You've got 500 entries in a spreadsheet. Someone has to win. The obvious move is to add a column with =RAND(), sort by it, and pick the top row. It works, everyone does it, and it's slightly broken. Here's how to do it properly.
The Problem with RAND()
Excel's RAND() and Google Sheets' RAND() both use pseudorandom number generators. In Excel's case, it's the Mersenne Twister (since Excel 2010). In Google Sheets, the algorithm isn't publicly documented. Both are fine for statistical simulations, but they have a quirk that matters for drawings: RAND() recalculates every time the spreadsheet changes.
Add a column of =RAND(), sort by it, and the winner is row 1. But press Ctrl+Z to undo, and the RAND values regenerate — now a different person is on top. Resize a column? New values. Open the file tomorrow? New values. The "result" isn't stable, which means it's not auditable. If someone challenges the outcome, you can't reproduce it.
There's also a subtler issue: sorting by RAND() in a spreadsheet doesn't perform a proper Fisher-Yates shuffle. Depending on the sort algorithm Excel uses internally, there can be a slight positional bias — entries near the original top of the list may have a marginally higher or lower chance of ending up first after sorting. The bias is small (fractions of a percent for most list sizes), but it exists, and it's entirely unnecessary.
How to Run a Fair Drawing
A defensible random drawing has four properties: uniform probability (every entry has the same chance), reproducibility (the result can be verified), transparency (the process is documented), and integrity (entries aren't manipulated after submission).
Step 1: Lock the Entry List
Before you draw, freeze the list. Export it as a CSV or copy it to a clean file. No more additions, deletions, or edits. Record the total entry count and a timestamp. If you want to go further, hash the file (SHA-256) so you can prove the list wasn't modified after the freeze.
sha256sum entries.csv > entries-hash.txt
Anyone who has the CSV and the hash can verify the list is the same one you drew from.
Step 2: Remove Duplicate Entries
Decide your duplicate policy before you draw, not after. Common approaches:
- One entry per person: Deduplicate by email address or name. Be explicit about which field you're using.
- Multiple entries allowed: If your rules allow multiple entries (e.g., extra entries for sharing or referring), keep them all, but verify each one is legitimate.
- Unique identifier required: Require a unique field (email, phone number, social handle) so deduplication is unambiguous.
Document how many entries were removed and why. "500 entries submitted, 12 duplicates removed by email address, 488 entries in final list."
Step 3: Shuffle, Don't Sort-by-Random
Instead of adding a random column and sorting, shuffle the entire list using a Fisher-Yates shuffle and take the first entry. Fisher-Yates guarantees that every permutation is equally likely (assuming the underlying RNG is unbiased), which means every entry has an exactly equal probability of ending up in position 1.
You can do this with our list shuffler — paste your entries, click shuffle, and the first item in the result is your winner. If you need multiple winners, take the first N.
For extra rigor, use a tool backed by crypto.getRandomValues() rather than Math.random(). Our list shuffler uses Math.random() (Fisher-Yates), which is fine for fairness — the bias from Math.random() is on the order of 2^-52, which is irrelevant for lists under a few billion entries — but if your audience includes cryptography-conscious participants who might scrutinize the method, using a CSPRNG-backed shuffle eliminates the objection entirely.
Step 4: Document Everything
Screenshot or record the process. At minimum, document:
- The final entry list (with count)
- The tool or method used for selection
- The date and time of the drawing
- The result
- Who was present during the drawing (if applicable)
For high-value giveaways, consider doing the drawing live on video. It doesn't need to be fancy — a screen recording of you pasting the list into a shuffler and clicking "shuffle" is sufficient. The point is creating an artifact that proves the outcome wasn't cherry-picked.
Legal Considerations for Sweepstakes in the US
If you're running a giveaway in the United States, there are actual laws you need to follow. This is not legal advice — consult a lawyer for your specific situation — but here are the basics that catch people off guard:
Sweepstakes vs. Contest vs. Lottery: A sweepstakes is a random drawing (winner chosen by chance). A contest selects winners based on skill or merit. A lottery requires payment for entry + selection by chance. Lotteries are illegal for private parties in all 50 states — only government-operated lotteries are legal. If your giveaway requires a purchase to enter, it may legally be classified as a lottery. Always provide a free entry method (a "no purchase necessary" alternative, like mailing in an entry).
Official rules are required. Sweepstakes of any meaningful size should have published official rules covering: eligibility (age, residency), entry period, how winners are selected, prize description and approximate retail value, odds of winning, how winners will be notified, and the sponsor's name and address.
State registration: Some states require sweepstakes to be registered if the prize value exceeds a threshold. New York requires registration for prizes over $5,000. Florida requires a trust account for prizes over $5,000 and registration with the Department of Agriculture. Rhode Island requires registration for prizes over $500. Check the rules for every state where your entrants might reside.
Tax reporting: Prizes valued at $600 or more require the sponsor to file a 1099-MISC with the IRS. The winner is responsible for paying income tax on the prize value. For prizes over $5,000, you may be required to withhold 24% for federal taxes. You need the winner's SSN or TIN to file the 1099, which means your winner notification process needs to include collecting this information.
Void where prohibited: Some states and jurisdictions have specific restrictions. Including "void where prohibited" in your rules is standard, but you should actually check where it's prohibited rather than using it as a blanket disclaimer.
Preventing Duplicate and Fraudulent Entries
Duplicate entries are the most common integrity problem in online giveaways. Depending on your rules, here are common mitigation approaches:
Email verification: Require entrants to confirm their email address via a verification link. This prevents someone from entering 100 times with fake emails. It doesn't prevent someone from using 100 real email addresses, but it raises the effort considerably.
CAPTCHA or rate limiting: Add a CAPTCHA to your entry form and limit submissions per IP address. This blocks automated bulk entry scripts. Don't rely on IP limiting alone — many legitimate users share IPs (corporate networks, universities, VPNs).
Social account linking: Require entry through a social media account (Twitter, Instagram, etc.). This ties entries to accounts that have some cost to create and maintain, making mass-entry harder.
Manual review: For small giveaways (under 1,000 entries), manual review of the entry list before drawing is feasible and catches obvious patterns — clusters of similar email addresses, entries from the same IP in rapid succession, names that are clearly fake.
The Takeaway
Running a fair giveaway isn't complicated, but it requires more intention than dragging a RAND() column. Lock your list, deduplicate it, shuffle with a proper algorithm, and document the process. If there's real money involved, check your state's sweepstakes registration requirements and get legal advice.
Our list shuffler handles the randomization part — paste your entries, shuffle, and take the top result. For everything else, document your process and make it verifiable.