Your CRM has names, addresses, emails, giving history, and behavioral data on every supporter in your program.

Your shared drives might have even more.

If the rules around how you collect and store that data change, your email program could be directly in the crosshairs.

At the 2026 Nonprofit Technology Conference, Kim Snyder of Meet the Moment and Lauren Feldman Hay and Diona Peddie of Fountain House walked through the risks and what nonprofits should actually do about them.

The regulatory picture
More than 20 states now have privacy laws on the books, and the protections keep getting broader.

Nonprofits are currently exempt from many of them, but that exemption is narrowing.

The practical question we emailers should be asking ourselves: will my current practices hold up when the rules expand to cover my organization?

That means how you collect emails, what consent language lives on your signup forms, and whether you could honor a supporter’s request to delete their data.

The AI risk your team might not see
There are three categories of data risk: external attackers, internal human error, and a newer one you’re probably familiar with — the use of AI tools that send data to third-party platforms.

If you’re pasting donor segments into ChatGPT to brainstorm copy or uploading lists to test a new feature, that data may be used to train someone else’s model.

Real people at the AI company may be reading what you type in. Those conversations might be stored indefinitely.

The presenters put it simply: adoption is outpacing governance. Most organizations are using AI tools. Most don’t have a policy for them.

They also cited a noteworthy stat: nearly 83% of phishing emails now contain AI-generated elements, possibly from models trained on emails from organizations like yours.

As scam emails get harder to spot, supporters get more skeptical of everything in their inbox … including your fundraising appeals.

The liability line
The session introduced a concept that I think many of us need to hear: the value of holding onto data decreases over time while the risk increases.

That old list you haven’t touched in years? It’s worth less to your program today than it was when you built it, and it’s riskier to keep.

How to mitigate risk
Audit what you’re holding on to. You should know exactly what kind of supporter data you’re sitting on: giving history, survey responses, and geographic data — to name just a few.

Check who can access (and export!) your email list. How many people can pull a full subscriber export right now?

Do former staff or old agency partners still have logins? Tighten permissions to the people who actually need them.

Clean up what you’re storing. A suppressed donor segment from 2018 might still live in your CRM. Do you still need it?

Or how about that old unsubscribe export in the downloads folder of your desktop?

Set ground rules for AI use on your team. If your team is using AI to draft appeals, brainstorm subject lines, or analyze supporter data, it’s essential to put basic guardrails in writing.

The bottom line
Privacy laws are expanding, AI is creating new exposure, and your supporters are definitely paying closer attention to where their data goes.

You don’t need to overhaul everything at once!

Define what types of supporter data you’re holding on to and who has access to the tools that store your data, and create policies for how your team uses AI.


‘Til next time!
Sara
