Protecting user privacy and confidentiality has long been an integral part of the intellectual freedom mission of libraries. The right to free inquiry as assured by the First Amendment depends upon the ability to read and access information free from scrutiny by the government or other third parties. In their provision of services to library users, librarians have an ethical obligation, expressed in the Code of Ethics of the American Library Association and the Library Bill of Rights, to preserve users’ right to privacy and to prevent any unauthorized use of user data. Librarians and libraries may also have a legal obligation to protect library users’ data from unauthorized disclosure.
Libraries enter into licenses or agreements with third-party vendors in order to provide library service to users and to meet library operational needs. Third-party vendors include digital content providers, program facilitators, and even other libraries, such as a consortium. In the course of providing software, hardware, or services, most third-party vendors collect and use library user data for a variety of reasons, including consumer analytics and segmentation, personalization, digital rights management, and digital collection development. Libraries and vendors must work together to ensure that the contracts and licenses governing the collection, processing, disclosure, and retention of library user data reflect library ethics, policies, and legal obligations concerning user privacy and confidentiality.
Choosing a Third-Party Vendor
When libraries start the search for a product or service, there are several ways in which libraries approach vendors about their privacy practices. Libraries should include privacy requirements and questions for the vendor in their Request For Proposal (RFP) or similar bidding process. Requirements and questions can include what data is collected, how the data is collected and stored, how long data is stored with the vendor, and if and how the data is shared with other third parties.
Libraries inviting bids from vendors should also ask questions throughout the search process related to both the service/product and the vendor’s policies and practices around data privacy and security. If the service or product does not meet a privacy requirement listed in the RFP, libraries should ask vendors their plans in addressing that requirement. Libraries should inquire about how the vendor handles data breaches, as well as reports from libraries or users about potential service or product vulnerability.
Agreements, Ownership of User Data, and Legal Requirements
Agreements between libraries and vendors should address appropriate restrictions on the use, aggregation, retention, and disclosure of user data, particularly information about minors. Agreements between libraries and vendors should also specify that libraries retain ownership of all user data and that the vendor agrees to observe the library’s privacy policies and data retention and security policies.
Vendors are strongly encouraged to implement the principles of privacy by design, i.e. products and services should have privacy concerns “built-in, not bolted on.” If currently marketed products do not take into account these privacy guidelines, vendors should incorporate them into future updates. In addition, agreements between libraries and vendors should reflect and incorporate restrictions on the potential dissemination and use of library users’ records and data imposed by local, state, and federal law.
The rights of minors vary from state to state, and the legal responsibilities and standing of library staff in regard to minor users differ substantially in school, academic, and public libraries. Generally, a minor’s right to keep his or her library records private will be governed by a state’s library confidentiality statute; however, in public educational institutions, the Family Educational Rights and Privacy Act (FERPA) also determines the confidentiality and release of minors’ library records.
Vendors who allow minors under the age of 13 access to their platforms must follow the federal Children’s Online Privacy Protection Act (COPPA) and any other state or federal legislation regarding the collection and sharing of minors’ data. Libraries should establish clear privacy policies in conjunction with local, state, and federal agencies that detail how and what data about minors is collected and shared with vendors and schools.
Clear Privacy Policies
Privacy policies should be made readily accessible and understandable to users. Safeguarding user privacy requires that individuals know what information is gathered about them, how long it is stored, who has access to it and under what conditions, and how it is used. There should be a way to actively notify ongoing users of any changes to the vendor’s privacy policies.
The vendor should give users options as to how much personal information is collected from them and how it may be used. Users should have the choice to opt-in to any data collection that is not essential to library operations and the opportunity to opt-out again at any future time. All nonessential data collection should be turned off by default. In all areas of librarianship, best practice leaves users in control of as many choices as possible regarding their privacy.
Access to Personal Data
Users should have the right to access their own personal information and correct incorrect information. Verifying accuracy helps ensure that vendor services that rely on personal user information can function properly. Guidance on how the user can access their personal data should be clear and easy to find. Users should also have the ability to download their personal data into an open file format such as CSV for their own use.
Access to personal information should be restricted to the user, vendor, and library workers as required for the provision of services and administration of the library and must conform to the applicable state laws addressing the confidentiality of library records as well as other applicable local, state, and federal law.
