In this story one of the directors of the organization is cited as saying that, "... he did not know until this week that the organization was using an outside company to collect data or that collection had expanded from major donors to those who contribute as little as $20. 'Honestly, I don't know the details of how they do it because that's not something a board member would be involved in,' he said"
Big problem here. Knowing the privacy guidelines for personal information collection sufficiently well to know that privacy is not being violated is EXACTLY the responsibility of the board. Hiding this as 'too detailed' for our attention is, at best, a serious misunderstanding the role of governance and privacy. At worst it could quality as malfeasance in office. When you add that the organization in question is the ACLU, you have to add hypocrisy to the mix