LDH is proud to announce that it will now serve cookies to our blog readers! Enjoy your digital cookie without guilt! Just be sure that you don’t leave any crumbs trailing behind you as you munch away while browsing the Web…
… yeah, we thought that was a cheesy* early April Fool’s joke, too.
With April Fool’s Day in a few days, let’s take a moment to appreciate the lighter side of data privacy. Cookies are a perennial privacy humor topic by the very nature of its name, and the infamous cookie banner has become the focus of many privacy humor skits. This skit answers the question of what happens when you hit a cookie wall when you want a cookie recipe:
There are times where humor can educate users about data privacy, but only when it is done well and within an appropriate context. An example of this comes from The Onion. Another example is the segment from an Adam Ruins Everything episode explaining the cost of using “free” internet services:
[Yes, we are fully aware of the irony of linking to a YouTube video of this segment.]
We can’t forget that humor has a time and place for it to be effective, though. More often than not, humor backfires like Mark Zuckerberg’s joke about Facebook privacy at their developer conference in 2019. Going back to the beginning of this post, cookies are the subject of many privacy jokes because of the nature of the web tracker’s name. It’s an easy joke that doesn’t take much effort to think about, but the lack of thinking through a joke can leave users more frustrated with the person telling it than not. The context of when you use humor matters – cookie popups are already confusing and frustrating to end-users, and a joke in the popup is more likely to backfire than lighten the end user’s mood. And because the web tracker’s name is already confusing to end-users, joking that your staff like chocolate chip cookies in the popup banner doesn’t tell users anything about what the actual web tracker cookie does.
In short, humor has its place in communicating important privacy topics when done thoughtfully and within an appropriate context. Your privacy notice and cookie banners are not places for humor, but instead places where you need to be clear about your privacy practices and what the user can do to protect their privacy. This doesn’t mean that all data privacy jokes are off-limits. You can still serve cookies (accommodating for dietary considerations!) in the library staff area to start a discussion or awareness program about web tracking – but be mindful of your audience and the context of data privacy humor when attempting to add some levity to end-user communications.
Welcome to the first week of Spring in the Northern Hemisphere! This month marks one year of working from home for some library workers and the hybrid remote/onsite work limbo for others. In both cases, this anniversary also marks a year’s worth of patron data collected and stored all over the place due to the abrupt switch to remote work and virtual services. It’s safe to say that many disaster or business continuity plans didn’t plan for a pandemic, and the resulting scramble to virtual or reduced physical services/work created new or exacerbated existing data privacy gaps. Last year’s #DataSpringCleaning focused on setting up the home office to address a common privacy problem – the over-retention of patron data. Check out the post and the companion workshop materials about protecting patron privacy while working from home if you haven’t already done so.
This year’s #DataSpringCleaning project is ambitious as it is daunting. This year is the Sisyphean project of data cleanup projects – no matter how many times we try and fail, we keep coming back to this one project in hopes of finally completing it. Let us go back once more into the breach, friends. It’s time to scrub our work email.
Email as Major Privacy Risk to Patron Privacy
While many library workers are aware that their emails can contain patron data, they might not be aware of how much patron data is stored in their accounts. Personally identifiable information, or PII, includes data about a patron as well as data of a patron’s activity. The former can be easy to identify and easy to email without much thought about the privacy risk of doing so:
Physical and email addresses
Birthdate or age
Patron record number
Username and password
A patron’s activities, on the other hand, can be harder to identify once you factor in the types of emails a library worker can receive or send in any given day:
Help desk ticket threads
Reference form or chat tickets or transcripts
Direct email from patrons
System or application reports or alerts
Vendor service desk tickets or reports
This list is just a small selection of the types of emails that can contain data around a patron’s activities such as:
Search and circulation histories
Electronic resource authentication and access history
Library computer and wifi logs and activity
And that’s just the start of how much patron data is in staff emails!
The ease of storing and sharing data through email makes it difficult to control data sharing and retention once the data hits the email system. The risk to patron privacy compounds once the email containing patron data leaves the library’s email system and into a third-party email account, be it a vendor or even a personal email account. Another risk for many libraries is that staff emails are subject to public disclosure requests. Several state and local regulations protect patron record data from disclosure, but in some cases, this protection might not extend to patron data in staff email. If your library’s emails can be publicly requested, don’t assume that you’ll get a chance to redact patron data before the emails are released to the public.