Vendors should have a practice in place to delete user data upon request. Data should be purged from hard drives and servers, not just hidden from view.
Data Integrity and Security
Whenever user data is collected, libraries, vendors, and any subcontractors must take reasonable steps to ensure integrity and security, including compliance with applicable statutory requirements.
Security: Security involves both managerial and technical measures to protect against loss and unauthorized access, destruction, use, or disclosure of data. Security measures should be integrated into the design, implementation, and day-to-day practices of the vendor’s entire operating environment as part of its continuing commitment to risk management. The vendor should seek compliance with published cybersecurity standards from organizations such as the National Institute of Standards and Technology (NIST).
Encryption: The use of data encryption helps enhance security. All online transactions between client applications (web browsers, mobile apps, etc.) and server applications should be encrypted. In addition, any user data housed by the vendor off-site (cloud-based infrastructure, tape backups, etc.) should use encrypted storage.
Data Minimization: Vendors and libraries should only collect, process, retain, or disclose user data sufficient for a specific process or task. Excessive data collection and/or retention puts users at an increased risk in the case of a data breach.
Anonymization: Data used for customer analytics and other types of analysis should be anonymized by removing or encrypting personally identifiable information. While data anonymization is a good practice, it is not foolproof.
Retention: User data should not be retained in perpetuity. Vendors and libraries should establish policies for how long to retain different types of data and methods for securely destroying data that is no longer needed. For example, accounts that are expired or inactive for a certain amount of time should be purged. Retention policies should also cover archival copies and backups. Libraries should refer to record retention laws and policies of governing bodies.
Data Sharing: User data should not be shared with additional third-party vendors or other business associates without user consent. Most state statutes on the confidentiality of library records do not permit the release of library users’ personally identifiable information or data about their use of library resources and services without user consent or a court order.
Government Requests: Vendors and libraries should develop and implement procedures for dealing with government and law enforcement requests for library users’ personally identifiable information and use data. Vendors and libraries should consider a government or law enforcement request only if it is issued by a court of competent jurisdiction that shows good cause and is in proper form. Vendors should inform and consult with the library when it believes it is obligated to release library users’ information unless prevented from doing so by the operation of law. The vendor should also inform users through its privacy policies about the legal conditions under which it might be required to release personally identifiable information.
Privacy protections for library users’ personally identifiable information and usage data should extend to the user’s device, including the web browser or any applications provided by the vendor. All communications between the user’s device and the vendor’s services should be encrypted. If the vendor wishes to employ personalization technology such as persistent cookies on its website or allows third-party web tracking, it should notify the user and give them the chance to opt-in before initiating these features for the user. Users should be aware that enhanced experiences from vendors may require the disclosure of additional personal data.
If a vendor-provided application stores personally identifiable information or use data on the user’s device, it should be encrypted. The user should be able to remove a vendor-provided application and delete any data stored on the device.
Library’s Ongoing Relationship with a Third-Party
Audit and Notification Vendors should establish and maintain effective mechanisms to enforce their privacy policies. They should conduct regular privacy audits to ensure that all operations and services comply with these policies. The results of these audits should be made available upon request to libraries that are customers or potential customers.
Incident Response A vendor that experiences a data breach in its security policies must notify the affected libraries and users about this matter as soon as the vendor is aware of the data breach. The notification timeline, along with what to include in the notification to libraries and library users, differs from state to state, and it is the responsibility of vendors to comply with state data breach notification regulations. Libraries and vendors should plan the incident response procedure and this plan should be included in the vendor contract.
Ending the Library-Vendor Relationship
Libraries that choose not to renew a vendor service or product should work with the vendor to ensure personally identifiable library user data is deleted from the vendor’s systems, including data in backups, archived copies, and system logs.
Vendors that have services or products that allow for user-generated content should allow for library users to export their data in a portable format.
The “Library Privacy Checklist for Vendors” is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in this guideline.
Approved June 29, 2015 by the Intellectual Freedom Committee of the American Library Association under previous title “Library Privacy Guidelines for E-book Lending and Digital Content Vendors”; revised January 26, 2020.