Written by Brian Wesolowski
CDT has a few key guidelines for how we collect, use, and retain data about visitors to the CDT website:
- All communications between a user and the CDT website will be performed over an encrypted connection (Transport Layer Security) to greatly reduce the risk of interception.
- CDT’s web server software, Nginx, collects and stores log file data (described below in “What are log files?”) for up to 30 days for site maintenance and to detect and investigate attacks. We also collect device-level analytics data (described below in “What does CDT collect for analytics?”) to help us understand overall trends regarding what content is popular and how visitors navigate and interact with our site. CDT does not use this information for advertising or to otherwise personalize your experience on our site. We do not use log file-based or device-level analytics information in disaggregated form, except for the limited purposes of site maintenance and security.
- CDT does not allow third-party cookies (cookies from companies and organizations other than CDT) to be placed on your computer unless you take a direct action to engage with a third-party tool on our site. However, CDT uses multi-session, first-party cookies to help us understand how people use our site, and how we can make it better. We use Google Universal Analytics software which does not collect personally identifiable information such as name or email address, but does collect information about your device. This analytics data is processed on Google’s servers, but Google only logs a portion of a user’s IP address. CDT only uses this analytics data in aggregate in order to improve the site; we do not personalize any content based on these multi-session cookies.. You can also opt-out of Google Analytics by using this tool.With very limited exceptions (as described below in “CDT’s Disclosure Policies”), CDT does not sell, rent, exchange, or otherwise disclose information about site visitors or people on our mailing lists to third parties.
How does CDT automatically collect information when you visit our website?
CDT’s web server generates and retains log files that record information about visitors that connect to our site. We also use an analytics program called Piwik to collect similar data.
What are log files?
Nginx, our web server software, generates log files — text files that record one line of data each time a browser request is made. For example, a line of data elements (described in detail below) is added to the end of a log file each time a page is viewed or an element on the page is clicked. All log files are automatically deleted after 28 days unless we believe that we need to retain them for longer in order to investigate or report a bug or malicious attack.
CDT logs the following information from users who visit our site:
- Internet Protocol (IP) address: The address of your computer on the Internet. Your IP address gets transmitted whenever you communicate online or surf the Web so that the content you are looking at and the people you are talking to can find your computer on the network in order to respond to you.
- The time and date the browser requested the URL of the page.
- URL of the page that directed (a “referer”) you to our site: If you arrive at our website through a link on another website (a blog, newspaper article, or search engine, for example) our web server will record the address of the web page that referred you to our site, if available. If you arrive at our website by clicking on a search result returned by a search engine, our server will record the search terms that you used when that information is available. However, for search engines that offer encryption (such as Google.com’s organic search results), we do not receive the search terms that you used.
- The web pages within our site: The specific web pages you visit within our site, including the first page you visit (the entry page) and the last page you visit (the exit page).
- Amount of traffic used in the transaction: The total number of bytes downloaded when you browse our site.
- The browser identification (or “user agent”) string: This provides the name, version, and the preferred language of your browser.
How does CDT use log files?
CDT uses its log files only to fix errors on the site and to defend against malicious attacks. If we detect an attack on our site, we will use log file data to try to determine the source of the attack. We may also share or report to law enforcement or other service providers (such as denial-of-service mitigation service providers) information about malicious attacks.
What does CDT collect for analytics?
CDT uses Google Universal Analytics to learn about how people use our site., The data that the software collects about your visit on behalf of CDT and sends to Google’s servers is similar to the log file data described above:
- Your device type, brand, and model
- Your operating system
- Your browser type, plugins, and version
- Pages you viewed on our site and time spent on each page
- Referer type and URL
- Language of your browser
- Country (determined by IP address)
We use Google Analytics with IP address masking activated; this means that Google only receives the first three octets of your IP address (e.g., 100.124.152.100 is logged as 100.124.152.0). This IP masking takes place as soon as data is received by Google’s Analytics servers. At no time is the full IP address stored on Google’s servers as the IP masking process happens in the volatile memory (a temporary data location) on Google’s servers nearly instantaneously after the request has been received. Because your full IP address is never stored on Google’s Analytics’ servers when the anonymization flag is turned on – as it is with CDT’s Google Analytics account – our analytics data will not include your full, individual IP address. Read more about IP Anonymization in Google Analytics.
