Virtual Programming and Patron Privacy

by Jaime Eastman and the ALSC Children and Technology committee
Crossposted from the ALSC Blog

As libraries continue adjusting services and moving toward more virtual programming options, we’ve often found more questions than answers.  As we experiment, share, and grow together, we’ll continue improving how we interact with and touch our communities, even if our physical spaces are inaccessible.  It’s important that as we do so, we don’t overlook a critical piece of library services:  patron privacy and security.  The forthcoming ALSC Virtual Storytime Services Resource Guide will explore these issues and more.  In the meantime, Deborah Caldwell-Stone, director of the ALA Office for Intellectual Freedom, shared some key thoughts for libraries to consider.  We’ve summarized the highlights of our discussion below.

What information about the Children’s Online Privacy Protection Act (COPPA) should all librarians know and keep in mind when offering virtual programming?

Start by asking, Is this platform COPPA compliant?  As government entities, most public libraries aren’t bound by COPPA.  We are responsible for the activities of our contracted vendors or corporations.  It’s up to us to make sure those vendors are COPPA compliant.  A good rule of thumb:  avoid platforms that require patrons to disclose personally identifiable information (PII).  This includes most social media outlets.  Are there options available that let patrons access content without logging in?  Keep in mind, a parent logging into their own account and sharing screens with a child becomes a gray area.

Key takeaway:  Don’t be so desperate to provide services that you aren’t doing your due diligence.

From a privacy standpoint, are there any platforms that are better for virtual programming?

It’s nearly impossible to find a platform that doesn’t collect at least some metadata.  Instead, look for platforms that collect the least amount of data or allow for anonymous use.  Some social media platforms, like YouTube, have recently taken more steps to become COPPA compliant.  Now content designated as “made for kids” prevents personalized advertising and limits data collection.  Facebook recently launched Messenger Kids, with new features creating a parent-controlled means to reach minors through text-based options.  Other connective platforms, like Zoom, are well aware of their current limitations and are rapidly working to improve offerings.  Vendors who already partner with schools likely have a strong understanding of children’s privacy concerns.  Look for ways to balance security and privacy.  Collecting information may be okay if used for security.  It’s not okay if it’s later being sold.

Keep these questions in mind:

• Are communications encrypted to help limit surveillance?
• Does this platform share or sell user data?
• Is the privacy policy clear on what PII the vendor collections and how they use it?
• Is there a privacy or security officer who can provide additional information?
• Does the platform require disclosure of PII to use, and if so, can libraries obtain a license to limit the PII collected?
• Does the platform have a clear data retention and use policy?

Key takeaway:  While neither ALA nor ALSC will endorse specific platforms, we can provide a list of good characteristics to look for.

From a privacy standpoint, are there any platforms that libraries should avoid for virtual programming?

While libraries protect patron privacy as much as possible, the reality is that some things are beyond our control.  Many privacy steps, like requiring parents to share screens with their children for viewing, are difficult to confirm or enforce.  Registration for programs is one option.  Social media has no friction in interacting with patrons, but the library has no control over what is happening.  Other platforms, like Go to Meeting or WebEx, allow libraries to establish vendor agreements that provide more control.  Nonprofit pricing may also help offset the cost of subscriptions.

Watch for red flags like these:

• The platform can’t or won’t tell you how it uses collected PII.
• You must enter a lot of PII to access the platform, especially for children.
• The platform uses PII for profit rather than performance improvement.
• There aren’t up-front, easily understandable policies.

Key takeaway:  Again, neither ALA nor ALSC will denounce specific platforms, but we can provide a general idea of common red flags.

What technical steps should libraries take to ensure COPPA compliance?

The legislation about children and privacy can be confusing.  While COPPA doesn’t impose obligations upon libraries themselves, it does apply to our third-party vendors.  School libraries must also comply with the Family Educational Rights and Privacy Act (FERPA).  You must ensure library vendors delivering online programs and services to children under 13 are COPPA compliant.  Schools can serve as intermediaries for parental consent.  It’s still a good idea to consult your library’s legal counsel or a privacy expert to ensure you’re following FCC guidelines for parental consent.  Public libraries, though, don’t have a good way to do so.

It’s our obligation to provide patrons with ample notice of our privacy practices and data usage.  Libraries should be aware that choosing a particular platform, even if paired with a disclaimer, could send unintentional messages to patrons.  Choose the best solution for your library and share your privacy practices and data collection/usage policies.

Key takeaway:  Look for vendors and platforms that are already COPPA compliant to provide the most security.

