Privacy Roundup – Heat Dome Edition

8:31 am - 90 degrees at SeaTac and it's 8 a.m. Here we go.
Welcome to Monday morning in Seattle. Source: The Seattle Times.

Seattle is in the middle of a record-breaking heatwave, with Monday predicted to be in the low 100s F, making this the third consecutive day of 100+ temperatures. This week’s newsletter comes to you in three short parts as we take advantage of the cooler temperatures to write.

What’s going on in Colorado?

When we last wrote, Colorado lawmakers passed the Colorado Privacy Act, making it the third state to enact data privacy regulations, behind California and Virginia. While the bill has yet to receive the governor’s signature, the privacy world is already planning for CPA. CPA stays relatively close to California and Virginia data privacy regulation, though CPA also takes some inspiration from GDPR. There is one key distinction that sets CPA apart from the other states’ laws – the inclusion (or, more accurately, the lack of exemption) of non-profit entities alongside their commercial counterparts in the scope of the Act. This inclusion could mean that many non-profit library vendors who fell outside the scope of CCPA, CPRA, and CDPA might need to assess if their data privacy practices need to change to comply with CPA.

What does compliance with CPA entail? The charts from the National Law Review comparing CPA with GDPR and the California data privacy laws are a good place to start. The write-up on CPA from Thompson Hine LLP provides a more focused overview of Colorado’s (soon to be) new law. Finally, an IAPP article about the CPA talks about the strengths, missed opportunities, and less than stellar parts of the Act.

Privacy webinars and websites and resources, oh my!

Are you looking for library privacy webinars? How about recordings? Resources? No matter what you’re looking for, we got you covered!

  • This Tuesday, June 29th, at 4 pm Eastern Time, Safe Data | Safe Families will be hosting a free webinar sharing materials and resources to help public libraries and patrons face the challenges around data privacy and security at the library and beyond. Even if you can’t make it to the webinar, check out the staff training resources on the website, particularly the personas you can use for your library privacy training.
  • If you missed the Health Literacy and Privacy in a Pandemic webinar series, don’t fret! You can access and download notes, graphs, and other documentation from the conference at https://healthandprivacy.com/notes/. Looking for the videos? You can watch them as well on the front page.
  • Last but not least, if you missed our founder’s keynote at the Evergreen International Conference, you can now watch the recording on YouTube. Download the slides to follow along as well as resource notes!

Reader survey

Thank you again to all who filled out the reader survey. While we had a small number of respondents, the responses were all positive! Based on the survey, we will hold off on membership levels and monthly subscription memberships for now but will continue to provide the vast array of content that helps you in your work.

On the other hand, the Executive Assistant was slightly disappointed that more people did not demand more cat photos in the survey. We will attempt to cheer her up with a nice cool can of tuna, though that could mean changing our donation from a cup of tea to a can of tuna.

Write about library privacy (and more) at the ALA Intellectual Freedom Blog!

Is the library privacy muse inspiring you to write a blog post or two about library privacy topics? Sign up to be a blog writer for the ALA Intellectual Freedom blog! This is an excellent opportunity for those wanting to share their thoughts about library privacy with a large library audience or those looking for a service opportunity (I’m looking at you, academic library folks!). Go to the Blogger Application page to learn more about becoming a writer for the blog.

To Build or to Target?

It’s been a busy couple of weeks in the privacy world. First, Colorado is poised to be the newest state to join the patchwork of US state data privacy law. Next, Overdrive acquires Kanopy. And then there’s what happened when a patron submitted a FOIA request for their data. Privacy forgot that it’s supposed to be summer vacation! Today we’re setting aside those updates and talking about one of the most requested topics for the blog.

You or your colleagues might be scanning through the last couple of months of American Libraries in preparation for ALA Annual later this month, only to come across the “Target Acquired” article in the May 2021 issue (pages 52-53), profiling three libraries in their use of marketing and data analytic products. The profiles seem harmless enough, from email newsletter management to collection analysis. They want to understand their patrons to serve their communities better. These profiles give three different ways these products can help other libraries do the same.

