Understanding the Privacy Practices of Political Campaigns: A Perspective from the 2020 US Election Websites

Abstract

Political campaigns are known to collect private user data, whether for building voter profiles, engaging with volunteers, or for soliciting donations. However, as such campaigns are classified as nonprofit in the United States (U.S.), their privacy practices have not received the same level of scrutiny as those of for-profit enterprises. This paper presents the Polityzer framework to evaluate the privacy posture of political campaign websites, and uses it to analyze 2060 campaign websites active during the U.S. election of November 2020. Our analysis leads to 20 key findings that demonstrate gaps in the privacy postures of political campaigns. For instance, we find that campaigns collect extensive private data they are not required to by the Federal Election Commission (FEC), and a vast majority do not provide any form of privacy disclosure. When disclosures are provided, they are often incomplete. We also found that campaigns may be inadvertently sharing data with other campaigns through common fundraising platforms, without disclosing such sharing. Reporting the lack of privacy disclosure to the respective campaigns yields further insights into the rationale behind their security posture. Finally, we discuss ways in which our results could enable future research, inform emerging privacy regulations, and transform user behavior regarding data privacy in this critical context.