Equipping Everytown to Protect the People Behind the Data
How Everytown for Gun Safety partnered with Agility Lab to turn a privacy gap analysis into lasting, cross-organizational governance — and protect the people at the heart of their mission.
The Situation
Everytown for Gun Safety exists to end gun violence in America. Their work brings them into contact with those experiencing vulnerability, and often, sharing their stories: survivors of gun violence, witnesses to trauma, activists who've put themselves in the public eye to advance a cause that carries real personal risk.
That context makes data privacy not just a compliance matter. It makes it a mission-critical obligation. When an organization collects constituent stories, processes sensitive personal information, and operates at the intersection of public advocacy and private grief, a privacy gap isn't just a legal exposure. It's a potential harm to the people you're trying to serve.
In early 2025, Everytown engaged Agility Lab to conduct a comprehensive privacy best practices audit (an honest assessment of where they stood and what they needed to do to protect their audience with the same rigor they applied to their cause) and to come on board for an ongoing relationship to put the findings into place.
The Challenge
Everytown's privacy landscape is complex by design. They operate across the nation and engage at a grassroots level. That looks like many teams conducting digital fundraising, advocacy and momentum building, direct response, data management, and communications — each with its own tools, vendor relationships, and data flows. In situations like this, privacy decisions can be made across the organization, often informally, without centralized oversight or a consistent framework.
In engagements like this one, Agility Lab looks across four domains: consent collection, technology integrations, personal information handling, and third-party data sharing.
Common gaps include teams handling personal data without a shared privacy framework; vendor data management terms that aren't reviewed on a consistent cadence; consent protocols for volunteers and partners that lack standardization; and data ingestion or third-party sharing processes with inconsistencies that create risk — particularly in pilot and testing phases, where the pace of work can outrun normal review cycles.
The deeper question in every engagement is whether a cross-organizational governance structure exists with the authority and mandate to hold privacy standards consistently across every function. For most organizations, the answer is no.
Agility Lab's Approach
We began with a comprehensive privacy best practices audit grounded in a decision-making framework designed to be both legally sound and operationally practical. Because U.S. state privacy laws vary so significantly — and because Everytown operates at national scale — we anchored our recommendations to the seven principles of GDPR as a floor, while layering in the specific requirements of applicable state laws.
From there, we produced a gap analysis documenting where current practices created compliance exposure, reputational risk, or operational inconsistency. Critically, we didn't stop at identifying problems. We developed Everytown's action plan: a specific set of commitments and operational changes — honoring Global Privacy Control, standardizing Data Processing Addendums, formalizing vendor review cadences, and more — that would put Everytown on a clear path to best-practice compliance without requiring them to rebuild their entire operation.
We also recommended a path that went beyond the audit: the creation of a formal privacy governance structure that could hold these standards over time.
What This Work Has Produced
The audit engagement produced:
- A privacy best practices audit deck reviewing current state across consent, technology, data handling, and third-party relationships
- A detailed gap analysis checklist documenting specific compliance and operational gaps by category
- A clear action plan with prioritized recommendations — including both immediate steps and longer-term governance commitments
- Operational checklists for cookie consent monitoring, data documentation standards, vendor management, and 2x annual compliance review cadences
The ongoing retainer that followed produced:
- The design, launch, and ongoing maintenance of a cross-organizational privacy governance group, helmed jointly by IT and Legal
- A clear mandate for the governance group, including decision-making authority, meeting cadence, and accountability structures
- Standardized protocols for data ingestion, vendor access, volunteer and partner data agreements, and contact list management
- A model for ensuring privacy isn't owned by one team — but is everyone's responsibility, with clear escalation paths when it needs to be
Privacy has become something Everytown does together, not something compliance enforces alone.
What This Means for Your Organization
If your teams are managing personal data without a shared governance framework — or if privacy decisions are happening informally across functions without centralized oversight — you have gaps you may not be able to see from the inside.
Agility Lab's privacy gap analysis process is designed to surface those gaps honestly and build a practical path forward. For advocacy organizations and nonprofits operating with sensitive constituent data, that work isn't optional. It's the foundation everything else rests on.