🚨We’re hosting an AMA with email deliverability expert Al Iverson! Reply directly to this email to drop your questions on all things deliverability by October 8th.

Data privacy isn’t just a box to check — it’s a way to build supporter trust.

Ahead of a Civic Shout Foundation webinar on this topic, I talked to Elyse Wallnutt of Agility Lab Consulting, who has helped organizations prepare for this new era of supporter acquisition, about what a data privacy-first approach looks like for nonprofits.

Sara Cederberg: What does it mean for nonprofits to take a “privacy-first” approach to list growth?

Elyse Wallnutt: Instead of “how many people can we add as quickly as possible,” it’s “how do we build a list of people who want to hear from us?” 

A privacy-first approach centers transparency, consent, and value exchange. It tells people clearly what they’re signing up for and respects their choices. 

SC: What would you say to a group thinking about buying lists to send unsolicited messages?

EW: Don’t do it! 

Purchased lists are almost always low-quality, high-complaint, and a quick way to damage your sender reputation. 

Instead of chasing vanity metrics, invest in storytelling, partnerships, and channels that attract people who actually want to hear from you.

SC: How can email teams build trust with supporters while still growing fast?

EW: Speed and trust aren’t opposites. The fastest growth actually comes from people who feel respected and stick around. 

That means no hidden pre-checked boxes, clear confirmation language, and delivering on promises in the welcome series. 

When people get what they expect and it feels useful, they stick around longer, which compounds growth. 

SC: What are some easy tweaks to signup forms that make consent clearer?

EW: Be clear with supporters about why you’re asking for their information and how you’ll use it. 

Use plain, accessible language instead of legal jargon, and set expectations by sharing how often and in what ways you’ll be in touch.

Make your privacy policy visible and easy to find to build trust. It might feel risky, but give supporters the chance to actively opt in — removing pre-checked boxes helps ensure consent is genuine and data quality is stronger.

SC: How should practitioners think about consent differently for email vs. SMS?

EW: SMS requires a higher bar. It’s more personal, more interruptive, and more tightly regulated. Supporters expect fewer, more purposeful texts.

The biggest thing I encourage email practitioners to do is include your legal team in vetting your SMS opt-in strategy. 

I know that the more cooks in the kitchen, the slower the project goes. But this really is the place where organizations have faced lawsuits before — so you don’t want to allow siloing in your decision-making. 

SC: Why does leading with strong data privacy values matter for list growth, not just compliance?

EW: In my work with clients, we map what they want their organizational privacy values to be. 

This helps ensure that privacy becomes part of the organization's culture and that everyone is aware of its risk tolerance. 

Compliance is about “what’s the minimum we can get away with,” while values are about “how do we want to be in relationship with our supporters?” 

It’s essential to understand where your organization sits on these key pieces.

SC: How can stronger content help bring in supporters who are more engaged?

EW: In times I’ve tested it with clients, we actually found that list opt-in rates did not suffer when they opted for an explicit opt-in strategy, which means their content and trust foundation was strong. 

Strong content with a story or action that really resonates filters in the right people. 

SC: What questions should nonprofits be asking vendors about data ownership and protection?

EW: When vetting vendors, start by asking about their Data Processing Agreement and who legally owns the supporter data exchanged through their platform. 

It’s also critical to know where the data is stored and processed, since overseas storage can trigger additional obligations.

From there, dig into how the vendor uses supporter information: Do they ever share, sell, or repurpose it? 

Clarify how consent is captured and documented, and what happens to the data when the contract ends — including their retention and destruction policies, and whether they provide proof of compliance.

SC: If a digital leader wanted to start tomorrow, what three steps should they take to be more data-friendly in list growth?

EW: Begin by auditing your signup flows to ensure they’re transparent, consent-driven, and properly connected to your internal systems. 

Then map out the value exchange — what supporters actually get when they sign up — and ensure it’s compelling. 

Finally, tighten operations by clarifying which staff and vendors have access to supporter data and making sure everyone understands their responsibilities.

The bottom line
Nonprofits that prioritize data privacy grow stronger email lists by focusing on transparency and consent.

Grow-big-quick strategies, such as list-buying, may pad vanity metrics — but real, lasting growth comes from trust and high-quality content.

'Til next time!
Sara
