Chapter 1. Introduction and Demographics

In an increasingly distributed online environment, libraries find themselves challenged in their efforts to uphold core professional tenets focused on patron privacy. The tension is not new. At a broad level, the US Federal Trade Commission (FTC) has been studying online privacy issues since 1995, releasing several reports to Congress, including Privacy Online: Fair Information Practices in the Electronic Marketplace.1 Even earlier, with origins dating to 1973, before the advent of the modern web, the FTC released its Fair Information Practice Principles, which “included a blend of substantive (e.g., data quality, use limitation) and procedural (e.g., consent, access) principles” that “reflected a wide consensus about the need for broad standards to facilitate both individual privacy and the promise of information flows in an increasingly technology-dependent, global society.”2 In 2015, the National Information Standards Organization (NISO) released its NISO Consensus Principles on User’s Digital Privacy in Library, Publisher, and Software-Provider Systems. The preamble notes, “The management of information resources increasingly involves digital networks that, by their nature, include possibilities for tracking and monitoring of user behavior. . . . Libraries, publishers, and software-providers have a shared obligation to foster a digital environment that respects library users’ privacy as they search, discover, and use those resources and services.”3 Tilting the focus even more specifically toward libraries, the American Library Association (ALA) released its first comprehensive Privacy Tool Kit in 2005. This guidance has subsequently been revised and updated through the efforts of ALA’s Office for Intellectual Freedom and the Intellectual Freedom Committee (and associated Privacy Subcommittee). Indeed, ALA has long been a staunch advocate of patron privacy, as evidenced by its extensive research, advocacy work, and published statements, including the following:

• “Policy on Confidentiality of Library Records”4
• Privacy: An Interpretation of the Library Bill of Rights5
• Resolution on the Retention of Library Usage Records6
• “Policy Concerning Confidentiality of Personally Identifiable Information about Library Users”7

The present Privacy Tool Kit’s introduction notes,

The danger of invasion of personal privacy is a very real concern and often challenges existing library state privacy and confidentiality laws. . . . In too many cases, busy librarians are not making the connections between new technology and the threats to users in the form of invasion of privacy. This threat to privacy stifles intellectual freedom and the freedom to read.8

An oft-quoted foundational passage from Privacy: An Interpretation of the Library Bill of Rights notes, “In a library (physical or virtual), the right to privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others.”9 ALA’s Resolution on the Retention of Library Usage Records notes, “The American Library Association urges all libraries to adopt or update a privacy policy protecting users’ personally identifiable information, communicating to library users how their information is used, and explaining the limited circumstances under which personally identifiable information could be disclosed.”10 At least part of the substance of many libraries’ local privacy policies is modeled on the recommendations found within the Privacy Tool Kit.

On the global stage, in 2002 the International Federation of Library Associations (IFLA) released The Glasgow Declaration on Libraries, Information Services and Intellectual Freedom, which includes the statement “Libraries and information services shall protect each user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.”11 That same year the organization released the IFLA Internet Manifesto, which notes, “Libraries and information services should respect the privacy of their users and recognize that the resources they use should remain confidential.”12 More recently, in 2015, IFLA released a Statement on Privacy in the Library Environment. It includes eight recommendations and further notes,

Library and information services can decide what kind of personal data they will collect on users and consider principles of data security, management, storage, sharing and retention. They can negotiate with commercial service providers to ensure the protection of users’ privacy, refuse to acquire services that collect excessive data, or limit the use of technologies that could compromise users’ privacy. However, library and information services’ opportunities to influence, regulate or gain reliable knowledge of the data collection practices of commercial vendors or government institutions may be limited.13

A half century ago, Westin noted that privacy can be defined as “the claim of individuals, groups, or institutions to determine when, how, and to what extent information about them is communicated to others.”14 Malaga, summarizing published research from the late twentieth century as the consumer web began to emerge, noted, “In the context of online transactions privacy involves two major components. The first is the right to be informed about the collection of personal data. The second is a determination over who controls the data and its dissemination.”15

Privacy also involves security. As Flavian and Guinaliu noted,

Privacy is linked to a set of legal requirements and good practices with regard to the handling of personal data, such as the need to inform the consumer at the time of accepting the contract what data are going to be collected and how they will be used. Security refers to the technical guarantees that ensure that the legal requirements and good practices with regard to privacy will be effectively met.16

Herein we have several cornerstones informing the conversation related to library privacy policy efforts. Regardless of present-day technological and legal complexities, policies still matter. As Vail and colleagues noted, “One way that companies seek to increase trust is by posting a privacy policy notice on their website. . . . To increase consumer trust, it is essential that companies post privacy policies that are both concise and comprehensible.”17 As Earp and colleagues noted, “Internet privacy policies describe an organization’s practices on data collection, use, and disclosure. These privacy policies both protect the organization and signal integrity commitment to site visitors. Consumers use the stated website policies to guide browsing and transaction decisions.”18 As Magi noted, “Librarians can make ethical principles operational at the local level by adopting policies that affirm the professional code of ethics. Policies enable an organization to behave in accordance with its mission and philosophy.”19