Did you notice, though, that none of the profiles talked about patron privacy?

There’s a reason for that. Marketing and data analytics products such as customer relationship management systems (CRMs) rely on personal data – the more, the better. The more data you feed into the system, the more accurate the user profile becomes for creating a personalized experience or more effective marketing campaigns. CRMs are increasingly integrated into the ILS – OCLC Wise is an example of such an integration, and other ILS companies plan to release their own versions or create better integrations with existing products on the market. The libraries using Engage and Wise are excited about the possibilities of better understanding their patrons through the data generated by patron use of the library. However, we wonder if these libraries considered the consequences of turning patrons into data points to be managed in a vendor system.

It should be no surprise to our readers that LDH’s approach to marketing and data analytics in libraries does not place data above all else. Data ultimately does not replace the relationship-building work that libraries must do through meeting with community members. However, advertisement pieces such as the one in American Libraries aim to normalize user profiles in CRMS and other analytics products in libraries. As the article states at the beginning, data plays a large part in library outreach. With the pressure to prove their value to the community, library administration and management will reach for data to secure their library’s future in the community. The cost of over-relying on data to prove a library’s value, however, is usually left unexamined in these situations.

With that said, let’s do a little exercise. We have the chance to write a sequel to the advertisement piece. Instead of questions about the products, our questions will turn the tables and focus on the libraries themselves:

What are the privacy risks and potential harms to different patron groups from using the product?

Increased patron surveillance via data collection and user profiling can lead to disproportionate privacy risks for several patron groups. In addition, the business models of several vendors create additional harm by targeting specific minoritized groups, such as by reselling data to data brokers or providing data to government agencies such as ICE.

What business need(s) does the product meet? What other products can meet the same need that don’t create a user profile or require increased patron surveillance?

Sometimes libraries buy one system that doesn’t match the actual business need for the library. For example, several collection management systems on the market do not require individual-level data to provide analysis as to how to spend collection budgets or meet patron demand. In addition, libraries do not need market segmentation products to perform collection usage analysis.

How does the library reconcile the use of the product with Article III of the ALA Code of Ethics, Article VII of the ALA Library Bill of Rights (and the accompanying Privacy Interpretation document), and other applicable library standards and best practices around patron privacy?

This one is self-explanatory. FYI – “Other libraries are doing the same thing” is not an answer.

What are social, economic, and cultural biases encoded into the product? What biases and assumptions are in the data collection and analysis processes?

Library services and systems are not free from bias, including vendor systems. One bias that some libraries miss is that the data in these systems do not reflect the community but only those who use the library. Even the list of inactive users in the system does not fully reflect the community. Moreover, data alone doesn’t tell you why someone in your community doesn’t have a relationship with the library. Data doesn’t tell you, for example, that some patrons view the library as a governmental agency that will pass along data to other agencies. Data also won’t fix broken relationships, such as libraries violating patron trust or expectations.

What is the library doing to inform patrons about the use of the product? Do patrons fully understand and consent to the library using their data in the product, including pulling data from data brokers and creating profiles of their library use?

More likely than not, your library does not give patrons proper or sufficient notice, nor give patrons the chance to explicitly consent for their data to be collected and used in these products. Refer to the Santa Cruz Civil Grand Jury report on what happens when the public calls out a library using a product in the advertisement article without full patron notification or consent.

Keep these questions in mind the next time you read about marketing and data analytics products in professional magazines such as American Libraries. These advertisement articles are designed to fly under the radar for readers who might not be thinking about the privacy implications of highlighted products and practices. Building relationships with the community requires a considerable amount of time and care from the library. Data might seem to be a shortcut in speeding up the process. Nonetheless, choosing to view patrons as targets and metrics can ultimately undermine the foundation of any sustainable relationship.

Reader Survey Open Until June 15th

Thank you to everyone who has filled out the reader survey. If you haven’t filled out the survey yet, we want to hear from you! Take five minutes to help shape the future of the blog by filling out our short survey.

