The ACLU is Committed to Protecting Your Personal Information

Privacy laws serve as vital guardrails against the potential abuse of personal information in an increasingly interconnected world. As a nationwide organization dedicated to defending civil liberties, the American Civil Liberties Union (ACLU) recognizes the paramount importance of privacy in today’s digital age, and we firmly believe that transparency and accountability are necessary to protect all of our rights to privacy.

Right now, Americans risk being tracked and surveilled without any notice every time we open an app, walk into a store carrying a phone, or do an online search. As Congress works to draft a comprehensive privacy law, states are trying to fill that critical gap by passing their own privacy legislation. In response to this evolving landscape of privacy laws, including the new Colorado Privacy Act that goes into effect on July 1, the ACLU has developed an updated and comprehensive privacy policy to adhere to the values we hold dear.

The ACLU is in a unique position as both an advocacy organization fighting for stronger privacy laws, and a nonprofit dependent on reaching donors, action-takers, volunteers, and other supporters through data-driven tools and strategies in order to further our legislative, advocacy, and organizing work. This natural tension has invited hard but critical conversations, as we debate the values and drawbacks of technology and data practices internally. But we see this tension as a strength. It has allowed us to learn and improve, challenge norms, and work diligently to push for better legislative solutions, as well as better internal policy solutions that ensure we are truly living our values.

We published our first privacy policy more than two decades ago to be open and transparent about our data practices and demonstrate our commitment to our members’ and constituents’ data privacy. Over the years, we have revised our privacy policy every few years, and will continue to revise our policy as consumer privacy laws are passed and privacy practices, data practices, and technologies evolve. This process of continuously updating and refining our privacy statement reflects our ongoing commitment to communicate openly with our members and supporters and to adapt to evolving technologies as well as new laws and norms. The ACLU is committed to being a leader in this field.

In this blog post, we aim to shed light on the steps we are taking to safeguard your personal information, as well as explain how the ACLU collects, uses, shares, and otherwise processes personal information as we work to defend the civil liberties of all people, and fight back against injustice in courts, statehouses, and communities across the country.

• Transparency: We commit to sharing our privacy policy and data practices to make clear what we are collecting, how we’re collecting it, and for which purposes. Our privacy policy details specific disclosures and encompasses both our approach to handling information we collect about you, and information about you that is already publicly available. You can read our full policy here and data principles here.
• Accountability and rigor: We know that privacy standards and technology are constantly evolving, and we need to continuously hold ourselves accountable to evaluate how we do our work. We created a dedicated privacy and data governance team to ensure consistency across our national organization. We also continue to conduct trainings for our teams on how to apply privacy practices to a changing world.
• Agency over your data: We have made it easier for you to review, correct, and delete your personal data, as well as opt out of certain practices through our website. We believe choice is key — you shouldn’t have to dig through the small print to opt-out. You can do it right here.

We won’t beat around the bush: The ACLU does collect personal information to build our community of supporters and advance our work to fight back against abuses of power and protect the rights of all people nationwide. We could not do our work effectively without using various data-driven tools and strategies and accessing information. For example, when we ask supporters to sign a petition or contact your member of Congress, completing those actions captures information such as your email and interest in the issue area, allowing us to contact you in the future and continue to advocate for that policy.

We take our responsibility to those who entrust us with their stories and information very seriously, which is why we are clear about what the ACLU collects, how we use that information, and for what purpose. Specifically, in service of our supporter engagement, organizing, advocacy, and litigation work, we collect and steward personal information through a variety of methods, including:

• Direct collection (e.g., through a web form you submit);
• Automated data collection (e.g., through tracking technologies to understand how people navigate our websites);
• Third-party sources (e.g., voter data from government and commercial sources); and
• Inferring personal information about you (e.g., your potential interest in joining a discrimination lawsuit based on information we have collected from you and/or information acquired from third-party sources or if you and another person share an address, we may assume you’re in the same household, which would prevent duplicative outreach).

We then use various tools and tactics that use this information to do the work. For example, to win political battles in states across the country where fundamental civil liberties are being stripped away, we use voter files that are available through commercial and government sources. In our fight to pass ballot initiatives that would help secure the right to abortion in Ohio and Michigan, we unfortunately cannot knock on every voter’s door — voter files allow us to better understand which voters we should engage and turn out to protect abortion access.

Additionally, we infer interest from “lookalike audiences” when considering audiences for things like digital advertising – that is audiences who have similar interests to our existing members (perhaps they liked the same allied groups or engaged with similar posts). This helps us connect with people who are like our existing supporters but haven’t yet joined the ACLU community. While we do receive information that social media sites provide us, such as we know how many people clicked on a specific Facebook ad, we do not have that information at an individual level so we do not and cannot add it to the information we have on a person.

To win court battles on our core issue areas, the ACLU uses personal information to research violations of civil liberties and seek potential clients whose rights might have been violated. We also review demographic and legal data through FOIA requests of government agencies to determine if there is a disparate impact of policies and how to remedy that. For example, in our recent redistricting case in Alabama, Allen v. Milligan, we reviewed and analyzed legislative district maps and census data to assemble evidence for filing the case. The facts derived from that data allowed us to move quickly to file a legal challenge to the gerrymandered maps. This work led to a win at the Supreme Court, which ruled that Alabama’s congressional map diluted Black political power and affirmed the order that Alabama must redraw its congressional map to correct that.