Starting the Long Journey of Protecting Patron Privacy in Staff Email
Scrubbing patron data from library email is a Sisyphean task. You can tell patrons not to email PII only to have patrons send over their logins for the financial website they can’t log into on a public computer. You can tell staff not to store patron data in work email, only to have staff use email as their primary knowledgebase for reference chat questions and answers. However, you have more control over how staff uses library email than you do patrons – this is where we start our scrubbing journey.
We’ll break this journey into two parts: the short and long term. The following are some actions workers and organizations can take in mitigating patron privacy risk in library emails:
Short term (individual) actions
First, get familiar with your email system’s filter and search capabilities! These will make the deletion process less painful.
Find and delete system-generated emails that contain patron data. These can be found through searching by a shared email address or subject line.
Search for emails with attachments and delete attachments if they contain patron data
Before deleting the email, migrate patron data that absolutely must be retained for a demonstrated operational need from email to a secured storage area designated by work (if one is available)
Create email rules to automatically delete incoming system-generated emails containing patron data
Learn how to use the ticketing system or other help desk or information desk systems as the primary mode of communication with other library staff about tickets and other
Long term (organizational) actions
Create policies and procedures around restricting the use of staff email to transmit or store certain types of patron data based on data classification level and/or privacy risk
Create secured data/file transfer options for sharing patron data, particularly between staff and authorized third parties
Set up applications and systems to not include patron data in system-generated reports and emails
Set up retention policies in email systems to automatically delete email based on organizational retention schedules or retention schedules set by legal regulation
Create procedures or processes to use the ticketing system or other help desk or information desk systems as the primary mode of communication between staff as well as between staff and patrons
Create secured storage outside of staff email for patron data that absolutely must be retained for a demonstrated operational need, and create retention schedules for the data retained in storage
The short-term actions can take a while with manual reviewing of attachments and individual emails. But, with the magic of search and filter options, you can quickly eliminate a good portion of privacy risks by deleting the archive of system-generated emails. The long-term actions require a team effort in the organization, from administration drafting policies to IT creating automatic retention policies and secured storage and transmission options.
None of us want to spend more time dealing with email than we have to, and trying to keep up with the current email inbox count is near impossible as it is. Nonetheless, we need to keep in mind that work email can put patron privacy at risk, and we must address that risk as part of our library duties. It’s a #DataSpringCleaning project that never ends, but as long as we have email, there will always be the need to clean our inboxes to protect patron privacy.
Welcome back to our series on information fiduciaries and libraries! We introduced the concept of information fiduciaries in Part One. In this series entry, we will focus on libraries as possible information fiduciaries.
A Question of Interest
Jack M. Belkin, who popularized the information fiduciary concept in 2014, expanded the traditionary fiduciary concept to a trusted party managing personal data on behalf of another. In the context of the library, what would be considered the best interest of the person? In the 10th edition of the Intellectual Freedom Manual, we have one possible interpretation of “best interest” in the way of privacy and confidentiality:
“In brief, libraries and library workers must act as information fiduciaries, assuring that in every circumstance the library user’s information is protected from misuse and unauthorized disclosure, and ensuring that the library itself does not misuse or exploit the library user’s information.”
On the surface, this appears straightforward enough. However, how a library defines “misuse or exploit” leads to a question about how libraries interpret “best interest” in the fiduciary relationship. Some organizations might interpret “best interest” in ways that others would consider exploitative. Such is the case with academic institutions and learning analytics as described in “A matter of trust: Higher education institutions as information fiduciaries in an age of educational data mining and learning analytics.” Jones, Rubel, and LeClere describe how current learning analytics initiatives violate not only student privacy but also student trust in the institution. At the same time, the institution is acting in the perceived best interest of both students and the institution.
Like academic institutions, libraries are under immense pressure to engage in data practices at the expense of patron privacy. A key component of fiduciary relationships is acting in the best interest of the represented person. While it might be in the best interest for libraries to extensively collect patron data for operations, marketing, and analysis, this level of collection and data processing would violate the best interest of their patrons’ privacy. Libraries committing to an information fiduciary relationship with their patrons must scrutinize their data privacy practices and recalibrate these practices to center on patron privacy interests.
A Question of Ownership
It becomes clear while evaluating practices and interests that the relationship between libraries, patrons, and third parties complicates matters not only in competing best interests but also in matters of data ownership. Personal data is collected in several ways. Sometimes the data collection is direct – an example is when a patron gives the library personal data to obtain a library card. Other times libraries collect personal data generated from a patron’s library resources and services use, even though the patron might not be aware of this data generation and collection. Patrons also directly give personal data to vendors when signing up for accounts and generate data when they use vendor services and resources, possibly unaware of such generation and collection happening on the vendor’s end. On top of all of this, libraries directly give vendors patron personal data. So, who owns what data?
