Chapter 6. Higher Authorities and the Potential Release of Information

The preceding chapters have focused on how library privacy policies address types of data collected, how it is used, and data security and retention. This concluding chapter focuses on higher authorities that libraries should be responsive to and circumstances in which collected data may be released. Higher authorities can include

• professional organizations
• parent organization policies; system-wide or consortia policies
• state and federal law

To some degree, these authorities can influence library privacy policies and dictate circumstances under which private information might be released.

Professional Organization Guidance, Recommendations, and Advocacy

This issue of Library Technology Reports has provided references to some of the privacy-related advocacy work from the American Library Association and other organizations. In these brief final reflections in this chapter, professional organizations can be considered a higher authority in the sense that they provide recommendations and guidance reflecting long-standing professional values. Policies from at least twenty-four of the academic and fifteen of the public libraries analyzed made reference to ALA documents and work. For example, the Ann Arbor District Library’s policies make reference to the following ALA documents:

• Access to Digital Information, Services and Networks: An Interpretation of the Library Bill of Rights1
• Privacy: An Interpretation of the Library Bill of Rights2
• Importance of Education to Intellectual Freedom: An Interpretation of the Library Bill of Rights3
• Code of Ethics of the American Library Association4
• American Library Association’s “Library Bill of Rights in Cyberspace”5

At sixty-three words, Colby College Libraries had the shortest identified library-specific privacy policy of the fifty academic libraries analyzed, and its policy notes,

The Colby College Libraries adhere to the American Library Association (ALA) standards and ethics of facilitating, not monitoring, access to information. We do not collect information about patron activities beyond what is basic and necessary to conduct and fulfill the mission of the library. For additional information, please consult the ALA Library Bill of Rights.6

Another example of a policy referencing ALA work is the University of Oregon Libraries’ privacy policy, which at the end provides a link to ALA’s Privacy Tool Kit and mentions the ALA Office of Intellectual Freedom:

This Statement has been adapted from the ALA Library Privacy Policy model, http://www.ala.org/advocacy/privacyconfidentiality/toolkitsprivacy/libraryprivacy, and was reviewed March 2015 by the ALA Office of Intellectual Freedom in order to confirm adherence to foundational library privacy principles.7

Parent Organization Policy

Libraries are not islands unto themselves. Both academic and public libraries may be responsive to library consortia or to shared system-level policies. Public libraries are typically responsive to a board of trustees that approves policy and serves in the public interest. Academic libraries are often subject to parent university or college policies, and in some cases policies associated with a broader university system. This research intentionally did not encompass parent-level policies, but numerous—perhaps all—parent universities have privacy-related policies. Approximately thirty of the academic library policies analyzed referenced corresponding university- or system-level policies or guidelines. Parent institution policies that often contain privacy aspects include

• data and website privacy, protections, practices, and governance (including information access policies and access-to-student-information policies and guidelines, among them policies and practices responsive to federal law such as FERPA)
• expected behavior and conduct policies related to the use of technology and licensed resources
• professional standards and business conduct policies
• cybersecurity policies
• privacy and confidentiality policies associated with sponsored programs and research subjects
• protected health information policies (including policies and practices responsive to federal law such as HIPAA)
• e-mail and mass communications policies

Some academic library privacy policies specifically note how other entities at the same institution may have different privacy-related practices. For example, Indiana University Libraries’ policy notes,

This privacy notice applies only to the Indiana University (IU) Libraries and explains our practices concerning the collection, use, and disclosure of user information. . . .

Other units at the University may collect and use visitor information in different ways. Therefore, visitors to other University web sites and those who interact with University units and departments should review the privacy notices for those units or for the particular University web sites they visit. The IU Libraries are not responsible for the content of other web sites or for the privacy practices of University units or web sites outside the scope of this notice.8

Several academic library privacy policies note that the library’s IT infrastructure or computer labs are managed by its university’s centralized IT organization or mention other custodians of private information, such as a campus safety department. Oftentimes, the library policy refers users to this other campus entity for associated policies, questions, or concerns. For example, the University of Denver Libraries’ policy notes,

Security cameras and security doors . . . are located throughout the Libraries and are managed by Campus Safety; the Libraries are not privy to the data collected by these systems. Information Technology provides wireless internet routers through the building, as well as zero-client workstations. Cell phones often automatically “ping” wireless routers and exchange data (this is true wherever you go), and when you log into campus networks your campus ID is needed to authenticate. Please see IT@DU’s policies and feel free to contact them if you have questions.

