Month: January 2022

Posted on

A Flurry of Privacy Bills, FLoC Flies Away, and a Smart Assistant’s Long Memory

A brown and white Pomeranian, wearing a red sweater and brown eyeglass frames, stands in front of an iPad sitting on a wooden tabletop.
Photo by Cookie the Pom on Unsplash

Congratulations on making it through the first month of 2022! As we prepare to enter the second month of the year, let’s take a few moments to catch up on a few news items in the privacy world.

A Flurry of State Data Privacy Bills

State legislators wasted no time introducing the latest round of data privacy bills at the start of the legislative year. Some states are reviving previously introduced bills with the hopes of pushing them through in the new session, while other states are finally joining the bandwagon and introducing comprehensive data privacy laws for the first time since the rush for state data privacy laws began several years ago.

Out of all the states introducing bills this legislative session, all eyes are on LDH’s home state, Washington State. The Washington Privacy Act, which failed to pass multiple times in previous legislative years, is back. However, there are currently two other competing comprehensive data privacy bills. The first bill, the People’s Privacy Act, deviates from WPA in several key places, including stricter requirements around data collection and processing (e.g., requiring covered entities to obtain opt-in consent for processing personal data), biometric data handling, and a private right of action. The second bill, the Washington Foundational Data Privacy Act, is a new bill that brings the idea of creating a new governmental commission, something that the two other bills lack. Each bill has its strengths and weaknesses concerning data privacy. Nevertheless, if Washington manages to pass one of these bills – or a completely different bill that is still yet to be introduced – the passed data privacy bill will influence other states’ efforts in passing their privacy bills.

FLoC Flew Away

Rejoice, for FLoC is no more! We previously covered Google’s attempt to replace cookies and the many privacy issues with this attempt. The pushback from the public and organizations has finally led Google to rethink its approach. It also didn’t help that major web browsers, which were supposed to play a critical role in FLoC, refused to play along.

Google didn’t completely abandon the effort to replace cookies, nevertheless. Google announced a new proposal, Topics, as an attempt to create a less privacy-invasive alternative to cookies. It’s still early to tell if this FLoC alternative is truly any better than FLoC, but initial reports seem to suggest that the Topics API is an improvement. However, we did notice that some of these reports mention that users would be primarily responsible for understanding and choosing the level of tracking in browser settings. Ultimately, we are still dealing with businesses pushing tracking user activity by default.

Smart Assistants Have Long Memories

Have you requested a copy of your personal data yet? Even if you are not a resident of the EU or California, you can still request a copy of your personal data from many major businesses and organizations. This includes library vendors! Requesting a copy of your data from a company can highlight how easy it is for a company to track your use of its services. A good library-related example is OverDrive’s tracking of patron borrowing history, even though users might assume that their borrowing history isn’t being recorded after flipping a toggle to “hide” their history in user settings.

The latest example of extensive user tracking comes from a Twitter thread of a person going through the data Amazon has collected about her throughout the years, including all the times she interacted with Amazon Alexia. We’re not surprised about the level of data collection from Amazon – the tracking of page flips, notes, and other Kindle activity by Amazon has been a point of contention around library privacy for years. Instead, this is a reminder for libraries who are currently using or planning to use smart speakers and smart assistants to provide patron services that Amazon (and other companies) will collect and store patron data generated by their use of these services by default. This is also a good reminder that your smart speaker in your work or home office is also listening in on your conversations, including conversations around patron data that is supposed to remain private and confidential.

If you have a smart speaker (or other smart-enabled devices with a microphone) at your library or in your home office, you might want to reconsider. The companies behind these products are not bound to the same level of privacy and confidentiality as libraries in protecting patron data. Request a copy of data collected by the company behind that smart speaker sitting in the library. How much of that data could be tied back to data about patrons? How much do your patrons know about the collection, use, and sharing of data by the company behind the smart speaker at the library? What can your library do to better protect patron privacy around the smart speaker? Chances are, you might end up relocating that smart speaker from the top of the desk to the bottom of a desk drawer.

Posted on

Data Privacy Day (or Week!) Celebrations and Reflections

The words "Data Privacy Week" surrounded by circles of blue dots of various sizes.

This Friday, January 28, is Data Privacy Day! Don’t worry if you don’t have anything planned to mark the data at your library – you still have some time for some last-minute planning. You can check out last year’s Data Privacy Day post for some last-minute ideas. This year’s Data Privacy Day, though, should include a couple of other things to make it more meaningful at your library.

We won’t be the first privacy folks to admit that it’s hard to get people excited about privacy – even for Data Privacy Day – unless it involves cookies or cake. Now that the National Cybersecurity Alliance expanded Data Privacy Day into an entire week, where does one even begin? The NCA suggests that organizations conduct assessments, adopt privacy frameworks, and create a culture of privacy through educating employees. However, most of these suggestions go well beyond a week that’s supposed to be celebrating and raising awareness, and there’s still a lack of baked goods. We’re not saying that everyone is motivated by baked goods, but while all the suggestions are vital to protect data privacy in daily operations, these suggestions are not precisely celebratory by default.

