Jordan van Bergen: Charities must practice data minimisation

Research in the Netherlands by Donateursbelangen shows that many nonprofits still make it mandatory for one-off online donors to provide personal data before they can give. CEO Jordan van Bergen talks us through the study findings, and explains why practicing data minimisation is so important.

People choose to donate for many different reasons, and in a multitude of ways. A one-off online donation, as we know, is generally a quick response to an urgent appeal. Yet in the Netherlands – and more widely – we have found that many nonprofits request a lot of personal data before allowing these donors to give.

There are several problems with this. Firstly, collecting data that isn’t needed in order to process an online donation puts people off giving. Secondly, it opens donors up to communications they don’t really want (potentially affecting how they then feel about that nonprofit), and finally, data minimisation is an important part of GDPR compliance.

Investigating whether charities practice data minimisation when taking one-off online donations is an area Donateursbelangen has looked into closely here in the Netherlands. Our research reveals which personal data is required, whether charities are transparent about donation transaction costs, and also whether donors have the option to give anonymously using payment methods with consumer protection.

Mandatory personal data requests
The complete research covers the Top 250 Dutch charities and is offered as open data that can be filtered on all fields. It shows that quite a few charities still make a mandatory request for personal data before allowing someone to donate, asking for everything from physical address, telephone number, name, email address, gender, and date of birth.

The study shows for example that 71 of the 285 online donation modules of charities examined require the physical residential address with the zip code & house number. Yet this personal data is not needed to process an online donation. Every donor who is obliged to leave an address can then expect direct emails in the mailbox, but apart from this, it enables charities can do data enrichment based on zip code + house number, from which up to 2,500 characteristics about the donor can be recorded.

Key figures
The following key figures provide insight into one-off online donations to charities via online donation modules in the Netherlands:

• 82% of charities do not communicate what the transaction costs are.
• 73% of charities don’t allow donors to give anonymously.
• 69% of charities don’t ask donors to agree to the privacy terms.
• 25% of charities demand the donor’s address.
• 4% of charities demand the donor’s telephone number.

Legitimate interest?
The nonprofit sector and fundraisers in Europe expect and explain that they can collect this data through the legitimate interest condition within GDPR’s law, but it’s a grey area. It’s not obvious how the condition applies, and unless a nonprofit can substantiate the reasoning, data subjects can object to the processing and force you to remove their records. They can do this via a DSAR (data subject access request), which gives them a full record of the data you hold on them and the purpose for collecting it. If they disagree with your justification for legitimate interest, the burden is on you to prove otherwise.

Making personal data mandatory that is not really needed for a one-off online donation, and not being transparent about how their data will be used, means donors don’t really know what’s happening, and that the nonprofit is not really representing their interests. The Privacy Coalition in The Netherlands, which Donateursbelangen has joined, is working to raise awareness of the issue, and to reverse this trend.

What must happen according to the Dutch Privacy Coalition?
We have to say goodbye to business models that are based on the massive collection of data from users. Asking for mandatory personal data from donors while making a one-off online donation should stop, and it’s an easy change to make. The first step is to make these fields optional in the donation form so donors themselves can decide how much personal data to share. The second is to make sure donors are aware that their data is collected and held through a privacy declaration and by making sure they can only donate when they’ve selected a mandatory checkbox to show this: [ ] I agree with the privacy declaration.

Data minimisation should be the starting point
Apart from possible legitimate interest, data minimisation is part of the GDPR law as well and should be the starting point when asking people for a donation. This fits into “Privacy by Design” as well.

What about Europe?
Donateursbelangen represents the interests of donors in the Netherlands only but checking a few charities outside of the Netherlands it looks like the situation is similar elsewhere. Currently the nonprofit sector in Europe is lucky that authorities in charge of GDPR legislation have other things on their mind but it could well be that someday data minimisation will win over legitimate interest. So why not act now and make the fields in your donation form or module optional. If you say you’re a donor-centric nonprofit, this should extend to letting your donors decide themselves what to share with you!

About Jordan van Bergen

Jordan van Bergen started the Dutch GeefGratis foundation in 2001, the goal of which was to deliver free internet services to charities through the donation platform geef.nl in the Netherlands. The platform was sold in 2021 and at the end of 2022 the foundation changed its name to Stichting Donateursbelangen. Its objective is to represent the interests of donors in The Netherlands. Fundraising organisations can show that they use donor-oriented fundraising by signing 10 donor promises. Jordan is currently the CEO of Stichting Donateursbelangen, and is also global leader of GivingTuesday in The Netherlands, and program manager for Techsoup The Netherlands, an IT marketplace for nonprofits.

Picture by Yan Krukau on Pexels