Another component of a fiduciary relationship is the concept of management of valuable assets, particularly in sensitive matters. As demonstrated in the previous paragraph, data ownership can easily be contested if there is no clear sense as to who owns what data. Libraries can (and should!) use vendor contracts to state that the library and its patrons own the data collected by the vendor, defining some clearer ownership roles. Once again, however, technology and data practices can throw this clarity back to uncertainty, particularly with data aggregation and analytics practices by vendors and fourth parties, sometimes in the interests of the customers (libraries and patrons) and sometimes in the interest of the vendor which conflict with patron/library interests. As Jones, Thomson, and Arnold argue in “Questions of Data Ownership on Campus,” adopting an information fiduciary role can help navigate the issue of determining who owns what through focusing on shared ownership and asset management in the best interest of the patron. Even when libraries and third parties claim ownership over patron data collected through patron use of resources and services, any collection or processing of this data must center around the patrons’ best interests with regards to patron privacy.
We would be amiss, though, if we didn’t address a potential issue of treating data as an asset, even in a fiduciary role. In Kerry and Morris Jr.’s “Why data ownership is the wrong approach to protecting privacy,” commodifying data provides little protection for user privacy. Treating data as property reinforces current practices of placing market interests over individual interests. Placing the onus of data privacy management on the individual when there’s evidence that notice and consent currently fail to protect data privacy. Instead of focusing primarily on data ownership and transactional relationships, Kerry and Morris Jr. argue for federal regulation that falls in line with information fiduciary’s emphasis on acting in the interest of the individual. Nonetheless, the concept of data as property or an asset for individuals to manage and organizations to commodify has socioeconomic implications, including perpetuating harms created by the privacy violations embedded in societal systems and institutions, including the library.
Personal Data as a Collection…
We’ve only started to explore the concept of libraries as information fiduciaries. The last two posts focused on personal data collected and generated through a patron’s library use. What happens, then, when personal data is *part* of a collection? This often happens in special collections, archives, and institutional repositories that collect research data, to name a few places. What type of information fiduciary relationship exists between the people in the collection and the library or archive that hosts that collection, if any? Stay tuned for the next installment of the series!
Virginia joined California last week in the data privacy regulation club as the state governor signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2nd, 2021. This law shares some similarities with the CCPA and the upcoming CPRA, but there are just enough differences that will cause some possible confusion for library vendors who fall under the scope of the new law.
What Virginia Libraries Need to Know About CDPA Right Now
Virginia libraries paying attention to what happened in California might have a head start with what to expect in the coming years when the law comes into effect in 2023. If you were hoping that Virginia lawmakers would keep close to CCPA in an attempt to create consistent expectations and requirements for consumer data privacy, you might be out of luck. Nonetheless, there are some similarities: some good, others not so much.
First thing’s first – as was the case in California and CCPA, the vast majority of Virginia libraries do not fall under the scope of CDPA. The law pertains to entities conducting business in the state that meet a threshold of either controlling/processing personal data of at least 100,000 Virginia consumers in a calendar year OR controlling/processing personal data of at least 25,000 Virginia consumers and deriving at least 50% of their revenue from selling personal data. Combined with the exceptions made for government entities, non-profits, and higher education institutions, many libraries most likely are exempt from the CDPA, as well as non-profit library vendors.
CDPA stays close to the GDPR model of data controller (an entity determining the purpose of as well as the ways of processing personal data) and data processor (an entity that processes data on behalf of the controller). This eliminates the confusion that CCPA created by going with a different model (and CPRA added more to the confusion with the introduction of a new contractor role in that model!). Library vendors covered by CDPA could be both controller and processor in that the vendor collects and processes data on their behalf but also collects and processes data on behalf of the libraries and library patrons. Data controllers must include data collection and processing information in a publicly posted privacy notice, including what type of data is collected and shared with third parties.
Beyond scope and updates to vendor privacy notices, what do Virginia libraries need to know about CDPA?
Data rights – The new law grants the rights to access, correct, and delete their personal data with a data controller, as well as the right to request a copy of their personal data from the controller. Unlike CCPA, CDPA seems to not include household data in these rights; therefore, there might be a lesser chance of patrons requesting data that might include other patron data from their household.
Opt-out vs opt-inrights – Virginia consumers have the right to opt-out of the sale of their personal data, processing their personal data for targeted marketing, and using their personal data for profiling. This goes beyond the initial sale opt-out of CCPA. Even with the addition of “sharing” to the opt-out in CPRA, there might be confusion with vendors trying to accommodate different types of opt-out between CA and VA consumers.