State of The Hat: What’s Brewing and Reader Survey

[Image: A black plushie llama flanked by two blocky yellow and green rubber duckies. The llama has a sticker of a brown hat on top of their head. Text on the hat: "follow the hat, libdataprivacy.com". Caption: Back in our early days…]

Welcome to June! Today marks the start of the blog’s “summer schedule,” where we post on a bi-weekly basis. This month also marks the beginning of the summer for many in the Northern Hemisphere. We say “many” because in Seattle the summer season is replaced by construction season. For our East Coast readers, summer is becoming Brood X season.

Now that we are halfway through 2021, let’s take a peek behind the scenes of the blog, including a chance to help shape the future of the Hat!

What’s brewing at The Hat?

There are few certainties in today’s world: death and taxes are two. The third is the rapid pace of change in the privacy world. It’s hard to keep up with all the updates, even for privacy professionals such as ourselves at LDH! The Tip of The Hat is doing its best to keep up with the latest news and updates in the library privacy world. From major vendor acquisitions and library policies around COVID-19 to tracking privacy implications of the newest library technology trends and significant tech company developments, we’ll keep you covered! We are also keeping track of the ongoing deluge of state and federal data privacy bills. While we are not lawyers at LDH, we will continue to alert our readers of new data privacy laws that will affect how libraries work with vendors in protecting patron privacy.

We also have several ongoing series and reader requests in the middle of all this news and these updates! The third installment of our “Librarians as Information Fiduciaries?” series is in the works, as well as additional writeups for tools to add to your privacy tech toolkit or cybersecurity awareness programming. We might even make a habit of doing our #DataSpringCleaning throughout the year, particularly for library workers who are making the transition back to the office or who are now planning to continue a hybrid of onsite and virtual work and programming. And we will never not post about the patron data lifecycle, including posts questioning why we are collecting data that, if we are honest, is not needed for our patrons to use the library.

We’ve had several requests for more content around the privacy, ethical, and equity implications of handling data in libraries, particularly around data analytics and how libraries use customer relationship management systems (CRMs) for market segmentation projects. More posts are in the works as major library vendors release new data analytics and CRMs into the library market. Yes, we did notice the “Target Acquired” article in the May 2021 issue of American Libraries (pages 52-53). Yes, we plan to write about where that article misses the privacy mark with its product profiles. Analytics is not far removed from surveillance. We will continue to highlight how libraries can avoid becoming another major player in the surveillance economy, including the various privacy risks involved in tracking patron use of libraries, be it by libraries or by vendors.

How you can shape the future of The Hat

We at LDH are doing our best to keep the library world up to date with the latest news and updates in the privacy world, as well as delivering more in-depth pieces around library privacy. The Tip of The Hat has been going strong since February 2019 – this post is #102! Best of all, every blog post is free for all to read and will continue to be free to the library world and beyond.

This free model has been sustainable, but up to a point. Each week (or every other week during our summer posting schedule), we research, write, edit, and post timely and thought-provoking content about all matters of library privacy. We want to explore a few ways in which those who can financially support this work can help us continue the blog for the long term.

If you visited the blog last week, you might have noticed a new link in the blog menu inviting people to buy us tea. Readers of the blog can now donate a few dollars through our new Buy Me a Coffee page! Currently, we have the page set up for readers interested in a one-time donation to keep The Tip of The Hat running via cups of tea. No site account is required to donate – you only need a credit card or PayPal account for a one-time donation.

[The fine print – Readers can visit the privacy policy to learn more about what information is and is not collected and processed on the donation site. Readers who want to donate without attaching a name to the donation can do so following the instructions on the Supporter FAQ page.]

We also want to hear from our readers! We created a quick reader survey asking about other possibilities for the future of The Hat, including future content ideas and possible membership levels to help fund the continued work on the blog. Again, we will continue to make the content on the blog free for all to access, even if we introduce a membership level for those who want to make a monthly donation to support the blog.

The survey will be open to our readers until June 15th, 2021. Please take a few moments to let us know your thoughts about the future of The Hat! Thank you all again for your support and readership throughout the years. We look forward to hearing from you all about the future of the blog and beyond.

We’ll be back on June 14th – enjoy the start of the new month!