Hello everyone! It’s been a while since our last post in April, and a lot has happened. A Supreme Court ruling that will change how courts interpret an individual’s right to privacy, a bipartisan federal data privacy bill gaining momentum, ICE dipping into LexisNexis data much more than initially thought – and all of that is just within the past month. A lot is going on in the privacy world right now! While we won’t be back on our regular post schedule for a little longer, we will have time to bring you analysis and updates as they come along.
Speaking of updates, we have a big one to announce – the publication of our first book! Managing Data for Patron Privacy: Comprehensive Strategies for Libraries breaks down what library workers need to do to protect the privacy of their patron’s data. In this book, Kristin Briney, Biology & Biological Engineering Librarian at the California Institute of Technology, and LDH founder Becky Yoose cover key topics as:
succinct summaries of major U.S. laws and other regulations and standards governing patron data management;
information security practices to protect patrons and libraries from common threats;
how to navigate barriers in organizational culture when implementing data privacy measures;
sources for publicly available, customizable privacy training material for library workers;
the data life cycle from planning and collecting to disposal;
how to conduct a data inventory;
understanding the associated privacy risks of different types of library data;
why the current popular model of library assessment can become a huge privacy invasion;
addressing key topics while keeping your privacy policy clear and understandable to patrons; and
data privacy and security provisions to look for in vendor contracts.
Managing Data for Patron Privacy is a great place to start for library workers and libraries looking to cultivate a sustainable, holistic approach to their data privacy practices. Come for the case studies and practical advice; stay for the cats, glitter, and pasty recipe. 😉 We hope you enjoy the book, and please let us know if you have any questions or comments as you dive into our new book!
Last week was a hectic week in the library world, but we made it! Ideally, we would be spending time in this week’s post summarizing the events that brought us to Follett’s announcement on Friday stating that they would not develop the proposed system features that would have put student privacy at risk. However, life has other plans. Today, we want to give you a quick update as to what to expect here in the coming months:
We won’t be regularly posting to The Tip of The Hat during April. We hope to have one or two regular posts this month, but don’t be surprised if we happen only to have one.
We plan to resume regular posting in May. Our Executive Assistant will see to it that this happens!
Depending on the circumstances, we might start our summer posting schedule one month early.
In the meantime, if you have any questions or topics you would like us to cover in a future post, send us an email at newsletter@ldhconsultingservices.com. In addition, let us know if you have an idea for a guest post for The Hat!
Thank you all for your understanding and readership during the three-plus years of The Tip of The Hat!
Let’s take a break to appreciate the cherry blossoms across town.
[Bonus – If you’re curious about what makes a cherry tree a cherry tree, the University of Washington created an animated illustration describing the anatomy of a cherry tree.]
Take some time to appreciate the flower blossoms wherever you are – we’ll be back next week with the latest library privacy news and updates.
In The Meantime…
Do you have a library privacy question for us? Email us at newsletter@ldhconsultingservices.com with your question or idea and we’ll feature it in a future newsletter. We also welcome guest writers for the newsletter. If you have an idea for a guest post, let us know for a chance to be featured on the blog. We look forward to your questions and ideas!
The Executive Assistant wishes everyone a happy Festivus season! It’s time to gather around the Festivus pole for the Airing of Grievances, in which we suspect there are many grievances to be aired given how 2021 played out. Nevertheless, a new year brings new opportunities and fewer grievances – unless you’re the Executive Assistant. There is the perpetual grievance of not having enough tuna in the office.
We will be back after the New Year. We have you covered if you need some privacy reads and videos to tie you over the holiday break. 2021 has been a hectic year in the privacy world, and while we covered a lot in the blog this year, there’s a lot more that we didn’t get to in our posts. Here are some of the reads that you might have missed this past year:
The Thing that Gets Us to the Thing – Shea Swauger’s talk delves into the library profession’s problematic framing of and approach to privacy. Shea challenges the profession to reconceptualize privacy – “Privacy isn’t the thing, it’s the thing that gets us to the thing.”
Understanding the Security and Privacy Advice Given to Black Lives Matter Protesters – While this paper focuses on data security and privacy practices and awareness in a specific population – novice protesters – the findings and recommendations are of interest for library workers who work with patrons through library programming or other outreach and educational services around digital privacy and security.
Have a safe and quiet rest of 2021, and we’ll see you next year!
We’re going to start the post with a quick exercise. Where do you live and work? Easy enough, right? Some of you probably can name a street, neighborhood, town, city, or state off the top of your head.
Let’s take the first question and change a couple of words – whose land do you live and work on?
Some of you might already know whose land that you live and work on. For those who do not, you can visit https://native-land.ca/ to find more information about the indigenous lands you currently occupy.