While engaging with patrons through virtual outlets, what steps can libraries take to ensure patron privacy?

Libraries should be careful to use social media in a way that doesn’t collect sensitive information from patrons.  Virtual chats and reference questions through social media are unprotected.  Allowing access to the library website via a social media login, like Facebook, creates a backdoor for information access.  Social media is more appropriate to push out rather than collect information.  Consider other options to engage with the library that complement your social media presence.

Key takeaway:  Be responsible in how you use platforms.  Teach your patrons privacy self-defense to improve their individual experiences.  You may not have everything figured out at first, but it’s okay to adapt and change throughout the process.  We are all doing the best we can with the resources we have.  We’re all learning as we go.

What steps, if any, should libraries take to limit access to their virtual programming?

Virtual programming is much more difficult to control and manage than in-person programming.  Given what we have seen with hacking and malicious use, the best practice is to require some form of patron registration for live programs.  However, to protect patron privacy, look at options like registering by library card number.  This can limit the amount of PII collected, which helps with security and misuse of data.  Keep in mind, privacy and security go hand in hand.  Libraries can then post these recordings afterward, allowing wider access without registration.  Look for resources from the wider tech community to help answer questions about best practices and how to implement them.  Eliminate options like chat rights, screen sharing, open microphones, and commenting.

Key takeaway:  With most virtual programming, libraries need patrons to be attendees but not necessarily active participants.  Find creative ways to provide access without taking away from security.

What are some of the most common mistakes in protecting patron privacy virtually, and how can libraries address them?

The biggest mistake libraries can make is to rush into a platform or service without doing their research.  Take time to research what is available specifically for nonprofits and government agencies.  Quick and easy isn’t always the best solution.  Free solutions generally make either the library or its patrons the product being sold to corporations or the government.  Take a deep breath and slow down before you start using a platform or modality.  Allowing 48 to 72 hours to research and consider isn’t unreasonable.  Consider applications that you can purchase and host on your own server.  For more information, check out Julie Oborny’s “Library Tools” chapter in Protecting Patron Privacy:  A LITA Guide (2017).

Libraries should also avoid creating situations that require either/or use of a service, which forces the patron to use a specific platform to access the content because it’s not available in another format or option.  Have a privacy policy in place that actively covers all platforms, services, and program offerings.  Look at examples for New York Public Library or Multnomah County Library.

Key takeaway:  If your library is having trouble interpreting privacy or data use policies, reach out for help.  Entities like the Office for Intellectual Freedom are available to assist with interpretation and answering questions.  Take a deep breath and go through all the layers – you may have to be good enough and not perfect.

What resources would you recommend for librarians who want more information?

There are many resources available to help untangle privacy concerns and libraries, particularly as they relate to children.

• COPPA Guidance for Ed Tech Companies and Schools during the Coronavirus:  This website includes a giant FAQ for more information.  Section M in particular is relevant to educational institutions.
• Choose Privacy Every Day:  This website is currently pivoting from public facing to more library resources.  While it’s in transition, there are still valuable resources available.
• Guidelines and Checklists for Libraries:  A variety of checklists for all types of privacy concerns, from general information to OPACs.
• Personal Identifiable Information, Parental Consent, and Public Libraries:  A look at the relationship between COPPA, vendors, and public libraries.
• Privacy Toolkit:  An essential resource from ALA to assist in developing and implementing library policies and procedures.
• Security and Privacy Implications of Zoom:  While content in this post is already somewhat dated with Zoom’s continued updates, a worthwhile look at this topic.
• To Zoom or Not to Zoom:  An educator and librarian’s take on using Zoom and its alternatives.

Bottom line:  As libraries, we need to provide services to our patrons, and there’s no way to be 100% secure while we do so.  As librarians, we become “privacy fiduciaries,” taking on the additional duty of care to support and protect patron privacy as much as we are capable.  Libraries must continue to look for that balance between ease of use and privacy/security.  With that in mind, don’t let your quest for perfection be the enemy of good, valuable services that you provide your communities.  As with every new challenge, we will continue to learn and improve together.

These issues of privacy and cybersecurity will be some of the many included in the forthcoming Virtual Storytime Services guide, which is expected by the end of the month.

Jaime Eastman is a Senior Public Services Librarian and the Family Place Coordinator at Harrington Library, one of the Plano Public Libraries.  She currently serves as the chair of the Children and Technology Committee.  She can be reached at jaimee@plano.gov.  All photos courtesy of Pixabay.  Any misunderstandings or misinterpretations are her own.