.)

Even though the CCPA does not apply directly to nonprofit organizations, it can affect outside data sources from which nonprofits get information. Additionally, it sets the standard for consumers’ expectations when they provide personal data, regardless of the organization’s status as a nonprofit or for-profit entity. Since nonprofits want to maintain the highest level of trust from their patrons, they should implement policies and practices that align with these standards. It will not take long for other states to implement similar policies. As this article is being published, New Jersey legislators are proposing a similar bill to tighten data privacy regulations. If your organization operates across multiple states, complying with policies such as these is something you should prepare for. Now is a good time to start looking at how similarly positioned organizations have adapted.

Figure 2: A comparison of the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Source: Laura Jehl and Alan Friel.

Figure 2: A comparison of the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Source: Laura Jehl and Alan Friel.

Data security

In addition to complying with regulations for collecting data, organizations also need to take appropriate measures to protect that information. If a patron has chosen to consent to some level of data collection, they are putting their trust in the organization to only use their data as it said it would and keep it safe otherwise. Both the GDPR and the CCPA include requirements for data security to protect individuals’ personal data. Right now, however, not all nonprofits have strong cybersecurity measures in place. A study conducted by NTEN in 2018 found that 38.8% of nonprofits do not have a policy that identifies how their organization handles cybersecurity risk, equipment usage, or data privacy.

38.8% of nonprofits do not have a policy that identifies how their organization handles cybersecurity risk, equipment usage, or data privacy.
— NTEN

Nonprofit arts organizations are far from being immune to security breaches. For museums, for example, there is concern about hackers accessing online databases that include information about upcoming donations of art, which could lead criminals to where the art is currently located. Additionally, museums’ and other cultural institutions’ ties to wealthy donors make them attractive targets. To protect against cyberattacks, Tyler Cohen Wood, a cyber security consultant and former cyber deputy chief of the defense intelligence agency, advises that arts organizations have up-to-date intrusion and malware protection on their systems in addition to having proper employee training since many ransomware attacks are introduced over email. Another step is not keeping an organization’s most sensitive information, like personal data, where it is accessible to anyone who gains access to a computer. It should be segmented off from the regular network and password protected.

For nonprofit organizations, there is, of course, the consideration of how to fund necessary security measures. Some steps have been taken to solve this, mostly aimed at human rights nonprofits. Starting in 2016, Jigsaw, the technology incubator of Alphabet, Inc., started offering free distributed denial-of-service mitigation tools to organizations dealing with media, elections, and human rights. (Distributed denial-of-service (DDoS) attacks aim to paralyze a computer network by flooding it with data.) Beginning in 2018, philanthropic organizations such as the Ford Foundation and the MacArthur Foundation began recognizing nonprofits’ need for cybersecurity funding. The Ford Foundation hired six full-time technology fellows to work with grantmakers to help them think about the technological needs of funded organizations. The foundation has also turned some of its focus to long-term grants that help fund operational needs, which includes digital security.

Looking forward

With the changing landscape of data privacy in the United States, arts nonprofits should be aware of new policies that could affect them and steps they can take to make their organization more secure. While there are currently no national policies affecting nonprofit arts organizations, what consumers expect regarding data protection is growing because of policies that are setting the norm for for-profit companies and organizations in other places. Maintaining good practices with data privacy, such as making a publicly available privacy policy, lays the foundation of trust between organizations and their patrons. Since arts organizations are currently being affected by the COVID-19 outbreak and going more online, it is an especially pertinent time to evaluate data privacy and security measures. As board meetings are taking place in Zoom instead of in conference rooms and taking visitors’ temperatures has become the job of some museums, arts organizations need to be even more prepared to protect patrons’ privacy in a data-driven future.

Sources

Bastide, Kelly Demarchis and Shannon K. Yavorsky. “Europe’s New Data Law: What Nonprofits Need To Know To Prepare For GDPR.” The Non-profit Times 32, no. 1 (February 2018): 15. http://link.gale.com/apps/doc/A531862275/AONE?u=cmu_main&sid=zotero&xid=e2a10f37.

"California Becomes First State to Strengthen Consumer Data Privacy Protections." PR Newswire, June 28, 2018. Gale General OneFile (accessed March 7, 2020). https://link-gale-com.proxy.library.cmu.edu/apps/doc/A544654399/ITOF?u=cmu_main&sid=ITOF&xid=ba5018c9.

Cascone, Sarah. “Hackers Saw the Asian Art Museum of San Francisco as Ripe for Ransom Attack. Are Other Cultural Institutions Next?” ArtNet News, July 22, 2019. https://news.artnet.com/market/hackers-attack-asian-art-museum-san-francisco-1604188.

"GDPR." In A Dictionary of the Internet, edited by Ince, Darrel. Oxford University Press, https://www.oxfordreference.com/view/10.1093/acref/9780191884276.001.0001/acref-9780191884276-e-4753.