Whether it is for advocacy, litigation, fundraising, or research, when we collect personal information, our usage aligns not only with state and federal laws — but also with the ACLU’s privacy and transparency values, for example:

• When collecting information, we strive to minimize what is collected and retained to the information that is needed for specific, limited, and legitimate purposes in support of our mission to safeguard, protect, and expand civil liberties for all people;
• We don’t use precise geolocation data, which means we don’t have information on your exact location or whereabouts;
• We don’t use “retargeting pixels,” which uses tracking technology to identify users as they travel across the internet and serve them ads based on that identification; and
• We work to keep your data safe and protect against unauthorized access to, and improper use of, personal information we collect online and offline through physical, technical, and administrative safeguards.

We are continually updating our practices, assessing our opportunities for growth, alerting our users to meaningful changes in our policies, and training our teams on vulnerabilities for protecting your data.

We strive to work with business partners and retain service providers whose privacy practices we feel confident about. That said, the reality is that not all of our business partners and service providers share our privacy values — companies that due to size and scale are unavoidable providers for nearly every organization today. What we do differently, however, is we push service providers and business partners to be better when we can, and when we cannot, we reevaluate what is truly needed and may forgo non-essential capabilities.

Here are some practices we have put in place to ensure our expectations on privacy are met by our core partners. When working with service providers who must access, store, handle, or process personal information in our possession, our Privacy & Data Governance team reviews their data practices. We also contractually require them to verify that they will meet our same confidentiality and security standards and make explicitly clear they cannot use the personal information we steward for their own purposes.

It is standard in the nonprofit sector for organizations to participate in list sharing arrangements and join nonprofit data co-ops. These practices allow us to do our work effectively, though we recognize they are imperfect and require constant scrutiny. So while we push for better industry standards to govern our entire sector, including for privacy laws that do not exempt nonprofits, we have implemented a few requirements we hold ourselves to. First, we only rent or exchange with reputable nonpartisan organizations on a single use basis. Second, we only join nonprofit data co-ops that promise not to share a person’s ACLU association with other co-op members. Third, information is only shared with service providers, not organizations themselves, to ensure the organization cannot repurpose the information.

The ACLU offers choices on how we process your information and makes it easy to change that information at any point. You can use this form to correct your information, ask us to tell you about the information we have about you, and request we delete or stop using your information. Our website already included the options for users to update their communication preferences, correct or update any information you may have shared, opt out of data sharing with non-ACLU platforms (i.e., targeted advertising), and opt out of list sharing with other organizations.

Recently, we took these options a step further: Now you can request information about what type of data we have collected about you, ask us to delete data, or request a copy of the information we have about you. ACLU National offers these choices to everyone, regardless of what state they live in and regardless of whether we are legally required to do so. The ACLU of Colorado and the ACLU of Virginia also offer these options. As we roll out this new and comprehensive function, it may take us some time to be as speedy as we hope to one day be, and we appreciate your patience while we improve and operationalize this critical offering.

As privacy and technology continue to evolve, we remain committed to upholding the highest standards when handling your personal information and updating our policy to reflect that evolution. We are equally committed to fighting for privacy laws that protect your information beyond your engagement with the ACLU. Here’s a snapshot of three efforts we’re leading to advance the right to privacy across the country:

• The ACLU is leading a nationwide movement to ensure communities — not private entities or government agencies — get to decide if and how surveillance technologies are used in their communities. Already, as part of ACLU-led campaigns, multiple towns and cities, including San Francisco, Berkeley, and Oakland, California; Syracuse, New York; and Springfield, Boston, and Cambridge, Massachusetts have adopted bans on the government’s use of face recognition. Following another ACLU effort, the state of California bans use of the technology on police body cams.
• In Maine, we’ve been working to pass a biometrics privacy bill that would impose strict regulations on companies obtaining, selling, or retaining individuals’ facial, fingerprint, or eye scans. This bill is modeled after an Illinois law we helped pass back in 2008 that is known as the “gold standard” biometric privacy law.
• At a federal level, we are supporting the Fourth Amendment Is Not For Sale Act, which would stop the government from skirting the Fourth Amendment’s warrant requirement and surveillance laws by purchasing Americans’ data from third-party brokers.

Additionally, we continue to push for federal legislation to establish a national baseline that provides robust privacy protections and places the onus on the entities that wish to collect and use our data – and have pushed for protections for our data from agencies like the Federal Trade Commission, the Equal Employment Opportunity Commission, the Consumer Financial Protection Bureau, and others.

As we continue to fight for your privacy at the state and federal level across the country, we’ll work to ensure the values that drive our advocacy are reflected in our internal practices. We also acknowledge that no organization is immune to challenges when it comes to privacy. We have learned from our own challenges and experiences, as well as from those of our partner organizations, and recognize the need for rigorous evaluation and continuous improvement of our privacy practices. If you’d like to adjust the way we use your data, change the information we collect, or have any questions please don’t hesitate to reach out.