As we wrap up Native American Heritage Month this week, we are taking some time to give some context around the land acknowledgment included in our recent talks. You can use the resources at the end of the post for your acknowledgments that go beyond a statement of whose land you’re on.
Acknowledgment as The First Step
LDH lives and works on the unceded, traditional land of the Duwamish People, the first people of Seattle.
The above-italicized sentence is the start of the land acknowledgment in recent LDH talks. Many of us have encountered similar statements in various events and presentations. Land (or territory) acknowledgments sometimes stop here, naming the peoples whose land we’re on. However, this approach lacks the full acknowledgment of how the land became occupied. It also doesn’t acknowledge the present-day impact this occupation has on the people.
The Duwamish Tribe was the first signatories on the Treaty of Point Elliott in 1855. The Tribe has been denied the rights established in the treaty for over 165 years. The United States Federal Government currently does not recognize the Duwamish Tribe, denying the Tribe the rights and protections of federal recognition.
Naming the treaty is important in giving the historical context around the occupation of the land, but equally important is the explicit statement that the treaty has still to be honored by the federal government. The Duwamish Tribe is not federally recognized, which is important to acknowledge because of its historical impact on the Tribe and its current impact on the Tribe’s rights to funding for and access to housing, social services, and education, among other resources and services.
The Duwamish People are still here, continuing to honor and bring to light their ancient heritage.
Indigenouspeoplearestillhere. It’s easy to leave the land acknowledgment to acknowledge the past and not venture into the present. But an acknowledgment of the present has to go beyond education and head into action.
Calls to Action
A portion of the speaker’s fee from the conference will be donated to Real Rent Duwamish. Real Rent serves as a way for people occupying this land to provide financial compensation to the Tribe for use of their land and resources – https://www.realrentduwamish.org/
The Tribe has started a petition to send to our state congresspeople to create and support a bill in Congress that would grant the Tribe federal recognition. The link to the petition is on the slide – https://www.standwiththeduwamish.org/
You are welcome to join me in donating to Real Rent or signing the petition.
The second half of the acknowledgment are two specific calls to action. Each action provides the opportunity for event attendees to support or advocate for the Duwamish People whose land LDH occupies. Real Rent Duwamish provides financial support and resources for the Tribe through a voluntary land tax. The petition aims to gather support for a bill granting the Tribe federal recognition, giving the Tribe access to services and resources available to other treaty tribes. If attendees cannot financially donate to Real Rent, they can provide non-financial support through the petition.
LDH’s acknowledgment focuses on calls to action around solidarity with the Duwamish People. Other land acknowledgments make the additional call for event attendees to research whose lands they occupy through https://native-land.ca/. Clicking on a specific territory will provide a page with resources where attendees can learn more about the Indigenous people whose land they’re on. For example, the Duwamish Tribe page on the site also links to ways to support the Tribe. Other calls to action found in land acknowledgments include supporting water protectors, such as supporting water protectors in stopping Line 3.
Resources
The list below is some resources you can use to inform not only yourself and others about the land you occupy but also what you and others can do to be in solidarity with Indigenous people in your acknowledgments and beyond.
Seattle is in the middle of a record-breaking heatwave, with Monday predicted to be in the low 100s F, making this the third consecutive day of 100+ temperatures. This week’s newsletter comes to you in three short parts as we take advantage of the cooler temperatures to write.
What’s going on in Colorado?
When we last wrote, Colorado lawmakers passed the Colorado Privacy Act, making it the third state to enact data privacy regulations, behind California and Virginia. While the bill has yet to receive the governor’s signature, the privacy world is already planning for CPA. CPA stays relatively close to California and Virginia data privacy regulation, though CPA also takes some inspiration from GDPR. There is one key distinction that sets CPA apart from the other states’ laws – the inclusion (or, more accurately, the lack of exemption) of non-profit entities alongside their commercial counterparts in the scope of the Act. This inclusion could mean that many non-profit library vendors who fell outside the scope of CCPA, CPRA, and CDPA might need to assess if their data privacy practices need to change to comply with CPA.
Privacy webinars and websites and resources, oh my!
Are you looking for library privacy webinars? How about recordings? Resources? No matter what you’re looking for, we got you covered!
This Tuesday, June 29th, at 4 pm Eastern Time, Safe Data | Safe Families will be hosting a free webinar sharing materials and resources to help public libraries and patrons face the challenges around data privacy and security at the library and beyond. Even if you can’t make it to the webinar, check out the staff training resources on the website, particularly the personas you can use for your library privacy training.
If you missed the Health Literacy and Privacy in a Pandemic webinar series, don’t fret! You can access and download notes, graphs, and other documentation from the conference at https://healthandprivacy.com/notes/. Looking for the videos? You can watch them as well on the front page.