Data Privacy Day (or Week) should not only raise awareness around data privacy issues, but it should also be a time for recognition and celebration of the work done around data privacy. Like other work in libraries, privacy work can go unacknowledged or unnoticed, even though the work impacts all levels of library operations and services. Data Privacy Day is an opportunity to take stock of what your library has accomplished in the past year and acknowledge the people behind those accomplishments, be it individuals, teams, or collaborations between groups. Highlighting these accomplishments can also help push back against the feeling like no progress is being made. Privacy is multifaceted – it’s not uncommon for us at LDH to get comments from library workers about not realizing just how complex data privacy can be. Making a concerted effort to acknowledge and celebrate progress – no matter how small – can help mitigate feeling overwhelmed about data privacy overall.

Data Privacy Day should also be a day where your library can set priorities around privacy for the following year. Perhaps that could be continuing ongoing work planning to make that work sustainable in the long run. New projects and initiatives can also be on the privacy priority list, but don’t limit yourself to projects that can be wrapped up neatly in a bow by the end of the year. Instead, focus on what can be realistically achieved by next year. Having a dedicated day like Data Privacy Day can also help with accountability – what are persistent privacy issues at your library? How will your library address these ongoing privacy issues? Make an action plan and check in with that plan the next time Data Privacy Day comes around – what progress has been made? What barriers and challenges did you overcome, and which ones still need to be addressed to continue progress?

Overall, Data Privacy Day should be a day to raise awareness of data privacy issues and a day for celebration and reflection. It should be a day where your library recognizes the often-invisible work many library workers do around privacy. It should also be a day where the library holds itself accountable and determine what needs to be done to address persistent privacy issues in the upcoming year. Being deliberate in the day’s celebrations can make Data Privacy Day into something more meaningful for your library.

Three Years and Counting

This last week also marked the third (!) anniversary of LDH! 2021 proved to be as challenging as 2020; nevertheless, we persevered thanks to your support throughout the year. 2021 also proved to be a hectic year! ICYMI, here are some of the things that happened at LDH in the past year:

LDH can help your library or organization protect patron privacy in your data practices, from privacy training and policy reviews to data audits and risk assessments. Contact us to set up an initial consultation – we look forward to hearing from you in the coming year.

Posted on

Training is Only One Part of the Library Privacy Equation

A person wearing a red shirt is presenting from a raised stage in a very large, windowless presentation hall. The audience is divided into two long sections of seats.
Photo by Claudio Schwarz on Unsplash

Wouldn’t it be nice if you never had to take another work-mandated training ever again? No more having to block an entire day off to head over to sit in a stuffy windowless room trying to focus on the training slides while all the lights are still on, making the projection barely readable, and you can barely make out what the trainer is saying? Even when you take the pandemic into account, do you really want to sit through a day-long Zoom training session?

If you said no to either question, you’re in good company. Training is either a critical component or a bureaucratic hurdle in the workplace, depending on who you ask. Training quality widely differs from workplace to workplace. Some training sessions are well designed and practical, while others fail. Nevertheless, training serves several critical functions in any organization, including library privacy training:

  • Orienting workers to library privacy policies and procedures
  • Providing opportunities for practicing specific procedures or skills in a controlled environment through the use of scenarios and other exercises
  • Ensuring a baseline knowledge of library privacy codes, ethics, and standards
  • Developing new or updating existing knowledge or skills around protecting patron privacy

Privacy protections are only as strong as those who have the least amount of knowledge about those protections. Lack of training or undertraining library workers creates additional risks to patron privacy through not following or understanding policy or procedure. Regular up-to-date training of library workers reduces that risk to patrons and library alike.

With that said, training can only do so much in protecting patron privacy. Training is only one part of a comprehensive approach to library privacy. On its own, privacy training – no matter how well-designed – cannot reduce or eliminate all privacy risks. Training alone is ineffective when a tool, policy, or procedure is inherently privacy-invasive. Training will not solve the flawed policy, procedure, or tool – as long as the invasiveness is left unaddressed, you’ll continue to see the same results from said bad design. If there is a process that repeatedly leaks or provides unauthorized access to patron data, for example, and there is no dedicated effort on the part of the library in changing this process, training will not fundamentally address the risk to the fullest extent possible.

You might be thinking that training could bring a library’s attention to the risks of such a process, but this is where we have to confront the uncomfortable truth around privacy training. Library privacy training is only as effective as the lowest number of resources or staff dedicated to protecting patron privacy in library operations. If the library only spends dedicated resources and staff time in creating and conducting privacy training, library workers are left trying to implement what they learned in training without the support needed to have a chance to succeed in reducing privacy risks in their daily work. For example, a library privacy training that teaches library workers to write a privacy policy might produce a policy that the library can then adopt. But what happens afterward? There needs to be support in ensuring that library procedures line up with the privacy policy. The privacy policy also needs to be communicated to patrons – how can a library do that effectively so that patrons can easily access and understand the policy without being given the required time and resources to do the necessary work? Where is the time to review vendor contracts and privacy policies to identify misalignment with the library privacy policy, and how will library workers address these risks with the vendors if they cannot get the time dedicated to this work?

