The Importance of Nonprofits' Prioritization of Patron Privacy
Written by Natalie Larsen
Growing Privacy Concerns
In 2021, TikTok updated its privacy policy which allowed it to collect biometric data on its users, including faceprints and voiceprints. Rather than explicitly informing its users about this change, the app vaguely communicated that they were issuing a “privacy update.” Once people found out what the update entailed, concern rightfully grew. This type of data collection indicates a significant shift from companies collecting behavioral data on their consumers to something much more invasive and without true consent. Only 36% of Americans trust tech companies using facial recognition technology. In general, public trust in Big Tech has been steadily falling in the United States. Regardless, however, most people still click “accept” to the Terms & Conditions on any website without actually knowing what is being agreed to, indicating a disconnect between what US citizens expect from businesses and what is actually being conducted.
Data Privacy Explained
Everyone has data on the internet– name, age, gender, birthday, interests, browsing habits, and so forth. These aspects of a person’s identity fall under data categorized as Personal Data. That data is valuable to big corporations, whether they sell the data to gain revenue for free services to their consumers, or buy the data to advertise their products to potential consumers in a tactical, albeit intrusive, way. In the notorious 2018 Senate Hearing on Facebook, Mark Zuckerberg’s retort, when posed with the question of how Facebook remains profitable when its service is free, gave us a glimpse into an obvious yet disturbing truth behind the operations of a big tech company. Zuckerberg responded with a simple, yet telling answer to Facebook’s monetization: “Senator, we run ads.” A large purpose of data in capitalism is the predictive modeling of human behavior.
Data privacy can be defined as the careful handling of data throughout its lifecycle, from data creation to data deletion, based on its relative importance. This field has grown exponentially in the digital age, as it manages data, governance, compliance and its laws, consents, notices, and regulatory obligations. The Health Insurance Portability and Accountability Act, better known as HIPPA, is a policy in the healthcare sector that protects against institutions misusing patients’ medical and health data. It prevents healthcare organizations from giving out patient information about physical and mental health, and requires that healthcare and healthcare insurance companies protect this information from fraud or theft. This policy prevents insurance companies, pharmaceutical companies, and doctor’s offices from directly targeting people with personalized ads for products or services. HIPPA is the only sector-specific policy in the United States that protects people from having their personal information abused or exploited by large corporations. With only three states having adopted some form of data privacy law, it is unclear how soon Congress will propose bi-partisan data privacy legislation. Currently, policy regarding data privacy in the United States is the responsibility of the individual states.
Lack of Legislation
It is unsurprising that the United States government lacks data privacy regulation. As with many contemporary issues, it often takes extended periods of time for the government to create bi-partisan cooperation in implementing change. The European Union is the strongest leader of data privacy legislation, creating the General Data Protection Regulation (GDPR). GDPR is intended to be the toughest privacy and security law in the world. Much like the right to the pursuit of liberty or free speech, the new EU regulation is stalwart in the idea that “the protection of natural persons concerning the processing of personal data is a fundamental right.” Under this regulation, EU citizens have the right to ask companies how their personal data is collected, stored, and used. They also have the right to request that their data be deleted from a company’s database (or CRM). Companies must get consent from a consumer before collecting and storing their data. With the exception of HIPPA, there is no centralized regulation that protects US citizens’ personal information from being abused by companies.
The closest piece of legislation the United States has to the EU is the California Consumer Privacy Act (CCPA), passed and enacted in 2018. Under CCPA, California citizens have similar rights to those established in GDPR. Similar privacy legislation was passed in Virginia (the Consumer Data Protection Act) and Colorado (the Colorado Privacy Act), both in 2021. In deciding the parameters in national legislation, the biggest hurdle appears to be the extent to which Democrats and Republics want big companies to be penalized for mishandling personal consumer data. While Democrats want to enable consumers to hold businesses accountable for abusing their data, Republicans opt for more business-friendly legislation. Without centralized federal regulation, having varying data privacy laws by state makes the issue more ambiguous and complex, leaving consumers unsure or unaware of their rights.
Art Showcasing Concern
In 2016, Mozilla partnered with Tactical Tech to bring the Glass Room to London and New York City. This immersive exhibit, made to look like a tech store, was created to teach people about who is collecting their data online and why. The Glass Room attempts to demystify the world of data privacy in a vast digital world. It accomplished its goal by compelling participants to think about how they interact with online platforms, as well as visualize and contextualize otherwise abstract ideas about what happens to personal data.