Although these data are not collected or maintained by the Libraries, it is important to know all these systems are also subject to DU’s Privacy Statement.9

Some library privacy policies reference higher level, system-wide policies. For example, the University of California Berkeley Library makes reference to the University of California system’s Electronic Communications Policy and “RMP-8: Requirements on Privacy of and Access to Information.”10 While not necessarily higher level entities, other groups, such as a university’s student government organization, can influence policy development. For example, the University of Texas Libraries’ policy notes, “Developed in consultation with Student Government.”11

Policies of library consortia represent another instance of what could be considered a higher level policy. Several public library policies note consortia policies or practices. For example, the Pinellas Public Library Cooperative in Florida consists of fourteen member libraries and has a public services and circulation policy that notes,

Although each member library is operated by a separate local governmental unit or board which retains authority over any policy decisions for internal operations and the handling of local funds, member libraries have agreed, wherever possible, to work together to establish consistent public service policies. In keeping with the intent of the Interlocal Agreement, which supports member libraries’ autonomy, individual libraries may establish additional service policies. Therefore, variations in official policies and procedures may exist between libraries.12

State and Federal Law

A very common component of many library privacy policies is references to legal statutes, often to statute-level privacy protections for library records and circumstances under which private information can be released. Legal statutes exist at the local, state, and federal levels. Regarding state-level statutes, as noted in ALA’s “State Privacy Laws Regarding Library Records,” “Forty-eight states and the District of Columbia have laws protecting the confidentiality of library records. Two states, Kentucky and Hawaii, have attorney general’s opinions protecting library users’ privacy. The language of these provisions var[ies] from state to state.”13

Present federal-level statutes are rather lacking or outdated, increasing the complexity of privacy considerations. To note but one example—social media services—Lamdan noted,

A lack of cohesive statutes on Internet privacy leaves a mere patchwork of inconsistent laws for social media outlets to follow. . . . Scattered and inconsistent state laws deal with tiny facets of social media privacy in different ways, but there is no comprehensive 50-state solution to social media’s privacy invasions in the legal framework of the United States.14

Discussing recent initiatives at the federal level, Orlofsky noted,

Members of the Congressional House and Senate subcommittees have been working for the past few years on different bills related to privacy. Given the impetus of the California law, the European Union’s General Data Protection Regulation, and newsmaking data breaches such as the 2018 Facebook/Cambridge Analytica scandal, there has been recently a greater push to construct a national data privacy law. . . . One stated reason for a federal law would be to prevent a patchwork of state laws that offer varying levels of protection.15

Orlovsky’s blog post provides additional information on existing and proposed federal statutes related to consumer protections. Such work is high on the radar of professional associations, such as the Association of College and Research Libraries (ACRL). Consumer data privacy ranks fourth out of five priorities on ACRL’s legislative agenda focus for 2020.16 In discussing this focus, ACRL notes that states continue to work on consumer data privacy laws. The agenda notes recently introduced Congressional bills under consideration. At time of writing, the potential of updated consumer privacy protections materializing at the federal level remains uncertain. As noted in the ACRL legislative agenda, “The ongoing concern over the erosion of individual privacy and predatorial online data mining practices warrants attention, engagement, and advocacy for government protections of the individualʼs right to privacy.”17 ALA’s Privacy Tool Kit offers additional substantive content to inform the conversation. ALA’s “Privacy and Confidentiality Q&A” notes, “Library policies must not violate applicable federal, state, and local laws. However, in accordance with Article IV of the ‘Library Bill of Rights,’ librarians should oppose the adoption of laws that abridge the privacy rights of any library user.”18

ALA’s extensive guidelines and checklists make various references to the law and the closely associated topic of enforcement-related requests for private patron information. Examples include the following:

“Library Privacy Checklist for Library Management Systems/Integrated Library Systems”

Develop procedures for library staff on how to handle law enforcement and government requests for patron records.19

“Library Privacy Guidelines for Vendors”

Libraries and vendors must work together to ensure that the contracts and licenses governing the collection, processing, disclosure, and retention of library user data reflect library ethics, policies, and legal obligations concerning user privacy and confidentiality.

