Anedot Learn: Data Privacy Best Practices for Nonprofits and Fundraisers

‍Anedot Learn session transcript ↓

Patrick:

Hey, this is Patrick with Anedot and welcome to another Anedot Learn where we help you grow your organization through giving.

Today we're here with Mikey Swetz who's the vice president of fundraising at the advertising agency Arena.

And we're going to be talking about data privacy and best practices.

So thank you for joining us, Mikey.

Mikey:

Happy to be here. Thanks for inviting me on.

The state of data privacy and why respecting donor information matters

Patrick:

For sure. I know it's not the first Anedot Learn you've done with us, but it's an interesting topic, especially with how much is in the news right now about data privacy.

So I'm glad to have you on here, because sometimes we do hear from the donor side of it, but it's great to hear somebody who's actually doing marketing and things like that to get your take on it as well.

Mikey:

Yeah. It's been, I mean, everything you see now, you got to question it, double did you think about it twice. And is this real? Is it not real? Is it a scam?

I get tricked all the time, and I don't click on anything unless I actually know it's coming from a trusted source.

So with data leaks and privacy and securing data, it's a tough game to play right now and to dance around.

Patrick:

Yeah. I mean, I think so, a lot of donors are probably asking the question, they're probably like, you're the one that sends me those texts and we're going to highlight that there are people like Mikey who consider the ethics and try not to spam, but for donors who are like, why am I getting so many texts and emails all the time?

I feel like I'm hitting unsubscribe. It's not really helping. Can you kind of talk about why that's occurring right now?

Mikey:

Yeah, I think there's a lot of data sharing going on.

If you're giving to a political campaign or group it's public information so they can backtrace your contact, email, or phone number that way as well.

So, if you're a donor, they know that. And then they'll ask you for money again and again.

But also the sheer amount of people who are now doing nationalized texting or statewide texting has grown significantly since 2020.

When there was a big presence by both presidential campaigns on texting and email and social media and every other form of communication you see right now.

So I think it's just oversaturated in the markets right now because everyone's doing it. So everyone's doing it.

You might not, it might be the same message, but from a different person because people share messages as well. So it's getting a little more widespread.

Patrick:

Yeah. And I'm sure consultants say, oh, we do it because it raises more money because it works.

What's kind of your thought process on them saying that? What's your opinion of it and kind of how do you do things differently, I guess I would say.

Mikey:

And I would say, yeah, it works to an extent.

But I think the more and more people that do it nationally for random congressional races or whatever group you're working for, a national race, if you're in Florida and you're trying to solicit from Alaska, it better be a really good reason why you're doing that.

Otherwise, they're going to question why. But I think, yes, it works to an extent if you have a really good message, but it also hurts the donor ecosystem because they're getting messages nonstop.

I get I mean, because I'm on so many lists now, I get like at least 30 a day or more, from around the country on text and email.

I like seeing them, to see who’s doing what, but most people are not going to like that. So, really when we do our campaigns and with our group here at Arena, we want to respect the donor.

That's always my first and foremost mode here as a fundraiser because I consider myself, I'm a fundraiser first, digital professional second, because I've been in a fundraising atmosphere for 12 plus years, and digital only became so really widespread, started at 16, little bit, 18, and 20 kind of really it blew up.

But respecting the donor is a huge part of that because everyone's treating them like an ATM, and they might give once and never give again because they gave once, and then they're asked for money 40 times in the next month or so.

So I think really it comes down to frequency of how you send and who you're sending to because I can work for a governor's campaign in whatever state and reach out to Connecticut and they're going to opt out or hit spam on me, which then hurts my reputation or my campaign's domain reputation.

So we like to do things a little differently. Are we going to raise less money? Probably.

But are people going to give it again and again or be repeat donors? More likely, yes.

So it's all about that long term goal that we look for, because especially for groups that aren't campaigns that are around for a lot longer than a two year campaign, they have to raise money year over year rather than in a span of 12 months.

So it's a matter of planning it out, not over sending, and not oversaturate people because they're getting tired and turned off.

Patrick:

Yeah. So it sounds like the geographic location matters a lot.

Is there like a recommended contact schedule or kind of guidelines? You know, even loose ones that you've seen that work or don't work.