Can I opt-out of automatic data collection?
Yes, you can opt-out of Google Analytics by using this tool.
Do Not Track
Many browsers offer Do Not Track features that let you communicate to the sites you visit that you don’t want to be tracked around the web. Do Not Track was designed to limit tracking across different sites and services — such as by third-party behavioral ad networks who track users across unaffiliated websites. CDT’s logfile and analytics collection is limited to the sites we own and operate. Since first-party data collection and use is outside the scope of a Do Not Track request, we do not limit our logfile or analytics data collection for users who have Do Not Track enabled.
What information can you choose to share with CDT? How do we use the information you share with CDT?
Except as noted here, CDT uses information that you share with us only for internal purposes. We do not sell, rent, exchange or otherwise disclose any information that we collect about our site visitors, except to process donation transactions, report malicious attacks or as required by law. Specifics types of information include:
If you submit your email address to be added to a mailing list, we will use the email address for the sole purpose of sending you the materials associated with that mailing list. For example, if you sign up to receive our newsletter, we will use your email to send you that newsletter. Each email we send will contain information on how to unsubscribe from our mailing list. You can also unsubscribe by going to our Contact page and request removal from a specific mailing list.
Feedback and Emailing Us
We use your feedback to improve our site and our organization. If you choose to provide information about yourself using our Contact page, we will not use the information for any purpose other than to respond to your inquiry or to act on your suggestion or comment. We will not share your information with others except with your permission or upon your request.
Our site search function is supported by WordPress, an open source Content Management System. CDT records search terms used in searches of our website for analytics purposes. We do not log or correlate search term data with IP address or any other information about our visitors.
If you make a donation to CDT, we will record your name and contact information so that we can acknowledge and thank you for your donation, provide tax-exemption receipts to you, contact you with news that may be of interest or for future donation opportunities, and answer any questions you may have about your donation. At the time of your donation, we may also ask whether we should include you on a list of supporters. Should you wish to opt-out of future communications, you may do so by following the information in the message or by requesting removal. CDT’s donations are currently processed by iATS Payments (described below).
What information is collected by third parties on CDT’s website?
Our website contains some third-party tools, including but not necessarily limited to those listed below. Some of these third-party tools may use their own tracking technology, such as traditional HTTP cookies, when you engage with them during your visit to our website. A traditional HTTP cookie is a unique piece of text that your browser saves on your computer’s hard drive and then retrieves whenever you visit that site in the future. Cookies are often used to track your behavior on the Internet. You can delete and block HTTP cookies through the settings in your web browser. Here is a well maintained website on how to remove cookies.
We have limited the amount of information that these third-party tools can collect about you on our website. However, the following tools may collect data from you when visit pages with these features embedded on our website:
Embedded YouTube Videos
On certain pages on our site, we may embed YouTube videos. Even if you don’t interact with a YouTube video, Google displays the image of the video on our site, and may collect and store log data associated with rendering that image on your device (including IP address and browser configuration). Even if you choose to play a YouTube video, we have configured the YouTube videos we embed to use the “-nocookie” option, so Google will not associate your visit with a Google cookie or account. However, they may collect additional log data associated with rendering the video on your device
Twitter and Facebook
You can share articles and blog posts from our site on Facebook and Twitter. When you click on our site’s sharing buttons for either Twitter or Facebook, your browser will open a new window linking you to Twitter or Facebook. However, because we host the images for the Facebook and Twitter buttons ourselves, Facebook and Twitter are not able to log the fact that you visited one of our pages merely because one of their branded buttons is on that page. They only receive information about your visit to our site if you click on the widget to share through one of those services.