. . .

In addition, agreements between libraries and vendors should reflect and incorporate restrictions on the potential dissemination and use of library users’ records and data imposed by local, state, and federal law.20

“Library Privacy Guidelines for Library Management Systems”

Government Requests

The library should develop and implement procedures for dealing with government and law enforcement requests for library patrons’ personally identifiable information and use data held within the LMS. The library should consider a government or law enforcement request only if it is issued by a court of competent jurisdiction that shows good cause and is in proper form. The library should also inform users through its privacy policies about the legal conditions under which it might be required to release personally identifiable information.

The library could consider publishing a warrant canary notice to inform users that they have not been served with a secret government subpoena or national security letter. If a canary notice is not updated or it is removed, users can assume that a subpoena or national security letter has been served.21

“Developing or Revising a Library Privacy Policy”

In addition, policy drafts should be reviewed against existing local policies, state and local laws, and ALA recommendations and guidelines.

. . .

When preparing a privacy policy, librarians need to consult an attorney to ensure that the library’s statement harmonizes with state and federal laws governing the collection and sharing of personally identifiable information and confidential records.

. . .

Libraries must ensure they have well-established procedures to enforce their policies by informing users about the legal conditions under which they might be required to release personally identifiable information (PII). Libraries should only consider a law enforcement request for any library record if it is issued by a court of competent jurisdiction that shows good cause and is in proper form. Only library administrators, after conferring with legal counsel, should be authorized to accept or comply with subpoenas, warrants, court orders, or other investigatory documents directed to the library or pertaining to library property. All library staff should be trained and required to contact a designated Library Privacy Officer or previously designated administrator immediately should a law enforcement officer appear requesting library compliance with a request to release PII.

Libraries should develop and implement procedures for dealing with law enforcement requests before, during, and after a visit.22

ALA’s “Library Privacy Talking Points: Key Messages and Tough Questions” notes,

• Librarians have always cooperated with law enforcement within the framework of state and federal laws and regulations.
• Librarians have a responsibility to protect the privacy and confidentiality of our patrons while responding to legitimate national security concerns.

. . .

• If librarians do not follow state confidentiality laws and legal procedures, they run the risk of actually hurting ongoing police investigations. The American judicial system provides the mechanism for seeking release of confidential records: the issuance of a court order, showing probable cause based on specific facts and in proper form.23

In terms of the policies analyzed, references to municipal-level ordinances are rare, but one example is Lanesboro Public Library’s “Data Privacy Policy,” which notes,

This policy will provide the guidelines and framework for library staff members to appropriately protect patron privacy and handle requests for public data. All City of Northfield policies and procedures related to government data also apply at the library. However, this additional policy is necessary to address data practices that are unique to the library.24

Conversely, at least forty-five academic and forty-four public libraries had policies referencing state or federal law. Georgia Tech Library’s identified library privacy policy appears exclusively composed of references to Georgia law (the official Code of Georgia),25 and there were several other instances where an academic library privacy policy was primarily composed of references citing state law. Several policies make reference to freedom of information statutes (which can vary across states). For example, the University of Michigan’s “Library Privacy Statement—Frequently Asked Questions,” notes,

Can data be obtained through a FOIA request?

The Michigan Freedom of Information Act is a broad disclosure law that requires the University to make many of its records publicly available upon request. Library records, however, get special protection under Michigan Law, which specifically shields library records from FOIA. A “Library record” is a document, record, or other method of storing information retained by a library that contains information that personally identifies a library patron, including the patron’s name, address, or telephone number, or that identifies a person as having requested or obtained specific materials from a library. Deidentified and aggregated data that does not include identifying material is not protected by Michigan Law and is subject to FOIA.26

Several public library policies reference how circulation, registration, or other information tying an individual to materials is confidential and not considered a public record. For example:

Cherokee Regional Library System

Circulation records and similar records of a library that identify the user of library materials shall not be public records but shall be confidential and may not be disclosed except under the conditions established under Georgia Law, Code 24-9-46.27

Ocean County Library

Library records are still considered confidential under this law and require a subpoena issued by a court before release. Types of materials that would require immediate access are budgets, bills, vouchers, contracts, including collective negotiations agreements and individual employment contracts, and public employee salary and overtime information.28