Magi further noted several sets of past research whose authors (Nelson and Garcia; Stueart and Moran; Becker)20 articulated the importance of library policies from both the library staff operational standpoint and the end-user information consumer standpoint, in the sense that library policies can

• reinforce library priorities
• empower library workers
• foster conduct consistency and uniformity
• encourage stability
• reduce confusion
• illustrate accountability
• advise the public on expectations and equitable treatment
• provide guidance should legal action arise21

ALA’s Privacy: An Interpretation of the Library Bill of Rights notes,

Users have the right to be informed what policies and procedures govern the amount and retention of personally identifiable information, why that information is necessary for the library, and what the user can do to maintain his or her privacy.22

Leveraging the work of various organization committees, ALA has published extensive Library Privacy Guidelines and associated Library Privacy Checklists.23 Collectively these resources provide excellent guidance on policy development and content.

Among its wealth of information ALA’s Privacy Tool Kit notes,

A privacy policy communicates the library’s commitment to protecting users’ personally identifiable information. A well-defined privacy policy tells library users how their information is utilized and explains the circumstances under which personally identifiable information might be dis-closed.24

Policies should notify users of their rights to privacy and confidentiality and of the policies of the library that govern these issues. Such notice should dictate the types of information gathered and the purposes for and limitations on its use. It is critical that library privacy policies be made widely available to users through multiple means. Safeguarding personal privacy requires that individuals know what personally identifiable information (PII) is gathered about them, where and how and for how long it is stored, who has access to it and under what conditions, and how it is used.25

All libraries—not just those that are publicly funded—should have in place privacy policies and procedures to ensure that confidential information in all formats is protected. A privacy policy communicates the library’s commitment to protecting user information and helps prevent liability and public relations problems.26

Purpose of This Report

If privacy policies are important, then how are academic and public libraries faring? This report constitutes a content analysis of privacy policies across a broad swath of academic and public libraries in the United States—fifty selected libraries within each category. The research focuses on several privacy policy aspects: specifically, do the policies

• provide details on what data is collected and what systems are involved?
• provide details on how collected data is used?
• provide details on third-party providers and services utilized by the library?
• provide details on operational data security, integrity, and retention practices?
• reference higher authorities (e.g., organizational statements, parent institution policies, state and federal law)?
• provide details on circumstances in which private information could be released?

In addition, the research surfaces further details that other libraries could consider when drafting a policy for the first time or when updating an existing policy. These include outliers that exist in one or a few policies that other libraries might wish to consider for their own organizations’ policies—whether it be a different data type to address or a different policy phrasing to express a particular concept.

The overall intent of this research is multifold. It offers a year 2020 snapshot-in-time assessment of privacy policies from one hundred libraries, offering real-world, in-effect details on what such policies include. In some cases, policies followed a generic template regarding ordering, structure, and topics covered; in many cases, they did not. At another level, this research identifies some not-so-common items found within some of the policies—differences, nuances, and detail outliers when compared to the bulk of the policies analyzed. Some libraries have short and succinct policies, others are more extensive, and many libraries have multiple policies touching on privacy considerations. Finally, and perhaps most significant, while many policies address similar central tenets, a real richness can be found in the variety of verbiage and phrasing found across the policies. For any particular aspect of privacy that a policy seeks to incorporate, there are multiple ways to address that aspect. As a great former boss oft noted, “It’s not always what you say, but how you say it.” Accordingly, the author has provided numerous examples quoting from the sample set of policies and organized them by topic. It’s hoped this approach helps illustrate the myriad ways library privacy policies approach and address particular topics. The quotes are not meant to be taken out of context, but due to manuscript length limitations, snippets (and not necessarily full passages) are provided to address the particular content topic at hand. Readers can always use the references to see the complete policy text of any particular library. In the end, one or more particular policy phrasings quoted in this work may resonate with a particular reader as their own library chooses to draft or revise its privacy policy.

