How to Audit Your Advertising Practices for Privacy
Jan 31, 2026
The questions you need to ask before your ads inadvertently break trust
You know your advertising shouldn't make prospects feel like you know more about them than you should. But how do you actually assess whether your current practices meet that standard?
This audit framework gives you the questions to ask across four critical areas: data collection, audience building, creative messaging, and cross-functional alignment. Use it to identify where your practices might be revealing too much and where you need to make changes.
Before You Start
This audit works best when conducted cross-functionally. Involve representatives from your product/tech, media/advertising, creative, and legal teams. The goal isn't to assign blame. It's to surface gaps in understanding and create shared awareness of what your audience actually experiences.
Part 1: Data Collection Audit
Start by understanding what data you're actually collecting and how you're using it to make inferences about your audience.
Questions to Ask:
- What behavioral data are we collecting about website visitors who haven't identified themselves?
Look at your pixels, cookies, and tracking tags. What pages are being tracked? What actions trigger data collection? Are you collecting this data on sensitive content pages?
- What qualifies as "sensitive" in our context?
For nonprofits, this often includes health data, demographic information, lived experiences related to your mission, crisis situations, identity-related content, or information about why someone might need your services.
- Are we collecting data about page views on sensitive topics?
Health conditions, personal crises, identity-related content, support services? If someone visits your "Addiction Recovery Programs" or "LGBTQ+ Youth Services" page, are you tracking that? Where does that data go?
- What inferences are we drawing from this behavioral data?
If someone visits certain pages, what are we assuming about them? Are we inferring health conditions, identity characteristics, personal circumstances, or crisis situations? Remember: inferences that create new information about someone count as personal data in many states.
- Where is this data being sent?
Meta Pixel? Google Analytics? Ad platforms? CDPs? Marketing automation tools? Each destination represents a potential risk if the data is sensitive. It's especially important to understand if your transfer of sensitive data counts as a "sale" in some states.
- What happens when someone opts out of tracking?
Do we actually stop collecting their data, or just stop showing them personalized ads? Is the opt-out mechanism working as advertised?
Red Flags to Watch For:
- You're tracking page views on crisis support, health resources, or identity-related content
- You're passing sensitive page view data to advertising platforms
- You can't easily explain what data you're collecting or where it's going
- Your teams disagree about what data is being collected
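An added example, not part of the original article: one way to turn the Part 1 questions into a repeatable check is to capture the outbound requests each page makes and flag those that reach ad or analytics hosts from sensitive pages or after an opt-out. The host list, the sensitive path prefixes, the example.org site, and the capture rows are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts counted as ad/analytics destinations; replace with your tag inventory.
AD_HOSTS = {"www.facebook.com", "connect.facebook.net", "www.google-analytics.com"}
# Assumption: path prefixes this (hypothetical) site classifies as sensitive.
SENSITIVE_PREFIXES = ("/addiction-recovery", "/lgbtq-youth-services")

SITE = "https://example.org"
# Constructed capture: (page URL, consent state when sent, outbound request URL).
CAPTURE = [
    (SITE + "/donate", "granted",
     "https://www.facebook.com/tr/?id=000&ev=PageView&dl=https%3A%2F%2Fexample.org%2Fdonate"),
    (SITE + "/addiction-recovery/programs", "granted",
     "https://www.facebook.com/tr/?id=000&ev=PageView"
     "&dl=https%3A%2F%2Fexample.org%2Faddiction-recovery%2Fprograms"),
    (SITE + "/lgbtq-youth-services", "granted", SITE + "/static/app.js"),
    (SITE + "/volunteer", "opted_out",
     "https://www.google-analytics.com/g/collect?v=2&en=page_view"),
    (SITE + "/lgbtq-youth-services", "opted_out",
     "https://www.google-analytics.com/g/collect?v=2&en=page_view"),
]


def audit(capture):
    """Return (page, destination host, reasons) for each request worth raising."""
    findings = []
    for page, consent, request in capture:
        dest = urlsplit(request)
        if dest.hostname not in AD_HOSTS:
            continue  # first-party or unlisted host: out of scope for this check
        reasons = []
        path = urlsplit(page).path
        if path.startswith(SENSITIVE_PREFIXES):
            reasons.append("sensitive-page")
            # parse_qsl percent-decodes values, so an encoded page URL is still found.
            if any(path in value for _, value in parse_qsl(dest.query)):
                reasons.append("page-url-in-payload")
        if consent == "opted_out":
            reasons.append("sent-after-opt-out")
        if reasons:
            findings.append((page, dest.hostname, reasons))
    return findings


if __name__ == "__main__":
    for page, host, reasons in audit(CAPTURE):
        print(f"{page} -> {host}: {', '.join(reasons)}")
```

Feed it rows exported from a browser's network panel or a proxy log, recorded once with consent granted and once after opting out, so the "sent-after-opt-out" check reflects what the consent tooling really does.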
Part 2: Audience Building Audit
Next, examine how you're using that data to create advertising audiences.
Questions to Ask:
- What audience segments are we currently using for advertising?
List them all: retargeting audiences, lookalike audiences, behavioral segments, demographic targeting, interest-based targeting, custom audiences from uploaded lists.
- Are any of these segments based on sensitive page visits or inferred characteristics?
If you're retargeting people who visited your "Domestic Violence Support" page or building lookalikes from your "Cancer Survivor Community" members, that's a sensitivity red flag.
- Who's actually in our lookalike audiences?
You don't have full control over who platforms include in lookalike audiences. What criteria are they using? Could they be making sensitive inferences about identity, health, or circumstances?
- Are we retargeting people who visited sensitive content areas of our site?
Someone browsing your mental health resources or LGBTQ+ support pages may not want to be reminded of that visit through an ad that appears on their Facebook feed.
- What assumptions are we making about people in these audiences?
If someone is in your "visited addiction resources" retargeting pool, are you assuming they have an addiction? Or could they have been researching for someone else, writing an article, or exploring options hypothetically?
- Could being targeted with this ad expose someone to risk?
Think about domestic violence survivors on shared devices, people who aren't publicly out about their identity, or anyone whose privacy being violated could put them in danger.
Red Flags to Watch For:
- You're retargeting based on visits to sensitive content pages
- Your lookalike audiences are based on people who sought crisis support or disclosed sensitive information
- You can't explain what criteria platforms use to build your lookalike audiences
- You're making assumptions about identity, health, or circumstances that people never disclosed
Part 3: Creative Review Audit
Now look at what you're actually saying in your ads and whether it reveals knowledge you shouldn't have.
Questions to Ask:
- Does our ad copy assume knowledge about the viewer that they haven't explicitly shared?
Compare what you know (they visited a webpage) to what your ad implies (they have a specific condition, identity, or circumstance).
- Does the messaging use "you" language that implies we know something about their personal circumstances?
"As a member of the LGBTQ+ community..." or "Living with diabetes..." or "Ready to get clean?" all assume information that may not be true or may not be something the person has disclosed.
- Could this ad make someone feel identified, surveilled, or exposed?
Put yourself in the viewer's shoes. If you saw this ad after browsing that content, would you feel like you were being watched? Would you wonder how they know that about you?
- Would this ad be problematic if seen on a shared device or by someone other than the target?
Ads about domestic violence support, LGBTQ+ services, or health conditions could put someone at risk if seen by a partner, family member, or employer on a shared screen.
- Does the combination of targeting + creative reveal too much?
Sometimes the targeting alone is fine, and the creative alone is fine, but together they reveal that you've made sensitive inferences.
- How would we feel explaining to this person exactly how and why they saw this ad?
If you'd be uncomfortable explaining your targeting and creative choices to the person who saw the ad, that's a sign you're revealing too much.
Red Flags to Watch For:
- Your ad assumes identity characteristics, health conditions, or personal circumstances
- You use direct "you" language about sensitive topics ("As someone struggling with...")
- The ad could expose someone to risk if seen by others
- You'd be embarrassed to explain your targeting methodology to the person who saw the ad
Part 4: Cross-Functional Alignment Audit
Finally, assess whether your teams are coordinating on privacy or working in silos.
Questions to Ask:
- Do our media, creative, product, and legal teams all understand what data we're collecting and how it's being used?
Test this by asking each team separately. Do they give consistent answers? Or do you get different stories depending on who you ask?
- Is there a process for reviewing advertising campaigns through a privacy lens before they launch?
Who's responsible? What criteria do they use? Or do campaigns launch without privacy review?
- Do we have written guidelines for what types of retargeting or behavioral targeting are off-limits?
Or is it ad-hoc decision-making based on whoever's running the campaign that day?
- When someone opts out of tracking, do we actually stop using their behavioral data for advertising?
Does your consent management platform actually prevent data from flowing to ad platforms? Or does it just stop showing personalized ads?
- Who owns privacy compliance for advertising?
Is it legal's responsibility? Media's? Product's? Or does everyone assume someone else is handling it?
- Have we ever had a campaign raise privacy concerns after it launched?
If yes, what happened? Did you change your process? Or did you just fix that specific campaign and move on?
- Does your privacy policy accurately reflect your actual advertising practices?
When legal writes the policy, do they know what media and product teams are actually doing? Or is there a gap between what you promise and what you practice?
Red Flags to Watch For:
- Different teams give different answers about what data you're collecting
- No formal process for privacy review before campaigns launch
- No written guidelines about what targeting is acceptable
- Campaigns have raised privacy concerns after launch—multiple times
- Your privacy policy doesn't match your actual practices
What to Do With Your Audit Results
Once you've worked through these questions, you'll likely have identified some gaps. That's normal—most organizations have them.
Prioritize your findings based on:
- Risk level: Issues involving sensitive data about vulnerable populations should be addressed immediately
- Scale of impact: Problems affecting large audience segments or high-volume campaigns need attention first
- Ease of fix: Quick wins (like updating ad copy) can be done while you work on systemic changes (like building new audience guidelines)
Then, take action:
- Immediate: Pause any campaigns that clearly violate the "don't reveal more than you should" principle
- Short-term (next 30 days): Create basic guidelines about what targeting and messaging are off-limits
- Medium-term (next 90 days): Establish a cross-functional privacy working group to formalize your approach
- Long-term (next 6 months): Develop a comprehensive privacy charter, campaign review process, and ongoing monitoring system
Next Step: Build Your Privacy Working Group
An audit identifies problems. A privacy working group solves them and prevents new ones from emerging. Learn how to build one for your organization.