Mikey:

And I would say when someone subscribes to a list via text or email, you should have that eventually.

Like do you want to be contacted often? Do you want to be contacted monthly, weekly, what's your frequency or is it one and done or something like that where at least they can opt in now?

Not many people do that, opt in that way. But I would say, for us, if someone just gave a donation to us, we don't ask them for money again for at least a week or two because they just gave.

If we sent five emails that week, I'm not going to ask them for money again and again until maybe a month later, because they just gave to us.

Let's give them a break. But the problem is they never know who's sending what. This person asks why you sent so many emails.

And I said, well, that wasn't us. So it's hard right now because everyone's messages are so similar and so intertwined.

And then on message, especially if you're on one side or the other. So that's also part of it, which is why branding yourself and making yourself unique and stand out is super important.

So people will then trust you and your brand, and then maybe nobody else.

But I think at least once a week is kind of a good if they've given, if they're not an active person, you're trying to activate them a few more times a week, probably is fine.

But if they're active and opening and they like who you are, and they signed up organically with you guys, with whoever, I think respecting them is super important.

Patrick:

I've been with Anedot for quite a few years now.

But I do recall before joining Anedot going and seeing a panel where I remember a panelist specifically saying, if this person's on your list and they're not giving, they shouldn't be on your list.

And that just kind of struck me and in a bad way.

And I feel like we're seeing that sort of become more pervasive, right. And that's the problem is they're not looking at people as people.

I mean, one thing we did a number of years ago was just put, we don't sell your data, we don't share your data.

Like if you give to someone and they share it, we can't control that.

But we don't do that. And I think, it is one of those things where people need to remember these are people, right? It's not just your piggy bank.

I think that was something that you've kind of mentioned that they're not your ATM, they're not your piggy bank.

They're people who are giving because they care and they should be treated with respect like that.

Mikey:

Exactly.

Best practices for collecting donor data securely

Patrick:

When you're collecting information, what kind of information are you trying to collect?

Do you think sometimes too much information is collected? What are your kind of thoughts on information collection in general?

Mikey:

I would be minimal in what you're collecting for what you need.

First name, email, or phone number if you're reaching out that way, if they're signing up for your list organically and they want to get your content and that general location like zip code or state is fine too.

But, when you ask for address or interest of issues, what do you like to do for fun or where are you going for your vacation?

If you're asking questions, things like that, that could be security risk. If someone ever got hacked or data leaks everything like that.

And then if you're an event planner to sensitive things like credit card numbers or things like that can also be on spreadsheets somewhere.

Or, I've done in the past, many, many years ago, that was dumb of me to do that because, you never know who can get access to your system at any time, especially these days where there's data leaks every week.

So only collecting the things you really need to contact somebody, not getting too much information with them.

Keep it minimal. Get their consent preferences as well. But also, you want to make sure you have enough for compliance.

So if they're donors and they’re giving to you, obviously employer, occupation are those two main things you need.

But, also once you have this data, where is it being held? Is it secure?

Can people trust to give their information to you because they know you're a legitimate organization or campaign and you're securing their data somewhere behind a password or two factor or something like that.

Patrick:

Yeah. I mean, I think it's really important, for us, in the industry we're in is maintaining PCI compliance, and making sure that anyone you give your credit card information to right that there's at least some form of PCI compliance.

And what that typically does mean is that we have to secure your data.

That's a liability for us if we don't. Everything's encrypted. Everything is tokenized. It's difficult on that end.

From what we've seen, a lot of times when donors do, let's say their credit card number is stolen or something along those lines, it's usually, they accidentally gave it to a scammer, right. Or something like that.

And that's something that we're always, we haven't ever had a PCI related leak or anything like that because we do tokenize and store our own data.

But to your point, you need to make sure that you do that. I mean, in my past life, same thing.

You collect things on paper, you make sure you shred it, just don't give people the opportunity to do that and one thing we also tell people is sometimes, Apple Pay or Google Pay, sometimes people are skeptical of these new methods, but they actually do encrypt your number.

So when we get an Apple Pay credit card number, we don't actually see the real credit card number. It's a completely separate credit card that's only like a one time use card.

