Privacy experts are concerned that the way presidential campaigns collect, store and sometimes sell personal data is putting people at risk in ways they might not anticipate when they fork over their email address or make a donation.

Campaigns increasingly seek to build sophisticated data sets that can help them gain an edge, much the way President Obama’s campaign did in 2012.

{mosads}But unlike in the commercial sector, campaign data remains a kind of Wild West, with the candidates under no obligation to safeguard the information.

A recent report by the Online Trust Alliance (OTA) found that only six of 23 presidential campaign sites for 2016 met sufficient standards on privacy, security and consumer protections.

“It’s not just your credit card information [campaigns are collecting],” Craig Spiezle, executive director of OTA, told The Hill.

“Many of the sites will ask you profile questions when you donate. What is your view on gun control? On women’s rights? There’s a good reason a candidate would want to know that, but what happens when that’s let out?”

There’s no real consensus on whether campaign data practices should be monitored or regulated. Legal experts note the heightened protections that the First Amendment gives to political speech.

“There really is very little regulation in this area because you have the fear of the First Amendment and infringing on the constitutional right to communicate with voters, and that is really what the data is being used for,” Glen Kopp, a white-collar crime attorney and former assistant United States attorney, told The Hill.

Still, “it’s one thing to try to limit the ability of campaigns to collect the data,” Kopp said. “It’s another thing to say you have a First Amendment right to poorly protect the data.”

The OTA study found that most of the 2016 campaigns were doing a pretty good job of protecting voter data from a technical perspective — most encrypt transactions, for example — while falling woefully short on privacy protections.  

There are several major distinctions between how campaigns and the commercial sector are expected to handle personal data.

For one thing, campaigns are largely exempt from many of the communications laws that apply to businesses, such as anti-SPAM laws.

For another, it’s unclear who would have responsibility for oversight of campaign data collection. There’s no consensus on what federal agency, if any, would take enforcement action against a campaign in the event of a hack.

The Federal Trade Commission (FTC) is seen as the de facto cop on the beat for commercial cybersecurity, having brought more than 50 data security cases against companies accused of lax digital practices.

But those who watch campaign data practices closely say the FTC isn’t likely to wade into the political realm, since their bailiwick is consumer protection.

The Federal Election Commission (FEC), which regulates campaign financing, is also likely to pass on cyber regulation.

An FEC representative told The Hill, “I’m not sure how campaign cybersecurity would fit” into the agency’s mission.

There’s also the question of whether commercial standards for data protection are adequate for campaign data, since the information given to campaigns is often far more personal than a credit card number.

“Is the commercial standard sufficient for politics?” said Ira Rubinstein, a fellow at New York University who has written extensively on privacy in the big data era. “We’re not talking about which sneaker I want to buy. We’re talking about exercising the right to vote as a basic democratic right.”

Campaigns often reserve the right to sell voter data to other groups with similar politics, a practice that consumers have rebelled against in the commercial world.

While most business give people an option to opt out if they do not want their email address used or shared, that option is rarely offered on campaign websites.

The question of what happens to data freely given to a campaign grows more pressing as the election progresses and more candidates drop out.

Lincoln Chafee on Friday became the latest candidate to quite the race, following in the footsteps of Jim Webb, Rick Perry and Scott Walker. All of the campaigns now have to decide what to do with the information they collected.

“As different campaigns fold up shop on their way to the nomination, what do they do with their databases? Do they throw them out, donate them to the nominee, sell them to a commercial entity?” Rubinstein asked.

The practice of selling or passing along voter data isn’t new, but the stakes are higher in an era when sophisticated data-collection machines in both parties are aggregating vast swaths of information from countless sources.

The problem, according to Spiezle, is that there’s just no way to know how campaigns will use the data they’re given.

According to the OTA study, four campaign sites don’t even have published privacy policies.

“It’s not clear what they are doing or aren’t doing, but it’s clear in their privacy policies that they’re reserving the right to do what they want to do,” Spiezle said.

Some candidates are explicit in their practices, offering voters some idea of what they’re agreeing to when they provide information.

Former HP executive and GOP hopeful Carly Fiorina’s policy states that the campaign “may provide or sell your email address or other personal information to third parties for fundraising or other purposes.”

That so-called “promiscuous policy” is part of what the reason why OTA gave her campaign a failing grade in its study.

Other high-profile candidates that received failing grades include Republicans Donald Trump and Marco Rubio and Democratic front-runner Hillary Clinton.

Republican Jeb Bush and Democrat Martin O’Malley made the sudy’s “honor roll,” as did Chafee and Walker.

Spiezle said he got no pushback from campaigns that received failing grades, with the exception of Louisiana governor Bobby Jindal (R), whose campaign threatened a cease-and-desist order after the study was published.

Jindal’s campaign did not respond to requests for comment.

Even though polls show voters would be less likely to vote for a candidate whose campaign buys information about their online activities in order to tailor its messaging —so-called “microtargeting”— onlookers say the status quo is likely to persist for now.

“Politicians don’t really have a lot of incentive to pass legislation to limit or somehow impinge on their ability to collect and use data because they’re the ones doing it,” Kopp said.