Research Sample and Demographics

For academic libraries, the sample is comprised of major private and public academic libraries based in the United States. The definition of major can be subjective. For this research, the author combined and deduplicated library membership lists for academic libraries that were members of all three of the following major organizations—the Association of Research Libraries, the Digital Library Federation, and the Coalition for Networked Information27—and subsequently removed libraries not found in the United States. The distilled list of 210 academic libraries was randomized, after which the author proceeded in order down the randomized list, visiting each academic library home page, until fifty libraries were reached that appeared to have their own distinct library privacy policies posted on their library websites. This is an important distinction. In each instance, the larger parent university also appeared to have a (larger, institutional-level) privacy policy, and in many cases the library websites may have provided a link to their parent institutional policy (or referenced it within their own library privacy policy). However, this research intentionally and specifically focuses on library-drafted privacy policies—library policies drafted and linked to the library website that spoke to something unique, additional, or otherwise seemingly important enough for the library to author and publicly post its own policy—regardless of how long, comprehensive, or unique the specific library policy appeared when compared to any parent institution privacy policy. This is not meant to imply that libraries that appeared not to have their own drafted and posted library privacy policy (and thus were not included in the study sample) do not value or safeguard privacy. Such a fact could mean any number of things, including that the library simply and directly adheres to the parent institution privacy policy and has no interest (or time or authority) to draft its own library policy that may more specifically address some unique aspect, concern, or value of the library. It’s also possible that some libraries in the distilled list could have a library-specific privacy policy that simply isn’t linked to the library’s website, or, if it is linked, the author could simply have failed to find it. However, part of a policy’s value lies in being easily found and available to those wishing to review it and who are bound by the policy. For context, the author had to review the websites of the first eighty-five academic libraries in the randomized list until fifty academic libraries appearing to have their own distinct library privacy policies were identified. Privacy policies from these fifty academic libraries were subsequently analyzed for this study. Of the fifty:

• Thirty-three were public institutions, sixteen were private, and one categorizes itself as neither (Penn State University).
• The libraries were spread across twenty-six states from all four regions (West, Midwest, South, Northeast) of the United States.
• Institutional enrollment ranged from 2,000 students (Colby College) to 71,000 students (Rutgers University). The average enrollment for the fifty institutions was 27,940 students, and the median was 27,320 students.

For public libraries, the author leveraged data associated with the Institute of Museum and Library Services’ FY 2017 Public Libraries Survey, encompassing data from over 9,200 United States public libraries.28 The author sorted the libraries by population served, grouping the sets into five size categories: 1–25,000; 25,001–50,000; 50,001–250,000; 250,000–1 million; and > 1 million. The author randomized the libraries within each size group and reviewed the websites of each library until the first ten libraries from each group were identified that appeared to possess their own distinct privacy policies. Given the far greater number of small public libraries in the United States, this approach skews the proportion of overall policies analyzed toward larger service population libraries. While the author analyzed in detail the policies of ten of thirty-four libraries present in the largest service population group, only ten of 7,069 libraries (.14 percent) within the smallest service population group were analyzed. For context, the author had to review the websites of a total of 104 public libraries until fifty were found that appeared to have their own publicly posted and distinct library privacy policy. Regarding the other fifty-four public libraries, in some but not all cases the library website did provide a link to some other privacy policy, such as that for the overarching city or county government entity that library was administratively under. The fifty public libraries analyzed were spread across twenty-five states and all four regions.

Some libraries appeared to have a single unified or encompassing privacy policy, while others incorporated aspects of privacy into multiple policies. For example, one public library—the Alpha Park Public Library—appeared to have eight policies that each in some way touches on privacy:

• “Security/Surveillance System Policy”
• “Reference Policy”
• “Photography and Video Policy”
• “Identity Protection Policy”
• “Ethics Statement for Public Library Trustees”
• “Confidentiality Policy”
• “Computer and Internet Policy”
• “Circulation Policy”29

The next chapter details particular data types and systems referenced within library policies. Chapter 3 discusses the stated reasons why data is collected and how it’s used, chapter 4 discusses third-party providers and how library policies address such providers, and chapter 5 discusses references to data security, integrity, and retention. The final chapter focuses on references to higher authorities that impact privacy and situations in which private information may be subject to release.