Without the organization’s support, the effectiveness of library privacy training is limited at best. Over-relying on privacy training to protect patron privacy is like waiting to address privacy risks at the end of a project – attempts to mitigate risk will be hampered by a lack of resources and time. It will most likely not solve fundamental issues inherent in the end product’s design. Like Privacy by Design in project management, a privacy program prioritizing privacy in all levels of library operations and services can systematically address these fundamental privacy issues. Unlike training, privacy programs focus on the long term – what resources are needed to embed privacy into every level of library work? How can we build a sustainable relationship with our patrons to address their privacy concerns? How can patrons have more agency in helping with determining how the library does privacy?

Library privacy requires every part of library operations to prioritize privacy. Strong privacy policies, privacy-preserving technologies, vendor contract negotiations and privacy assessments, privacy audits, data inventories – these are only some of the things that libraries need to do to protect patron privacy better. Training is part of that library privacy equation, but without dedicating resources and time to a sustainable library privacy program, training alone cannot protect patron privacy.

Posted on

So, What’s Going On With Data Privacy Regulation Nowadays?

An adult white woman wearing a black dotted white shirt and jeans stands facing a white wall with black text. The text lists and describes the five data privacy principles by Mozilla: sensible settings, no surprises, defense in depth, user control, and limited data.
Image source: https://www.flickr.com/photos/vintagedept/15704560667/ (CC BY 2.0)

Welcome to the first post of the year! We hope you all had a restful holiday break. Now that most of us are back from our holiday break, it’s time to figure out what exactly is going on and what to expect in the new year.

2022 is shaping up to be another busy year for privacy professionals. A lot of that work will be around tracking data privacy regulations worldwide, from China’s new data protection regulation (PIPL) to India’s proposed changes to their Personal Data Protection bill. News from the EU is steady with GDPR violations and fines and will continue throughout the year. The EU is also poised to introduce more data regulations, including regulations around AI and cybersecurity.

While other countries are implementing and revising data privacy regulations, the US remains in a perpetual cycle of failed data privacy and security bills. A glance at the US State Privacy Legislation Tracker shows that despite 23 states introducing data privacy bills last year, Virginia and Colorado were the only states to sign a bill into law in 2021. Like LDH’s home state of Washington, some states failed to pass multiple data privacy bills, including bills that were re-introduced after earlier attempts to pass the same bill in previous years.

On a federal level, several data privacy and security bills – such as the Data Care Act of 2021, the Mind Your Own Business Act of 2021, and the Children and Teens’ Online Privacy Protection Act – remain active; however, there is no strong indication about the fate of these bills in the current session of Congress. Comprehensive data privacy and security legislation, such as the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act and the Consumer Data Privacy and Security Act of 2021, remain in committee. Again, there’s no firm indication if either of these comprehensive bills will become law in 2022.

Where does all of this leave US libraries and library vendors? Internationally, data privacy regulation updates will mean more changes for vendors who fall within the scope of said regulations. The upcoming data initiatives in the EU, for example, can impact the data privacy practices of library vendors and other organizations that fall under the scope of GDPR. In addition, as was the case with GDPR, international data privacy regulations can influence the overall shape of the data privacy legislation in the US. Nevertheless, the US continues to march to the beat of their own drum, still relying on a sectorial approach to data privacy regulation, with states trying to figure out comprehensive data privacy regulation on their terms.

Most of the existing comprehensive data privacy regulations, like CCPA and VCDPA, target for-profit and/or organizations that meet specific revenue or data sharing/selling thresholds, leaving most libraries outside of the scope of these laws. Just because libraries are not currently required to comply with these laws does not mean that they are not impacted by this patchwork approach to data privacy in the US. While GDPR impacted some libraries via their parent institutions (such as higher education institutions with campuses or partnerships in the EU), most libraries have probably noticed changes with library vendor services throughout the year as vendors work toward CCPA compliance. Some of these changes include allowing patrons to request a copy of the personal data the vendor has in their systems. If other states pass data privacy bills, libraries should expect additional change concerning how the vendor handles data privacy, regardless of where the library is located in the US.

In short, the data privacy regulation landscape for 2022 looks a bit like 2021 – a lot of legislative activity, but we’re not sure if that activity will lead to actual regulation. As always, LDH will keep you up to date on data privacy regulations that will impact libraries and library vendors. In the meantime, libraries should continue to work with vendors in not only ensuring compliance to specific data privacy regulations but going beyond a compliance-only approach to better protect patron privacy at the library.