Jessamine County Public Library

What constitutes a public record? “Public record” means all books, papers, maps, photographs, cards, tapes, discs, diskettes, records, or other documentary materials prepared, owned, used, in the possession of, or retained by the Library. It does not include any records owned by a private person or corporation that are (a) in the possession of the Library or one of its employees and (b) do not relate to any function, activity, program, or operation funded by the state.29

Several public library policies reference how social media content is subject to public record law. For example, the St. Louis Public Library’s policy notes,

The content of the Libraryʼs social media is subject to public records laws, including the Missouri Sunshine laws. Relevant record retention schedules apply to social media content. Content must be managed, stored, and retrieved to comply with open records laws and e-discovery laws and policies.30

Some policies note that e-mail addresses are public records. For example, the Pinellas Public Library Cooperative’s policy notes,

Under Florida law, e-mail addresses are public records. If you do not want your e-mail address released in response to a public-records request, do not send electronic mail to this entity. Instead, contact this office by phone or in writing.31

Illustrating how state laws can vary (in this instance, between Florida and Oregon), the University of Oregon Libraries’ policy notes that state law prevents e-mail addresses from public disclosure: “Oregon Revised Statute 192.502 (23) exempts from disclosure under open records law the records of a library, including . . . the electronic mail address of a patron.”32

Of course, federal law represents the highest authority. As noted in Lanesboro Public Library’s policy,

Although state privacy laws regarding privacy in libraries are still in force, including laws protecting the confidentiality of library records, as federal laws the provisions of the Foreign Intelligence Surveillance Act (FISA), the Electronic Communications Privacy Act (ECPA), and the statute authorizing National Security Letters can supersede state privacy laws.33

The USA PATRIOT Act was referenced in at least fourteen academic and eleven public library policies analyzed. ALA’s USA PATRIOT Act web page provides substantive information on the USA PATRIOT Act.34 Several policies also reference the US Constitution. For example, Van Horne Public Library’s policy notes,

Confidentiality is essential to protect the exercise of First and Fourth Amendment rights. In accordance with First and Fourth Amendments of the U.S. Constitution, the Iowa Code and professional ethics, the Board of Trustees of the Van Horne Public Library respects the privacy of users and recognizes its responsibility to protect their privacy.35

Several policies provide detailed information on library procedures for how legal inquiries are handled. Perhaps the best example is the University of Utah J. Willard Marriot Library’s privacy policy, which references

• procedures for how staff should respond to a law enforcement officer
• the role of university counsel
• the need to inventory any items viewed or confiscated as well as associated costs
• the requirement to call the ALA Office for Intellectual Freedom about the visit, if allowed
• the differences between search warrants issued by a FISA court and by a non-FISA court36

Several public library policies also provide details on their procedures, such as the Sequoyah Regional Library System, which has a policy noting that the library’s executive director is the official custodian of records and outlines a detailed process flow and procedures should the library receive a request for confidential information.37 The San José Public Library’s policy appears to be the only one of those analyzed that includes a canary notice:

This library has not been served with a government subpoena or national security letter under Section 215 of the USA PATRIOT ACT. If this notice is removed, customers can assume that a subpoena or national security letter has been served.38

Release of Information

Responding to an official law enforcement request is the most frequently mentioned circumstance under which private information might be released. Policies frequently note that the request must be a subpoena, search warrant, other court order, or otherwise required by law. A few policies note there may be exceptions in an emergency situation, when an official document in proper form is not practical. For example, Mount Prospect Public Library’s “Circulation Policy and Library Records Confidentiality Policy,” referencing Illinois public statutes, notes that certain information could be subject to release without a court order to a sworn law enforcement officer in an emergency or imminent danger situation and quotes the state law.39 The policy includes an appendix reproducing the form the officer must sign to obtain the information. A large majority of library policies note that things must be in “proper form.” As just one example, the San José Public Library’s policy notes,

Library records are not made available to any agency of state, federal, or local government without a subpoena, warrant, court order or other legal document requiring us to do so. These orders must show good cause and be in proper form.40

In addition to other references found within its policy, the Queens Borough Public Library’s policy includes an overarching statement:

Queens Public Library recognizes that law enforcement agencies and officers may occasionally believe that library records contain information which may be helpful to the investigation of criminal activity. If there is a reasonable basis to believe such records are necessary to the progress of an investigation or prosecution, the American judicial system provides the mechanism for seeking release of such confidential records. Library records will not be made available to any agency of state, federal, or local government except pursuant to such process, order, or subpoena as may be authorized under the authority of, and pursuant to, federal, state, or local law relating to civil, criminal, or administrative discovery procedures or legislative investigatory power.41

Policies may include other reasons why information might be released. Several reference the possibility of information release to prevent the threat of significant body harm or loss, to answer a threat to the personal safety of users, or to protect library property. For example,

Josephine Louise Public Library—Walden, New York Web sites will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on Josephine Louise Public Library—Walden, New York or the site; (b) protect and defend the rights or property of Josephine Louise Public Library—Walden, New York; and, (c) act under exigent circumstances to protect the personal safety of users of Josephine Louise Public Library—Walden, New York, or the public.42

At least nine academic library policies note the potential disclosure of information related to investigations of suspected misuse of systems or violations of university or library policies. At least fourteen academic and nine public library policies note that information can be released upon user consent (and many indicate the consent has to be in writing). Regarding children, at least eight academic library policies reference the rights of parents and legal guardians who request the release of a child’s information. At least nineteen public library policies state whether parents do or don’t have access to the records of their minor child, and further, many specify an upper age where this can happen. Some public library policies specify whether such access is full access to the record (such as specific titles checked out) or more generalized information (such as number of items checked out, but not the titles). Several also detail the circumstances under which this information can be released to the parent (e.g., some libraries will release the information only if the materials the child has checked out are overdue and accruing fines). Many public libraries specifically cite state law as regards the release of information related to minors. Examples include the following:

Pinellas Public Library Cooperative

In accordance with FL Statute 257.261 (B.2), library staff hold all registration and circulation records confidential and will not surrender them or make them available to the public except by a properly executed court order, although circulation information may be disclosed to the parent or guardian of a cardholder under age 16 only for the purpose of collecting fines or recovering overdue library materials.43

Contra Costa County Library

Library staff cannot give any information about a patron’s registration and circulation record to anyone other than the patron, no matter what the age or relationship to the patron. For example, a parent cannot be told what material a child has checked out on the child’s card without the child’s consent.44

San José Public Library

If the library cardholder is under the age of 18, the parent or guardian listed in the library record may only be given limited information about that child’s record. Proof of the parent or guardian’s identity is required through photo identification. Library staff will only tell customers the number of books checked out, due dates, and fines owed.45

Deer Park Public Library

Children’s records have the same confidentiality protection under New York Civil Practice Law and Rules, section 4509. Parents may pay fines and receive information as to the number of items a minor child, under 18, has checked out only with the child’s card number, (telephone request), and with the child’s card at the Library. Specific title and reserves are not accessible to the parent/guardian of a minor child. Parents/guardians who do not wish their children’s records to remain private should check out materials on their own cards.46

In ending this chapter on higher authorities and circumstances under which private information may be released, the privacy policy of the University of New Mexico Libraries provides a fitting conclusion. Their concise privacy policy includes bulleted references to many categorical items discussed within this chapter—professional organization standards, parent institution policies, state law, and federal law. Their policy includes bulleted references to the following:

• professional standards from the American Library Association (with two documents noted)
• University of New Mexico policies (with two items noted, related to acceptable computer use)
• State of New Mexico law (with two statutes noted)
• United States law (with three federal statutes noted)47