So there's other ways too to kind of maintain your privacy, security, even if it is like you went to a restaurant and somebody wrote down your number, which is unfortunate.

Mikey:

And, as a fundraiser too, you do direct mail or people sign up on forms, they put their credit on their seat and they process it later on.

And those are things too that could get leaked. Don't throw them in the trash.

Shred them, scratch it out until the paper is gone, rip your paper because the number is still there or prevalent.

But shredding, getting rid of it, securely is super important because those things also can get caught in the trash and people pick them up. Whatever. Get rid of them the right way.

Patrick:

Yeah. It's fascinating. We've actually, I think it was maybe two years ago, we added QR codes as a way to share pages.

And we noticed that's been used on direct mail more and more because some donors are like, oh, yeah, I'm used to going into a restaurant and doing it from the menu, right?

But then at least they're typing in their credit card on their own phone.

They're not mailing something out. It's still fine. Obviously direct mail, you still can do that.

But there's just various ways, right, to provide the opportunity to be secure because the reality is, like myself or you, Mikey, we don't actually want to hold that credit card information.

We want you to enter it securely.

Us holding it is a security risk to us. It's not something we want to do unless it's heavily encrypted and protected.

Mikey:

If one good thing came out of Covid, it's QR code.

We use it on our mail pieces here as well. And, we encourage it. Yes, it's great for security, but also it's great for us just to get quick feedback on mail pieces as well.

How nonprofits can safeguard donor data with modern tools

Patrick:

100%. Let's say there's a consultant who's like, oh, well, what can we do to better communicate how donor data is used and what can we do to sort of become better when it comes to privacy and security?

Are there any sort of tips or tricks that you would give out there?

Mikey:

Really is training, and training your team is going to be important, but also, using a secure CRM as well.

There's dozens out there that are secure, a reputable CRMs that you can use to secure your data, that does most of the things for you. They're behind a password or something more secure.

One thing I do, these security keys that you get, you can use now to secure your Facebook and your email and your data.

The more secure you can get, there's not enough security you can do just to protect data. So I think, every option should be on a table.

Nothing should be out there, Google Sheets. Great. But if it's not secure, then people can get into it, share a link, whatever.

I just think clear rules from the beginning and guidelines and a checklist are important for teams and consultants of people to utilize every day because I think it's getting more important that things are secure because, I mean, I don't know what was it last week?

There was a giant data leak from all these giant companies.

They're secure as well. Nothing's got to be crazy, but on your end, doing everything you can is important because I feel better that my stuff is secure now with this data key or this security key.

And I think most people should be doing that now.

Patrick:

And there's no excuse even for donors, right?

So, I mean, Google and Google has it, Microsoft Authenticator, Apple Passkeys.

Or if you want a more robust solution like a 1Password, I mean, you can have all these options built into your phone, your laptops that allow you to have a different password for every single item.

I mean, that's something that I think is best practice.

Don't use the same password everywhere because we have these leaks.

So use a temporary password with every single platform, so that way if they do get one of your passwords they don't get your password for anything else. I mean, that's always a big one too.

Mikey:

And if you have an iPhone it now suggests long giant passwords for you.

Do it because that's more secure than doing something you remember.

Just make sure that your phone remembers it so you're not always hitting I forgot my password every time. Apple was made with security and I appreciate that from them at least.

And then suggesting all these passwords, I use them all the time because I don't trust myself to not use the same password every single time.

Patrick:

The other thing that started to become really common too is using sort of your phone number, your cell phone number as a replacement for a password.

I think it's something we're looking at in the future, too, where, instead of having a password, it text your phone number a different key each time because it's less likely that somebody gets a hold of your cell phone, your cell phone number, than them getting a hold of a password.

So that's another thing too. There's so many different ways now where it's like, don't reuse things.

Make sure you know who you're giving your information to. There's a lot of different ways like that.

And then, as you said on the consultant side on our end, I guess so much my end, but on your hand and others, it's treat people like people, right?

They're not piggy banks. You're not the only one sending them. Make sure that you're being smart about it. And I think it's something that's really important to do.

One thing we always say, too, is if you do have donors who are concerned that their information is being shared and sold or they don't know if they're giving directly to you, we provide free custom domains, and that's something as well.

