Why "Track Everything" Is No Longer the Answer for Nonprofits
Jan 07, 2026
Back in 2023, I wrote about the need to question whether we really need to install certain tracking. At the time, the focus was largely on understanding what you're collecting and protecting your audiences from inadvertent data sharing — the kind that made headlines when organizations like FAFSA and major hospitals were discovered passing sensitive information to Meta.
Fast forward to 2026, and the landscape has shifted dramatically. The calculus has changed from "track everything and ask questions later" to "track strategically and be prepared to defend every choice."
For nonprofit leaders, this isn't just about good data hygiene anymore. It's about understanding two fundamental realities that make a more thoughtful approach to tracking not just wise, but necessary.
Your Constituents Can Now Request a List of Everyone You've Shared Their Data With
Several states have enacted data privacy laws that give consumers the right to know exactly which third parties have received their personal information. While some states carve out exemptions for nonprofits, others — like Oregon, Connecticut, and Minnesota — do not.
Think about what that means in practice. Every pixel you place, every tracking tag you install, every marketing platform you integrate potentially becomes a line item on a list that a constituent can request. And you're legally obligated to provide it.
The more liberally you've approached tracking, the longer that list becomes. And the longer that list, the more questions you may need to answer. Why is this nonprofit sharing data with that ad tech company? Why did my email address end up with this data broker? Even if no personally identifiable information (PII) traveled with a specific pixel, you'll need to verify that, document it, and be prepared to explain it.
This isn't a theoretical concern. It's a compliance obligation that requires you to maintain an accurate inventory of your data sharing practices. Every pixel, every integration, every third-party relationship needs to be documented, understood, and periodically reviewed to ensure it aligns with both your policies and your values.
The old approach — install now, audit maybe later — simply doesn't hold up when constituents have the legal right to pull back the curtain.
Private Right of Action Considerations
California allows individual consumers to sue organizations directly for data privacy violations through what's called a "private right of action." That means a consumer doesn't need to wait for the state Attorney General to bring an enforcement action. Any person can file suit.
While nonprofits are largely exempt from California's law, multiple states have attempted to include private rights of action in their data privacy legislation. Those efforts have been unsuccessful so far, but the trend line is clear: lawmakers are trying to put more enforcement power directly in the hands of consumers.
Massachusetts is expected to pass legislation in 2026 that (as of the time of this writing) includes a limited private right of action and, crucially, does not exempt nonprofits. This fundamentally changes the risk profile around tracking decisions.
When enforcement depends solely on state Attorneys General, the reality is that resources are limited and priorities vary. Individual violations might fly under the radar. But when any constituent can file suit? The landscape becomes far less forgiving.
This matters because enforcement mechanisms are constantly evolving. What felt like an acceptable risk profile last year may look very different today. And what looks manageable today could shift tomorrow as more states consider similar provisions.
What This Means for Your Tracking Strategy
The message here isn't that you should eliminate all tracking or abandon data-driven marketing. It's that the era of installing every available pixel "just in case" is over.
Instead, your approach should be:
Intentional: Only implement tracking that serves a clear, documented business purpose. Be prepared to articulate why each piece of tracking exists and what value it provides that justifies the risk and compliance burden.
Minimal: Collect only what you need, share it with as few third parties as possible, and regularly prune tracking that's no longer serving its intended purpose. Remember: each additional tracker is another entry on that list your constituents can request.
Documented: Maintain a current inventory of all tracking, including what data is collected, where it goes, and what business justification supports it. This isn't just good practice—it's a compliance requirement in many jurisdictions.
Cross-functional: Your marketing team can't make these decisions in a vacuum. Legal, risk, and leadership need to be part of the conversation about what tracking serves the mission and what doesn't.
The Bottom Line
The question I posed in 2023 — "Do we really need to install that tracking?" — is even more urgent now. But it's not just about whether you need it. It's about whether you can defend it, explain it, and stand behind it when constituents ask questions or enforcement actions arise.
As data privacy laws continue to evolve and enforcement mechanisms shift more power to individual consumers, nonprofits need to take a more conservative, strategic approach to tracking. Your mission depends on maintaining constituent trust. And nothing erodes trust faster than being unable to explain why you're sharing someone's data with dozens of third parties.
The days of "track everything" are over. Welcome to the era of "track what matters."
Need help auditing your current tracking setup or developing a strategic approach to data collection that balances mission needs with privacy obligations? I work with nonprofit leaders to navigate these exact challenges.
Contact me about customized workshops for your team, ongoing support with compliance documentation, privacy policy development, and more.
Quick Data Privacy FAQs
- Q: Do data privacy laws apply to nonprofits? A: Yes. States like Oregon, Connecticut, and Minnesota do not exempt nonprofits from data privacy requirements, including third-party disclosure obligations. Your legal counsel can advise on which states need to be in your specific consideration set depending on your size, mission purview, and data-sharing activities, and Agility Lab can help you set that plan into motion.
- Q: What is a private right of action in data privacy? A: A private right of action allows individual consumers to sue organizations directly for privacy violations without waiting for state Attorney General enforcement. California has this; Massachusetts is expected to pass similar legislation in 2026.
- Q: What should nonprofits track on their websites? A: Only tracking that serves a documented business purpose, with minimal third-party sharing, full documentation, and cross-functional approval.