Notes

1. American Library Association, Access to Digital Resources and Services: An Interpretation of the Library Bill of Rights [formerly titled Access to Digital Information, Services, and Networks] (Chicago: American Library Association, 1996, amended 2005, 2009), www.ala.org/advocacy/intfreedom/librarybill/interpretations/digital, cited in Ann Arbor District Library, “Internet Use Policy,” Materials Selection and Access, last updated February 17, 2014, https://aadl.org/aboutus/materials.
2. American Library Association, Privacy: An Interpretation of the Library Bill of Rights (Chicago: American Library Association, 2002, amended 2014, 2019), www.ala.org/advocacy/sites/ala.org.advocacy/files/content/intfreedom/librarybill/interpretations/privacyinterpretation.pdf, cited in Ann Arbor District Library, “Internet Use Policy.”
3. American Library Association, Advocating for Intellectual Freedom: An Interpretation of the Library Bill of Rights [formerly titled Importance of Education to Intellectual Freedom: An Interpretation of the Library Bill of Rights] (Chicago: American Library Association, 2009, amended 2014), www.ala.org/aboutala/sites/ala.org.aboutala/files/content/governance/policymanual/Links/B.2.1.21.pdf, cited in Ann Arbor District Library, “Internet Use Policy.”
4. American Library Association, Code of Ethics of the American Library Association (Chicago: American Library Association, 1939, amended 1981, 1995, 2008), www.ala.org/advocacy/sites/ala.org.advocacy/files/content/proethics/codeofethics/Code%20of%20Ethics%20of%20the%20American%20Library%20Association.pdf, cited in Ann Arbor District Library, “Code of Ethics,” Philosophical Statements, Ann Arbor District Library Policy Manual, https://aadl.org/aboutus/Philosophical#ETHICS.
5. American Library Association, “Library Bill of Rights in Cyberspace,” cited in Ann Arbor District Library, “Ann Arbor District Library Internet Policy,” last updated June 19, 2006, https://aadl.org/aboutus/policies/internet.
6. Colby College Libraries, “What Are the Privacy Policies in the Library?” Guidelines and Policies, https://www.colby.edu/libraries/about/guidelines-and-policies/.
7. University of Oregon Libraries, “UO Libraries Privacy Statement,” last updated March 3, 2020, https://library.uoregon.edu/policies/privacystatement.
8. Indiana University Libraries, “Indiana University Libraries Privacy Policy,” last updated February 1, 2012, https://policies.iu.edu/policies/lib-01-libraries-privacy/index.html.
9. University of Denver Libraries, “Your Privacy and University Libraries,” https://library.du.edu/policies/records-privacy.html.
10. University of California, Electronic Communications Policy (Oakland: University of California, 2000, revised 2005), https://policy.ucop.edu/doc/7000470/ElectronicCommunications, University of California, “RMP-8: Requirements on Privacy of and Access to Information,” policy rescinded November 13, 2015, https://policy.ucop.edu/doc/7020463/BFB-RMP-8, cited in University of California Berkeley Library, “Collection, Use, and Disclosure of Electronic Information,” last updated September 22, 2008, https://www.lib.berkeley.edu/about/privacy-electronic-information.
11. University of Texas Libraries, “Privacy and Confidentiality of Library Records Policy,” https://www.lib.utexas.edu/about/policies/privacy-and-confidentiality-library-records-policy.
12. Pinellas Public Library Cooperative, “Public Services Policies,” May 31, 2019, www.pplc.us/misc-pdf/CirculationPolicy_2019.pdf.
13. American Library Association, “State Privacy Laws Regarding Library Records,” www.ala.org/advocacy/privacy/statelaws.
14. Sarah Lamdan, “Social Media Privacy: A Rallying Cry to Librarians,” Library Quarterly: Information, Community, Policy 85, no. 3 (2015): 266–67.
15. Vicky Ludas Orlofsky, “Consumer Data Privacy and the Federal Government,” Intellectual Freedom Blog, March 27, 2019, https://www.oif.ala.org/oif/?p=17391.
16. Association of College and Research Libraries, “ACRL Legislative Agenda 2020,” www.ala.org/acrl/sites/ala.org.acrl/files/content/issues/washingtonwatch/legislativeagenda20.pdf.
17. Association of College and Research Libraries, “ACRL Legislative Agenda 2020.”
18. American Library Association, “Privacy and Confidentiality Q&A,” last updated July 29, 2019, www.ala.org/advocacy/intfreedom/privacyconfidentialityqa.