If you are a campaign thinking about this and you get complaints from donors, like make sure it's custom branded, make sure they know it's you and it's legitimate.

Because that's something I think that's going to happen more and more is them questioning, is this actually the organization asking me, or is this some other fraudulent thing going on?

Mikey:

Yeah. And I agree with that too, especially with the custom domains, because they're verified and they're real.

And, I always look for that little lock sign, if it's a secure website or not.

Because, you never know what's out there and what's lurking because there are many malicious actors out there.

How transparency builds trust and protects donor relationships

Patrick:

100%. Mike, is there any other tips or items that you'd recommend to either donors or people that work in the field trying to raise money?

Mikey:

Yeah. I mean, being transparent is super key, especially for campaigns and groups that are asking for money, especially if they're opting into something, or they don't know they're opting into something, make sure it's plain language, not a bunch of legal jargon.

They don't understand it anyway. That's one of the things that we try to do on our end.

And I think reinforcing the transparency with your campaign as well.

So, you know, we are a transparent campaign. We're not going to sell your data.

Putting it out there, making sure that people know that as well. It's more trusting as well.

But I think tips for if you are raising money, announce who you are because I get so many messages that say we need $5 before midnight or else we're going to lose whatever. It's like here.

I'm not clicking that link, especially if I don’t know who it’s coming from because I don't know if it's real. I don't know if that short link is a bunch of numbers and letters. I'm not sure if that's secure.

So, being as transparent as possible and who you are, why you're asking, what you're doing is super important especially on email and text.

Digital fundraisers are having a hard time now because of all these scams out there. The tolls, I'm sure you get toll scams on your texts.

And, I get one from my dentist now that's a scam, apparently, because they've hacked into something. Tell me I owed money and I don't owe money.

So there's things out there that affects not just political, but everyday life and on everyday things that you're doing.

So, being super careful, having a secure phone or making sure everything is done the right way is super important.

But, it builds long term credibility with your supporters, with your donors that you're doing things the right way, and then you're showing them how you're doing them the right way, and you're not selling their data.

And one trick I like to do myself, especially on Gmail. Let's say my Gmail is, mike@gmail.com.

If I did Mike with the plus sign, whoever I'm giving to, I can see if they sell my data or not or my data is leaked somehow.

Because if someone from Alaska is asking you for money and I live in Utah, I'll know it's somehow got leaked or sold.

And I can then report it or do nothing about it. But at least you know, it's not a secure campaign you're giving to.

Patrick:

I mean, I think you summed it up best. Do the right thing, right?

I mean, I think that's kind of the answer, right is do the right thing. Do to others as you wish to be done to you.

You know, kind of deal. And I think that's what it comes down to because to your point also, you made earlier, trust and donor confidence is everything.

And just because you're running right now, like, doesn't mean in the future you're hurting everybody else if you're not doing the right thing ultimately.

Mikey:

And doing the right thing, too. If you're a campaign or a consultant or a vendor and someone opts out, my number one rule with my team is truly opt them out.

They're not going to ask again. If they opt out by email, if they opt out by text, they're on the blacklist forever on our end because we're not going to ask them again, because that can then lead to fines.

If they then report you because you they've proven they opted out. But you know, some people use different numbers to then text them again, even though they said no.

If they said no once, they're not going to give. So stop asking them for money. They're already mad, pissed off.

And you want to make sure that you are doing the right thing by opting them out completely and just getting them off your list, because it's going to cost you less to send to them because they're not on your list.

But they’re never going to give. So at that point, that's one thing we do, one thing everyone should be doing, but that's one thing people aren't doing.

So, that's super important.

Closing thoughts

Patrick:

100%, 100%. Well, thank you for joining us, Mikey.

Again, Mikey Swetz, vice president of fundraising at Arena. Mikey’s been on a few Anedot Learns.

So you can go to our blog and Anedot Learn and kind of learn more and watch any other ones, as well as our Nonprofit Pulse podcast.

You can also go to help.anedot.com and see any help documents if you need that.

But thank you for joining us for Anedot Learn and we will see you on the next one.

Mikey:

Thank you, Patrick, and thank you Anedot.