As with any other complex social issue, artists have been quick to be the messengers of social and moral concern. The beauty of art is its ability to convince people that they need to care about something. Humans are inherently visual creatures, but it sometimes takes more than just showing an audience why something is a problem. Some artists have gone so far as to make an audience live a problem, either in an immersive exhibition or through some “alternate universe” via a Black Mirror-esque presentation. One such experience is German artist Tobias Leingruber’s Facebook ID card project, named FB Resistance. In 2012, Leingruber created Facebook ID cards for his guests at an art event. This concept was somewhat influenced by George Orwell’s 1984. Leingruber’s project lends commentary to how social media pervades our everyday lives. If we allow digital platforms to consume our identity little by little, where is the line drawn? Since todays’s society holds great importance in having an online presence, is it not unimaginable that humans will one day be solely valued on the meticulously curated digital content to achieve a certain level of social status.
Netflix’s Black Mirror episode Nosedive also played with this idea in 2016, in which a woman’s life unravels over her slowly deteriorating “social media score” as she desperately tries to cling to the small amount of social standing she has. While these are two extreme examples (thankfully, in the ten years since, Leingruber’s fake project hasn’t become a reality), these projects raise concern of what will happen when nothing is private anymore? In the United States, citizens are aware of their Constitutional rights. However, when a significant data breach at a big company occurs, no collective outrage occurs. This indicates a lack of ignorance regarding rights in relation to data privacy in the US. The EU asserts this in the GDPR through the following statement: “the protection of natural persons in relation to the processing of personal data is a fundamental right.” As more of our personal lives become exposed and our habits become exploited by big business, how does the nonprofit sector factor into all this?
The Adaptability of Arts Nonprofits
In a society where technological trends feel almost ephemeral, it is understandable why many nonprofit art organizations are slow to adopt the most up-to-date data collection, storage, and management technologies. This is driven by several factors, such lack of funding, tech-hesitant Boards of Directors, and a general lack of awareness of more efficient systems. Even many for-profit entities are behind the curve when it comes to having a data strategy. But as opposed to for-profit businesses, nonprofits could be using data from their communities to create more effective programming tailored to their target audiences’ needs. These efforts are crucial to achieving its mission. One author noted that when organizations lack the data architecture to fully leverage the data available to them, the actual opportunity cost is innovation.
Knowing how to use the data is only part of the equation, though.
In addition to the newness of investing in data collection and management, nonprofits must grapple with the issue of consumer privacy. The lack of regulation in the US forces private and public sector managers to consider their level of responsibility. Amidst this concern, data has become more crucial than ever for nonprofits to understand their target demographics, which influences the creation of appropriate programming and effective marketing materials. However, the lack of data architecture and policies leave nonprofit organizations more vulnerable to data breaches. This has occurred before, as the Shakespeare Theater of New Jersey experienced a ransomware attack in 2019. Hackers disabled the organization’s access to its ticketing system and patron database. Several other breaches have occurred in which hackers gained access to an organization’s funder information, costing them tens of thousands of dollars, practically forcing some to shut down.
While nonprofit-centric data breaches do not typically make headlines, this may be seen as a trivial issue. But as entities that hold personal identifying information about patrons, donors, employees, and Board members, nonprofits have just as much an obligation to protect their data as for-profit businesses do. The following are starting points nonprofits should heavily consider in developing a long-term strategy for data storage and protection:
Understand the legislation that exists to develop protection plans
Form a data and cyber security governance committee
Embrace cloud-based storage software
Properly educate employees on data security
By following these guidelines, nonprofits will be more equipped to protect their employees and patrons in a data-heavy and legislatively ambiguous digital world.
Ensuring Moral Use
For centuries, the arts have been used to express opinion and belief of one’s circumstances. This holds constant to the conversation around data privacy, forcing conversation and contemplation of the issue. With the current lack of legislation in the United States, the arts can help bring awareness and empower the public to push the federal government to implement change. However, with a lack of national protection, nonprofit organizations must assume responsibility in protecting personal consumer data and using it ethically. The relationship between people, their data, and business is significantly unbalanced, but arts organizations can help restore the balance by acting in the best interests of their patrons by ensuring personal privacy is at the forefront of business operations.
+ Resources
Alexander, Alistair. “The Glass Room: Big data, privacy and interactive art.” Mob Lab. April 28, 2018. https://mobilisationlab.org/stories/big-data-privacy-interactive-art/.
Crittenden, Elizabeth. “Let’s Talk: TikTok’s Privacy Update And Incubator For Black Creatives, Spotify’s Speech Recognition Technology, And More.” Arts Management & Technology Laboratory. June 22, 2021. https://amt-lab.org/podcasts-interviews/2021/6/lets-talk-tiktok-privacy-update-and-incubator-for-black-creatives-spotify-speech-recognition-technology.
