As nonprofits work to better understand and serve their communities, I'm often asked about how they should proceed in collecting sensitive demographic data, such as race, gender identity, ZIP code, or health information.

These efforts are often rooted in values, a commitment to inclusion, a desire to reach underserved groups, or a need to demonstrate impact to funders.

But collecting sensitive data also comes with legal, ethical, and trust-based responsibilities that must be handled with great care.

So when nonprofit teams ask me:

“Can we collect demographic data to better understand whether we’re serving our full community?”

My answer always starts here:

Before collecting any sensitive data, ask: Do the risks to our supporters outweigh the benefits to our mission?

That risk calculus shouldn’t stop at breach prevention. It requires a clear-eyed understanding of:

• Who will access the data,

• How it will be used, and

• What that use communicates to the people you’re trying to serve.

Key Questions to Ask Before You Collect Sensitive Data

1. Why are we collecting this data?
If your reason is vague or still evolving, it’s likely not the right time. Define a specific, purposeful goal first.

2. How will it be used, and by whom?
Will it be used for internal equity analysis? Fundraising segmentation? Advertising? Will any of it be shared with vendors? Each use case carries its own legal and ethical implications.

3. Have we clearly disclosed that use to supporters?
If the data could be used in ad platforms, shared with partners (including data brokers or vendors), or applied to audience segmentation, that could qualify as the sale or sharing of sensitive data under U.S. state privacy laws. As of 2025, more than 10 U.S. states currently require enhanced disclosures and consent procedures for this kind of processing and that number is growing.

4. Did we obtain explicit, opt-in consent?
Many states now require affirmative consent for the collection or use of sensitive data. Without it, even well-meaning actions may violate the law or betray constituent trust.

If You Decide to Collect Sensitive Data, Proceed with Care

• Only collect what you truly need.

• Limit internal and external access.

• Obtain clear, informed consent, especially for outreach or marketing.

• Track how and where the data flows once collected, including partner platforms.

• Update your privacy policy to reflect all collection points and intended uses.

And before you proceed, ask:

If our supporters read how their data is being used, would they feel respected -- or would they feel surprised?

Trust Is Your Greatest Asset

Nonprofits hold a deep kind of trust -- one that’s earned through transparency, care, and accountability. Protecting that trust means protecting your audience above all else.

--

If your organization is thinking about how to approach this work with clarity and confidence, or you're ready to help your team embrace consent-based operations, let's talk.