Email a Friend
You can email articles from our site to friends. To use this feature, you must enter your and your friends’ email addresses. This information is processed directly by a form on cdt.org, and will not in any way be logged by CDT or any third party. Emailing articles to your friends will not result in cookies being placed on your computer.
If you choose to use our website to make a donation by visiting our Donate page (https://www.cdt.org/donate), your credit card information (or other financial information used to execute a donation transaction) will be processed by a third-party provider that handles our donations and they will collect information about your device, including IP address, and they will deposit identifiers, such as session cookies (temporary cookies are stored until you close your web browser) on your computer in order to process your transaction.
CDT will not in any way receive or log your credit card information or other sensitive financial information unless you have expressly asked that we do so in order to process regular recurring donations. However, we will record your name and contact information so that we can acknowledge and thank you for your donation, provide tax-exemption receipts to you, contact you for donation opportunities, and answer any questions you may have about your donation. At the time of your donation, we may also ask whether we should include you on a list of supporters.
CDT’s Disclosure Policies
CDT does not sell, rent, exchange or otherwise disclose any information that we collect about our site visitors, except as described in this section or elsewhere in this policy.
We will comply with lawful requests from government agencies that follow appropriate legal standards and procedures. If we receive a request from a governmental entity to disclose information about your activities on our website, we will (unless prohibited by law or court order from doing so) attempt to contact you prior to such disclosure so that you can object. If we comply with a governmental agency’s disclosure request we will subsequently (unless prohibited by law or court order from doing so) attempt to contact you in order to disclose to you the fact that we have disclosed information about you and to tell you what information we have disclosed. We will object to disclosure demands that we believe are improper.
If we receive a request from a non-governmental entity (such as a civil litigant) for disclosure of information about your activities on our website, we will insist that the requesting party obtain at least a subpoena, and we will (unless prohibited by law or court order from doing so) attempt to contact you prior to such disclosure so that you can object. If we comply with a non-governmental entity’s disclosure request we will subsequently (unless prohibited by law or court order from doing so) attempt to contact you in order disclose to you the fact that we have disclosed information about you and to tell you what information we have disclosed. We will object to disclosure demands that we believe are improper.
Finally, we may disclose information to a third party if we reasonably believe that our system has been attacked and the information is necessary to describe the attack.
We also reserve the right to affirmatively share or to provide to law enforcement evidence of malicious attacks or other unlawful activity or content that we detect or collect on our site.
CDT’s Retention Policies
All data that is collected into individualized log files by our web server is deleted within 30 days, unless we believe that we need to retain it for longer in order to investigate or report a bug or malicious attack. We do not have backup storage of our log files.
Aggregated data about visitors to our website – which we will not link back to individual visitors – is maintained indefinitely.
Email addresses submitted to subscribe to mailings lists are retained until the associated users ask to remove their names from the mailing list, except that copies of the mailing list may be retained for one year in backup storage. In the unlikely event that we have technical problems that cause us to revert to a backup copy of a mailing list, our systems may restore a previously removed address to a mailing list. Removal from our mailing list might then require the user to request removal a second time.
Any information you provide us via email or our Contact page on our website (as well as responses, if any, to your inquiry or comment) may be retained indefinitely.
Contact information you provide when making a donation online will be retained indefinitely unless you ask us to delete it.
CDT uses industry-standard security measures to protect the information we collect. An encrypted (Transport Layer Security (TLS)) connection is used throughout the cdt.org website and when you submit a donation through our donation processor. This encrypted connection encrypts your information as it travels across the Internet. For information we automatically collect from site visitors, we employ standard computer and network access control mechanisms to limit access to stored data to our technical staff.
What if I have concerns or want to know what information you have about me?
Feel free to contact us via our Contact page to ask us to disclose to you any information we have about you, and we will within reason attempt to comply with your request. You have the right to correct, update, or delete information that we may have about you.
If you have any concerns about this policy, please contact CDT via our Contact page or call (202) 637-9800. We can also be reached at 1634 Eye Street NW, Suite 1100, Washington DC 20006.