DalleMule, Leandro and Thomas H. Davenport. “What’s Your Data Strategy?” Harvard Business Review. May-June 2017. https://hbr.org/2017/05/whats-your-data-strategy.
“Data Privacy – Definitions, Importance, Legislations / Privacy laws.” Data Privacy Acts. May 12, 2020. https://dataprivacyacts.com/data-privacy-everything-you-need-to-know/.
Fang, Jiashun. “What Makes Facial Recognition Controversial?” Arts Management & Technology Laboratory. February 13, 2020. https://amt-lab.org/blog/2020/2/what-makes-facial-recognition-controversial.
Frankfurt, Tal. “How To Avoid Security Breaches In The Nonprofit Sector.” Forbes. March 31, 2021. https://www.forbes.com/sites/forbestechcouncil/2021/03/31/how-to-avoid-security-breaches-in-the-nonprofit-sector/?sh=1be2a0095ce0.
Fried, Ina and Mike Allen. “Exclusive: Trust in tech craters.” Axios. March 31, 2021. https://www.axios.com/edelman-trust-barometer-tech-5787acea-8ef5-4d0b 96946e4f8eb006c4.html.
GDPR.eu. “General Data Protection Regulation (GDPR).” Accessed April 6, 2022. https://gdpr.eu/tag/gdpr/.
Jehl, Laura and Alan Friel. “CCPA and GDPR Comparison Chart.” Baker Hostetler LLP. Accessed April 30, 2022. https://www.bakerlaw.com/webfiles/Privacy/2018/Articles/CCPA-GDPR-Chart.pdf.
“Legislative Preview: Data privacy”. Congressional Quarterly Magazine. February 14, 2022. https://advance-lexis-com.cmu.idm.oclc.org/api/permalink/73df9d80-2c49-4f29 a233-3ca744502911/?context=1516831.
Leingruber, Tobias. “FB Bureau Berlin: Get Your Fb Identity Card!!” Free Art and Technology Lab. February 24, 2012. http://fffff.at/fb-bureau-berlin-get-your-fb-identity-card/.
NBC News. “Senator Asks How Facebook Remains Free, Mark Zuckerberg Smirks: ‘We Run Ads’ | NBC News.” April 10, 2018, 1:00. YouTube video. https://www.youtube.com/watch?v=n2H8wx1aBiQ.
“Nosedive.” IMDb. Accessed April 30, 2022. https://www.imdb.com/title/tt5497778/.
Pardes, Arielle. “What Is GDPR and Why Should You Care?” Wired. May 24, 2018. https://www.wired.com/story/how-gdpr-affects-you/.
Pyne, Lydia. “A Data Artist’s Guide to Putting People (and Privacy) First.” Hyperallergic. May 6, 2021. https://hyperallergic.com/641187/living-in-data-jer-thorp/.
Rippy, Sarah. “Colorado Privacy Act becomes law.” IAPP. July 8, 2021. https://iapp.org/news/a/colorado-privacy-act-becomes-law/#:~:text=Sarah%20Rippy%20IAPP%20Member%20Contributor%20On%20July%208%2C,earlier%20this%20year%2C%20to%20enact%20comprehensive%20privacy%20legislation.
Rippy, Sarah. “Virginia passes the Consumer Data Protection Act.” IAPP. March 31, 2021. https://iapp.org/news/a/virginia-passes-the-consumer-data-protection-act/.
Schenker, Dylan. “Artist Explores Online Identity and Privacy With Facebook ID Cards.” VICE. March 5, 2012. https://www.vice.com/en/article/z4y5z8/artist-explores-online-identity-and-privacy-with-facebook-id-cards.
State Of California Department of Justice Office of the Attorney General. “California Consumer Privacy Act (CCPA).” Accessed April 22, 2022. https://www.oag.ca.gov/privacy/ccpa?msclkid=7dc2492cbd9411ec867bf5984af6282d.
“The Week in Breach: 12/04/19 – 12/10/19.” DeckerWright Corporation Blog. December 11, 2019. https://www.deckerwright.com/blog/the-week-in-breach-1-5.
“What is CRM?” Keap. Accessed May 2, 2022. https://keap.com/product/what-is-crm.
Younanzadeh, Emanuel. “Why Your Company’s Data Architecture Is More Important Than the Data Itself.” Forbes. April 13, 2022. https://www.forbes.com/sites/forbescommunicationscouncil/2022/04/13/why-your-companys-data-architecture-is-more-important-than-the-data-itself/?sh=609e81e85311.