Originally published on Medium.
The short version
When a nonprofit offers a free service and generates revenue by monetizing your data, you are the product. This is especially troubling for intimate data: health, mental health, behavioral patterns of people in crisis. The greater-good defense ("we use these insights to help people") rarely traces clearly from "sold anonymized health data" to "helped someone." GDPR forces transparency in the EU; the US has only sector-specific protections like HIPAA and FERPA. AI makes this more urgent because machine learning extracts deeper insights and infers sensitive information you never explicitly shared. The call isn't to stop monetizing data. It's to be honest about it and require informed consent from vulnerable populations, especially children.
A Disclaimer
I want to be clear upfront - I'm not writing about any single nonprofit. I'm writing about a pattern I'm seeing across the sector. The specific examples below are illustrative, not accusations.
If You're Not Paying, You Are the Product
That phrase gets thrown around a lot about Silicon Valley tech companies. But it applies equally to nonprofits.
When a nonprofit offers a free service and generates revenue by selling insights about your data or licensing your information to other organizations, you are the product. Not the customer.
Your Data as a Commodity
This is particularly troubling when the data is intimate. Health data. Mental health data. Behavioral patterns of people in crisis.
That data has value. Pharmaceutical companies want to know about drug efficacy. Insurance companies want to know about risk patterns. Employers want to know about productivity and wellness. Researchers want datasets to train models.
None of these uses are inherently bad. But the question is: did you consent? Did you understand?
The "Greater Good" Defense
Many nonprofits defend data monetization with the greater good argument. "We use these insights to help people."
But here's the problem: it's hard to trace from "we sold anonymized health data to a pharmaceutical company" to "this actually helped people." The connection is theoretical.
And in the meantime, your intimate information is in someone else's database.
The Ethical Dilemma
It gets worse when children are involved. A child using a mental health app consented to what, exactly? Their parents consented to what?
There's a difference between implicit and informed consent. "You can use this app" is not the same as "we will monetize insights from your mental health data and share them with third parties."
Transparency and Accountability
The EU's GDPR has forced some transparency and accountability around data. If a company processes your data, you have rights. You can ask what data they have. You can ask who they shared it with.
The United States has no equivalent. We have sector-specific rules - HIPAA for health, FERPA for education - but no comprehensive framework.
The Vulnerability Problem
Here's what really bothers me. People using these services are often vulnerable. They're in crisis. They're struggling with mental health. They're desperate for help.
When you're desperate, you don't carefully review privacy policies. You don't contemplate the long-term implications of handing over your data. You just sign up because you need help now.
AI as a New Frontier
AI makes this all more urgent. Machine learning algorithms can extract deeper insights from data than ever before. They can predict behavior. They can infer sensitive information you never explicitly shared.
The data you gave to a nonprofit five years ago becomes infinitely more valuable and infinitely more revealing with modern AI.
The Call for Honesty
I'm not saying nonprofits shouldn't monetize data. I'm saying they should be honest about it. Product leaders building AI features face the same question: when the data your users generate becomes the product, who owns that relationship? The Trust and Safety chapter covers how to build those guardrails into the product from day one.
If you're offering a free service and generating revenue from user data, say so. Be transparent about:
- What data you collect
- How you use it
- Who you share it with
- What legal protections apply
- What users can do to opt out
And for vulnerable populations - especially children - you need informed consent. Real informed consent. Not fine print. Not "the service is free because we monetize your data." Clear, explicit agreement.
What Comes Next
This matters because the line between nonprofits and for-profits is blurring. Many "nonprofits" are now venture-backed. They have exit strategies. They're businesses wearing nonprofit clothing. For a broader view of where AI product ethics intersect with business model design, see When Not to Use AI and Agents vs. Workflows vs. Automations.
That's not inherently bad. But it means they should follow the same ethical and legal frameworks as for-profit companies.
Transparency. Accountability. User rights. Informed consent.
Your data is valuable. If someone is profiting from it, you should know. You should understand what's happening. And you should have the right to say no.
Also on Medium
Full archive →AI Agents and the Future of Work: A Pixar-Inspired Journey
What product managers can learn about AI agents from how Pixar runs a film team.
Many AI Agents Are Actually Workflows or Automations in Disguise
How to tell agents from workflows from cron jobs, and why it matters for what you ship.
Frequently asked
Can nonprofits legally sell user data?+
In the US, there is no comprehensive data privacy law that prohibits it. Sector-specific rules apply: HIPAA covers health data, FERPA covers education records. Outside those sectors, nonprofits can monetize user data with disclosure in a privacy policy, even one most users never read. The GDPR provides much stronger protections in the EU, including the right to know what data is held and who it was shared with.
What is the greater-good defense and why is it problematic?+
The greater-good defense is the argument that monetizing user data is justified because the insights help people at a population level. The problem is that the chain from 'we sold anonymized health data to a pharmaceutical company' to 'this helped a specific person' is nearly impossible to trace. The individual bears the privacy cost while the benefit is diffuse and theoretical.
How does AI make data monetization by nonprofits more concerning?+
Machine learning can extract far deeper insights from historical data than was possible when users consented. Data donated five years ago under a simple privacy policy may now reveal health predictions, behavioral patterns, or sensitive inferences the user never explicitly shared. The value of the data, and the risk, compounds as AI capabilities improve.
What does informed consent look like for vulnerable populations?+
Real informed consent for vulnerable users (people in mental health crisis, children, people in financial distress) means plain-language disclosure before signup, not buried in terms and conditions. It means explicitly stating: what data is collected, how it is used, who it is sold or licensed to, and what the user can do to opt out. Fine print does not constitute informed consent when the user is in crisis.
What practical steps can a product leader take to build ethical data practices?+
Audit the data flow before any monetization decision. Map every data source to every third-party recipient. Require vendor contracts that prohibit training on your user data. Build a trust center that documents data practices in plain language. For any vulnerable population segment, run explicit opt-in consent rather than opt-out. Then review the entire chain annually as AI capabilities change.
Comments (0)
Sign in with LinkedIn to leave a comment.
Sign in with LinkedIn