Here’s where more confusion might set in – CDPA requires consumers to opt-inbefore their sensitive data is processed. Sensitive data in CDPA include race/ethnicity, sexual orientation, religious affiliation, mental and physical health, immigration status, biometric data, and precise geolocation data. On top of all this, sensitive data also includes any data collected from children under 13 years of age. CCPA requires affirmative opt-in of collecting personal data from 13- to 16-year-olds, so both laws are coming at collecting and processing minors’ data in very different ways.
Barring clarifications and amendments to either state’s regulations, expect some confusion from patrons when vendors attempt to comply with CDPA and the California data privacy laws.
A Heads Up to Libraries Outside of Virginia and California
While it took a while for another state outside of California to pass a data privacy law, the reality is that Virginia might be the first of a rapid succession of states to pass their own data privacy laws. At the time of this post, there are at least 13 states with active data privacy bills. Many of these bills share some similarities with CCPA/CPRA, but some have more in common with GDPR. The US currently has no federal data privacy law, and as time progresses, it might be that any successful federal data privacy regulation will not preempt stricter state laws. What we are looking at is a possible repeat of what we have with US data breach notification laws – 50+ different approaches, all just different enough to require their own processes. We’ll keep you updated on the latest regulations as they make their way through the legislative process, but it’s starting to look like 2021 might be a very busy year for data privacy regulation.
The Resolution on the Misuse of Behavioral Data Surveillance in Libraries, recently passed at ALA Midwinter, calls for libraries and vendors to reject behavioral data surveillance of patrons. While we are familiar with the concept of data surveillance, the last item in the resolution contains something that some in the library world are not as familiar with – information fiduciaries. This concept also appears in the recently published 10th edition of the Intellectual Freedom Manual. There’s a likely chance that “libraries as information fiduciaries” will continue to gain ground in the professional discourse around library privacy, so let’s take some time to explore this concept.
Information Fiduciaries Basics
The fiduciary concept is centuries old. Typically, a fiduciary is a person(s) who is entrusted with a valuable asset from another person(s). You might have come across the fiduciary term when dealing with finances – for example, a financial advisor might be considered a fiduciary for a client. A fiduciary relationship is built on trust. The fiduciary is trusted to act in the interest of the party that trusts them enough to manage valuable assets or represent them in sensitive matters.
The concept of information fiduciaries, popularized by Jack M. Balkin in his 2014 blog post about the concept, took the fiduciary concept of managing assets and expanded the assets definition to include information about a person. This expansion would then charge the fiduciary to manage the person’s information with the person’s interests. In Balkin’s post, the expansion to information assets would call on fiduciaries to practice a higher level of information privacy, including not using or disclosing personal information against the user’s interests.
If this seems similar to the legal concept of “duty of care,” it should be! Duty of care is a legal concept that can be a part of fiduciary duties. The fiduciary is required to act in an informed and responsible way that will not harm others in the relationship. In the case of information fiduciaries, the fiduciary duty of care would be on the company that collects the user’s data; therefore, the company would need to put the user’s interests ahead of their interest.
Too Little, Too Late?
Nonetheless, the information fiduciary concept isn’t without its critics. David E. Pozen and Lina M. Khan argue that the concept cannot reconcile the business models of social media companies who rely on using personal data with the interests of the person to sustain the company’s business model. Pozen and Khan point out the tension between the already existing financial fiduciary relationship with shareholders (that rely on the business model) and the proposed information fiduciary relationship with users. Even Balkin admits that behavioral advertising, which exploits personal information for business gain, might continue after a company takes on an information fiduciary role. In a sense, applying an information fiduciary model to existing digital company business models is trying to close the barn door after the horses escaped – you’re asking a company who has built their revenue model on exploiting user information to give up their revenue stream. Having a company become an information fiduciary after the fact isn’t going to resolve them to move away from personal information abuse.
There are other critiques of the information fiduciary concept to consider. While the Electronic Freedom Frontier generally supports information fiduciary regulations, they recognize that the concept has several limitations including governance of third-party data relationships with other third-parties, limitations around restricting the collection of user data, and the uncertainty of how the recently created concept of information fiduciary would work in practice concerning legal enforcement of any fiduciary regulations. EFF argues that information fiduciary must not replace other data privacy regulations and practices. Information fiduciaries are not comprehensive in protecting user privacy and must be approached as such.
What About Libraries?
The information fiduciary is still relatively new, but there have already been calls from the library world to adopt the fiduciary role in patron data management. We will explore some of these calls, as well as how information fiduciary might look like at the library, in part two in the coming weeks!