Notes

1. Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace, report to Congress (Washington, DC: Federal Trade Commission, May 2000), https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-fair-information-practices-electronic-marketplace-federal-trade-commission-report/privacy2000.pdf.
2. Fred H. Cate, “The Failure of Fair Information Practice Principles,” in Consumer Protection in the Age of the “Information Economy,” ed. Jane K. Winn (Burlington, VT: Ashgate Publishing, 2006), 343.
3. National Information Standards Organization, NISO Consensus Principles on User’s Digital Privacy in Library, Publisher, and Software-Provider Systems (NISO Privacy Principles) (Baltimore, MD: National Information Standards Organization, December 10, 2015), https://groups.niso.org/apps/group_public/download.php/16064/NISO%20Privacy%20Principles.pdf.
4. American Library Association, “Policy on Confidentiality of Library Records,” last updated July 2, 1986, www.ala.org/advocacy/intfreedom/statementspols/otherpolicies/policyconfidentiality.
5. American Library Association, Privacy: An Interpretation of the Library Bill of Rights (Chicago: American Library Association, 2002, amended 2014, 2019), www.ala.org/advocacy/sites/ala.org.advocacy/files/content/intfreedom/librarybill/interpretations/privacyinterpretation.pdf.
6. American Library Association, Resolution on the Retention of Library Usage Records (Chicago: American Library Association, 2006), https://alair.ala.org/bitstream/handle/11213/1594/52.4.4%20Retention%20of%20Library%20Records.pdf.
7. American Library Association, “Policy Concerning Confidentiality of Personally Identifiable Information about Library Users,” last updated June 30, 2004, www.ala.org/advocacy/intfreedom/statementspols/otherpolicies/policyconcerning.
8. American Library Association, “Introduction,” Privacy Tool Kit, last updated January 2014, www.ala.org/advocacy/privacy/toolkit/introduction.
9. American Library Association, Privacy, 1.
10. American Library Association, Resolution on the Retention, 2.
11. International Federation of Library Associations, The Glasgow Declaration on Libraries, Information Services and Intellectual Freedom (The Hague, Netherlands: International Federation of Library Associations, 2002), https://www.ifla.org/publications/the-glasgow-declaration-on-libraries-information-services-and-intellectual-freedom.
12. International Federation of Library Associations, IFLA Internet Manifesto (The Hague, Netherlands: International Federation of Library Associations, 2002), 4, https://www.ifla.org/files/assets/faife/publications/policy-documents/internet-manifesto-en.pdf.
13. International Federation of Library Associations, IFLA Statement on Privacy in the Library Environment (The Hague, Netherlands: International Federation of Library Associations, 2015), 2, https://www.ifla.org/files/assets/hq/news/documents/ifla-statement-on-privacy-in-the-library-environment.pdf.
14. Alan F. Westin, Privacy and Freedom (New York: Atheneum, 1967), 7.
15. Ross Malaga, “Do Web Privacy Policies Still Matter?” Academy of Information and Management Sciences Journal 17, no. 1 (2014): 95.
16. Carlos Flavian and Miquel Guinaliu, “Consumer Trust, Perceived Security and Privacy Policy,” Industrial Management and Data Systems 106, no. 5 (2006): 604.
17. Matthew Vail, Julia Earp, and Annie Anton, “An Empirical Study of Consumer Perceptions and Comprehension of Web Site Privacy Policies,” IEEE Transactions on Engineering Management 55, no. 3 (2008): 442.
18. Julia Earp, Annie Anton, Lynda Aiman-Smith, and William Stufflebeam, “Examining Internet Privacy Policies within the Context of User Privacy Values,” IEEE Transactions on Engineering Management 52, no. 2 (2005): 227.
19. Trina Magi, “The Gap between Theory and Practice: A Study of the Prevalence and Strength of Patron Confidentiality Policies in Public and Academic Libraries,” Library and Information Science Research 29, no. 4 (2007): 459.
20. Sandra Nelson and June Garcia, “Issues,” in Creating Policies for Results: From Chaos to Clarity (Chicago: American Library Association, 2003), 1–21; Robert D. Stueart and Barbara Moran, “Planning Information Services,” in Library and Information Center Management, 6th ed. (Westport, CT: Libraries Unlimited, 2002), 62–90; Beverley Becker, “Essential Preparation,” in Intellectual Freedom Manual, 7th ed. (Chicago: Office for Intellectual Freedom, American Library Association, 2006), 417–28.
21. Magi, “Gap between Theory and Practice,” 459.
22. American Library Association, Privacy, 1.
23. American Library Association, “Library Privacy Guidelines,” 2017, www.ala.org/advocacy/privacy/guidelines; American Library Association, “Library Privacy Checklists,” 2017, www.ala.org/advocacy/privacy/checklists.
24. American Library Association, “Developing or Revising a Library Privacy Policy,” Privacy Tool Kit, last updated April 2017, www.ala.org/advocacy/privacy/toolkit/policy.
25. American Library Association, “Developing or Revising.”
26. American Library Association, “Privacy and Confidentiality Q&A,” last updated July 29, 2019, www.ala.org/advocacy/intfreedom/privacyconfidentialityqa.
27. Association of Research Libraries, “List of ARL Members,” https://www.arl.org/list-of-arl-members/; Digital Library Federation, “Our Member Institutions,” https://www.diglib.org/about/members/; Coa-lition for Networked Information, “Members,” last updated April 22, 2020, https://www.cni.org/about-cni/membership/members.
28. Institute of Museum and Library Services, “Public Libraries Survey: FY 2017,” 2019, https://www.imls.gov/research-evaluation/data-collection/public-libraries-survey.
29. Alpha Park Public Library, “Library Policies and Ordinances,” www.alphapark.org/policiesandprocedures.html.