Facebook Privacy for Nonprofit Organizations

There's a lot of talk these days about privacy issues on Facebook.  What does that mean for you as an organization?  The issues for an organization are different than those facing an individual—but still absolutely something you should be thinking about.  This article was funded through the Idealware Research Fund, with the support of people like you.  Thank you!

Facebook seems to generate a lot of discussion about the way it handles privacy and security, and not without reason—personal data protection is worth some scrutiny, and Facebook has a questionable track record in this area. However, these issues don’t apply in the same way to nonprofits who have an organizational presence on Facebook. Organizational data is, by definition, far less personal than the information an individual might trust to the site, so you’re much less likely to want to keep it private.

But there are other privacy concerns for nonprofits that use Facebook—even if your own privacy isn’t a big concern, it’s important to think of your constituents’ privacy. What does that mean for you? We talked to a few experts and condensed their advice into this article. We’ll take a look at the issues you most need to be concerned about one at a time.

What’s the Deal with Facebook and Privacy?

Facebook began as a way for users to communicate with a select group of people they chose to add to their networks. Six short years later, it’s become a nearly indispensable utility with more than 500 million users and its own Hollywood movie.

As it grew, its privacy settings evolved—and, in many ways, eroded. The first changes made a lot of user information public by default, forcing users to be savvy enough to notice and change them. More recent changes have made additional user data public—and shared it with partners to target ads—without giving the option to change it.

While it’s still possible to adjust individual user settings to keep a great deal of personal data private, it’s not always easy to do so, and with regular, ongoing changes, Facebook keeps moving the goalposts.

However, most of this doesn’t apply to organizations. Organizations that choose to have a public Fan Page usually are very interested in reaching people they don’t yet know. If they want to have a more private conversation, they can set up a private Group, for which the privacy settings are relatively straightforward. And the truth is that Facebook is far more interested in information about individual users—who are prime targets for promotions and ads—than organizations, which are more difficult to target with advertisements.

Constituent Privacy

However, constituent privacy is another thing altogether. Before you post anything about the people who interact with your organization, it’s important to consider a few things—like whether or not you have their permission. And whether your post might say more about them than they would want, either intentionally or not.

For example, are you mentioning things done by someone outside your organization and referencing them by name? Are you displaying photos or videos of people, or tagging photos with their names? It’s a good idea to get permission from them first. At an event, this can be relatively easy—post signs, or a note on the invitation or tickets, letting attendees know you’re taking pictures, and asking them to let you know if they don’t want to be included.

Many schools and organizations that work with children already ask families to sign waivers giving permission to use photos in print and on the Web. It’s a good idea to add Facebook and other social media into those waivers—and if you’re not already using such waivers, give them some thought. But even if you have permission, consider each picture or video. Is it something a constituent would want family or employers to see? If not, think twice before posting it.  That picture of your donor dancing on the table with a drink in her hand might be a great illustration of the good time had by all, but may well not be the image she’s trying to portray at work.

Sometimes simply mentioning someone’s name can be an invasion of their privacy. HIPAA guidelines, for instance, which apply to health-related organizations who receive funding from Medicare or insurance companies, prohibit disclosure of any information related to diagnosis—even general information that someone is enrolled in a program. In this case, it’s clear that mentioning someone’s name in conjunction with your program is a violation of not just privacy, but of the law. 

But even if HIPAA doesn’t apply to you, consider what you might be saying about constituents when you publish their names. One expert we spoke with cited a New York-based nonprofit that makes one-time financial grants to individuals and families in need—for instance, to pay medical bills, or to cover mortgage or tuition during a particularly lean period. Because grant recipients probably don’t want to publicize their economic hardships, that organization chooses to not mention them when promoting the good work it does on Facebook. Instead, it uses the opportunity to thank donors and supporters for their assistance, and to encourage others to give.

Things get even more complicated when it comes to organizational staff members’ personal Facebook pages. If one of your social workers “friends” the kids she works with, does that publicize that your organization providing them with services? Maybe—one of the experts told us about a nonprofit that serves at-risk teens. Its social media policy was for staff to not friend anyone who might be a constituent, and for the organization page’s administrators to never post on those users’ walls. Why? Because associating a teen with the organization might imply a need for the services the organization provides, and that could be a breach of privacy.

Another expert told us about a Maine school for children with autism spectrum disorders that adopted a similar policy to prevent legal action. In the past, the school administration encouraged teachers to interact with families of students and alumni on Facebook, but fearing a potential lawsuit by a parent who felt that this disclosed too much about their child, recently required staff to “unfriend” parents.

This is a murky area, because employee Facebook profiles are their own, and not strictly affiliated with your organization. The lines, however, are not clear. When creating a social media policy, make sure to think about your constituents and how your staff’s Facebook activities may affect them. It’s not always clear cut or easy to see.

Wrapping Up

To most people, Facebook is a harmless way to keep in touch with friends, families and other groups and people with shared interests. That’s certainly true of the site, but it’s worth a reminder that it’s also a business, and that means it’s revenue-driven. That revenue comes from advertisers drawn to Facebook for the same reason so many new users are—because of the vast numbers of people already using the site.

The negative press about privacy concerns has people talking about the issues, and Facebook’s founder has also made public statements that reveal his fundamental belief that the age of privacy is over. But the site is so popular now that many people feel they’d be missing out if they were to cancel their account, which makes it more and more difficult for people to vote with their feet.

Privacy issues are likely to continue evolving. Users need to stay abreast of them to ensure their data is protected in the way they believe it to be. Of course, they always have the option of not using the site at all, but for most people the pros outweigh the cons. As long as they continue using Facebook, chances are your organization will, too, as a good way to be part of the conversation.

Whether you’re thinking about creating a page, or already have one, sit down and think through a policy to make sure your organization and constituents are protected. The issues aren’t black and white. The best thing you can do is to stay informed, and adapt your policy as you learn more.

Thanks to John Haydon of Inbound Zombie, Amy Sample Ward of NP Tech and Andrea Berry of Idealware.