19. American Library Association, “Library Privacy Checklist for Library Management Systems/Integrated Library Systems,” last updated January 26, 2020, www.ala.org/advocacy/privacy/checklists/library-management-systems.
20. American Library Association, “Library Privacy Guidelines for Vendors,” last updated January 26, 2020, www.ala.org/advocacy/privacy/guidelines/vendors.
21. American Library Association, “Library Privacy Guidelines for Library Management Systems,” last updated January 26, 2020, www.ala.org/advocacy/privacy/guidelines/library-management-systems.
22. American Library Association, “Developing or Revising a Library Privacy Policy,” Privacy Tool Kit, last updated April 2017, www.ala.org/advocacy/privacy/toolkit/policy.
23. American Library Association, “Library Privacy Talking Points: Key Messages and Tough Questions,” January 2014, www.ala.org/advocacy/privacy/toolkit/talkingpoints.
24. Lanesboro Public Library, “Data Privacy Policy,” February 2012, https://www.lanesboro.lib.mn.us/wp-content/uploads/2014/03/data-privacy.htm.
25. Georgia Tech Library, “Privacy Policy,” https://www.library.gatech.edu/privacy-policy.
26. University of Michigan Library, “Library Privacy Statement—Frequently Asked Questions (FAQ),” last updated June 14, 2018, https://www.lib.umich.edu/library-privacy-statement/frequently-asked-questions.
27. Cherokee Regional Library System, “Privacy Policy,” Policies and Laws, October 21, 2004, https://www.chrl.org/wp-content/uploads/2015/04/Privacy-Policy.pdf.
28. Ocean County Library, “Fines and Fees Schedule,” Policies, Fees, and Forms, last revised April 19, 2016, https://theoceancountylibrary.org/policies-fees-forms#all_des544.
29. Jessamine County Public Library, “Open Records Policy,” last updated June 24, 2019, https://jesspublib.org/wp-content/uploads/6.6-Open-Records-Policy-2019-06-24.pdf.
30. St. Louis Public Library, “Social Media Guidelines,” last updated April 3, 2017, https://www.slpl.org/service-policies/social-media-policy/.
31. Pinellas Public Library Cooperative, “PPLC Privacy Policy,” May 28, 2008, http://www.pplc.us/misc-pdf/PPLC_PrivacyPolicy.pdf.
32. University of Oregon Libraries, “Privacy Statement.”
33. Lanesboro Public Library, “Data Privacy Policy.”
34. American Library Association, “USA PATRIOT Act,” www.ala.org/advocacy/advleg/federallegislation/theusapatriotact.
35. Van Horne Public Library, “Van Horne Public Library Policies,” last updated January 8, 2018, https://www.vanhorne.lib.ia.us/library-information/policies/van-horne-public-library-policies-updated-1-8-18.doc/at_download/file.
36. University of Utah, J. Willard Marriott Library, “Privacy Policy,” https://lib.utah.edu/pdf/Privacy_Policy_Procedures.pdf.
37. Sequoyah Regional Library System, “USA Patriot Act & Confidentiality of Library Records,” MAN-1, Management Policies, Public Service Policy, last updated October 24, 2017, https://www.sequoyahregionallibrary.org/wp-content/uploads/2017/11/Public-Service-Policy-10.24.17.pdf.
38. San José Public Library, “Privacy Policy,” last updated March 12, 2018, https://www.sjpl.org/privacy-policy.
39. Mount Prospect Public Library, “Circulation Policy and Library Records Confidentiality Policy,” https://mppl.org/wp-content/uploads/2019/10/Circulation-Policy_all-docs-07-01-19.pdf.
40. San José Public Library, “Privacy Policy.”
41. Queens Borough Public Library, “Privacy Policy,” December 2003, https://www.queenslibrary.org/about-us/library-policies/privacy.
42. Josephine-Louise Public Library, “Privacy Statement,” https://www.waldenlibrary.org/privacy.aspx.
43. Pinellas Public Library Cooperative, “1. Library Accounts—Registration Policies,” in “Public Services Policies,” May 31, 2019, www.pplc.us/misc-pdf/CirculationPolicy_2019.pdf.
44. Contra Costa County Library, “About Privacy,” https://ccclib.org/policies/privacy/.
45. San José Public Library, “Privacy Policy.”
46. Deer Park Public Library, “Library Patron Records Confidentiality Policy,” February 23, 2011, https://deerparklibrary.org/wp-content/uploads/2017/06/Library-Patron-Records-Confidentiality.pdf.
47. University of New Mexico Libraries, “User Privacy Policy,” July 6, 2016, https://elibrary.unm.edu/services/docs/library-privacy-and-confidentiality-policy.pdf.