"Good Practice: Fundraising - GDPR should You be Afraid?" Third Sector (May 01, 2017): 42. https://search-proquest-com.proxy.library.cmu.edu/docview/1914194299?accountid=9902.

Hulshof-Schmidt, Robert. “State of Nonprofit Cybersecurity.” NTEN, 2018.

Janofsky, Adam. "Resource-Strapped Nonprofits Fight Cyberattacks from Governments and Hacktivists." WSJ Pro.Cyber Security (Jul 26, 2018). https://search-proquest-com.proxy.library.cmu.edu/docview/2171154435?accountid=9902.

Jehl, Laura and Alan Friel. "CCPA and GDPR Comparison Chart." Thomson Reuters, 2018. https://www.bakerlaw.com/webfiles/Privacy/2018/Articles/CCPA-GDPR-Chart.pdf.

Lamanna, Kevin. “DIY PCI compliance: What nonprofits need to know to protect their donors.” NTEN Connect, March 14, 2018. https://www.nten.org/article/diy-pci-compliance-nonprofits-need-know/.

Laybats, Claire, and John Davies. “GDPR: Implementing the Regulations.” Business Information Review 35, no. 2 (June 2018): 81–83. doi:10.1177/0266382118777808.

Lehtiniemi, Tuukka and Jesse Haapoja. “Data agency at stake: MyData activism and alternative frames of equal participation.” New Media & Society 22, no.1 (January 1, 2020): 87-104. doi:10.1177/1461444819861955.

McCarthy, John. “Over 90% of users consent to GDPR requests says Quantcast after enabling 1bn of them.” The Drum, July 31, 2018. https://www.thedrum.com/news/2018/07/31/over-90-users-consent-gdpr-requests-says-quantcast-after-enabling-1bn-them.

Micali, Mark. "AN UPDATE FOR NONPROFITS ABOUT FEDERAL PRIVACY LEGISLATION." NonProfit Pro 17, no. 3 (May 2019): 24. https://search-proquest-com.proxy.library.cmu.edu/docview/2246858036?accountid=9902.

Naughton, John. “’The goal is to automate us’: welcome to the age of surveillance capitalism.” The Guardian, January 20, 2019. https://www.theguardian.com/technology/2019/jan/20/shoshana-zuboff-age-of-surveillance-capitalism-google-facebook.

Nouwens, Midas, Ilaria Liccardi, Michael Veale, David Karger, and Lalana Kagal. “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence.” Cornell University, January 8, 2020. https://arxiv.org/ct?url=https%3A%2F%2Fdx.doi.org%2F10.1145% 2F3313831.3376321&v=d078414d.

Parker, Ian. “Yuval Noah Harari’s History of Everyone, Ever.” The New Yorker, February 10, 2020. https://www.newyorker.com/magazine/2020/02/17/yuval-noah-harari-gives-the-really-big-picture.

"Parsons Behle Lab Launches Automated Software That Generates Legal Documents to Comply with GDPR." PR Newswire, March 27, 2018. Gale Academic OneFile (accessed February 16, 2020). https://link-gale-com.proxy.library.cmu.edu/apps/doc/A532398427/AONE?u= cmu_main&sid=AONE&xid=a5895e64.

Pugliese, Anthony. "Privacy is a Priority." California CPA 88, no. 5 (11, 2019): 4. https://search-proquest-com.proxy.library.cmu.edu/docview/2321818370?accountid=9902.

Sorrell, Karen L. “Cyber Attacks on Nonprofits: ONE DATA BREACH CAN COMPROMISE A CHARITABLE ORGANIZATION’S DONOR DATA AND PUT THE NONPROFIT OUT OF BUSINESS.” Property & Casualty 360 122, no. 1 (January 2018): 38–39. http://search.ebscohost.com.proxy.library.cmu.edu/login.aspx?direct=true&db=buh&AN=127972929&site=ehost-live.

"The Future of Data Justice Examines the Impact that Data Collection and Surveillance has on Marginalized Populations." Targeted News Service, Mar 25, 2019. https://search-proquest-com.proxy.library.cmu.edu/docview/2197343709?accountid=9902.

“The State of Data in the Nonprofit Sector.” EveryAction, Nonprofit Hub. http://cdn2.hubspot.net/hubfs/433841/The_State_of_Data_in_The_Nonprofit_Sector.pdf.

Wells, Christina. “Why Nonprofits Need to Care About Proper Data Collection.” GuideStar Blog, April 2, 2018. https://trust.guidestar.org/why-nonprofits-need-to-care-about-proper-data-collection.

Winters, Paul and Jonathan Hwang. "THE CALIFORNIA CONSUMER PRIVACY ACT - WHAT NONPROFITS NEED TO KNOW." Taxation of Exempts 30, no. 7 (July 2019): 25-28. https://search-proquest-com.proxy.library.cmu.edu/docview/2260001317?accountid=9902.