Last but not least, if you missed our founder’s keynote at the Evergreen International Conference, you can now watch the recording on YouTube. Download the slides to follow along as well as resource notes!
Reader survey
Thank you all again for those who filled out the reader survey. While we had a small number of respondents, the responses were all positive! Based on the survey, we will hold off on membership levels and monthly subscription memberships for now but will continue to provide the vast array of content to continue to be helpful in your work.
On the other hand, the Executive Assistant was slightly disappointed that more people did not demand more cat photos in the survey. We will attempt to cheer her up with a nice cool can of tuna, though that could mean changing our donation from a cup of tea to a can of tuna.
Write about library privacy (and more) at the ALA Intellectual Freedom Blog!
Is the library privacy muse inspiring you to write a blog post or two about library privacy topics? Sign up to be a blog writer for the ALA Intellectual Freedom blog! This is an excellent opportunity for those wanting to share your thoughts about library privacy to a large library audience or those looking for a service opportunity (I’m looking at you, academic library folks!). Go to the Blogger Application page to learn more about becoming a writer for the blog.
Welcome to June! Today marks the start of the blog’s “summer schedule,” where we post on a bi-weekly basis. This month also marks the beginning of the summer for many in the Northern Hemisphere. We say “many” because in Seattle the summer season is replaced by construction season. For our East Coast readers, summer is becoming Brood X season.
Now that we are halfway through 2021 let’s take a peek behind the scenes of the blog, including a chance to help shape the future of the Hat!
What’s brewing at The Hat?
There are few certainties in today’s world: death and taxes are two. The third is the rapid pace of change in the privacy world. It’s hard to keep up with all the updates, even for privacy professionals such as ourselves at LDH! The Tip of The Hat is doing its best to keep up with the latest news and updates in the library privacy world. From major vendor acquisitions and library policies around COVID-19 to tracking privacy implications of the newest library technology trends and significant tech company developments, we’ll keep you covered! We are also keeping track of the ongoing deluge of state and federal data privacy bills. While we are not lawyers at LDH, we will continue to alert our readers of new data privacy laws that will affect how libraries work with vendors in protecting patron privacy.
We’ve had several requests for more content around the privacy, ethical, and equity implications of handling data in libraries, particularly around data analytics and how libraries use customer relationship management systems (CRMs) for market segmentation projects. More posts are in the works as major library vendors release new data analytics and CRMs into the library market. Yes, we did notice the “Target Acquired” article in the May 2021 issue of American Libraries (page 52-53). Yes, we plan to write about where that article misses the privacy mark with its product profiles. Analytics is not far removed from surveillance. We will continue to highlight how libraries can avoid becoming another major player in the surveillance economy, including the various privacy risks involved in tracking patron use of libraries, be it by libraries or by vendors.
How you can shape the future of The Hat
We at LDH are doing our best to keep the library world up to date with the latest news and updates in the privacy world, as well as delivering more in-depth pieces around library privacy. The Tip of The Hat has been going strong since February 2019 – this post is #102! Best of all, every blog post is free for all to read and will continue to be free to the library world and beyond.
This free model has been sustainable, but up to a point. Each week (or every other week during our summer posting schedule), we research, write, edit, and post timely and thought-provoking content about all matters of library privacy. We want to explore a few ways in which those who can financially support this work can help us continue the blog for the long term.
If you visited the blog last week, you might have noticed a new link in the blog menu inviting people to buy us tea. Readers of the blog can now donate a few dollars through our new Buy Me a Coffee page! Currently, we have the page set up for readers interested in a one-time donation to keep The Tip of The Hat running via cups of tea. No site account is required to donate – you only need a credit card or PayPal account for a one-time donation.
[The fine print – Readers can visit the privacy policy to learn more about what information is and is not collected and processed on the donation site. Readers who want to donate without attaching a name to the donation can do so following the instructions on the Supporter FAQ page.]
We also want to hear from our readers! We created a quick reader survey asking about other possibilities for the future of The Hat, including future content ideas and possible membership levels to help fund the continued work on the blog. Again, we will continue to make the content on the blog free for all to access, even if we introduce a membership level for those who want to make a monthly donation to support the blog.
The survey will be open to our readers until June 15th, 2021. Please take a few moments to let us know your thoughts about the future of The Hat! Thank you all again for your support and readership throughout the years. We look forward to hearing from you all about the future of the blog and beyond.
We’ll be back on June 14th – enjoy the start of the new month!
We’re taking some time to appreciate the cherry blossoms this week.
Take some time to appreciate the flower blossoms wherever you are – we’ll be back next week with the latest library privacy news and updates.
In the meantime…
Do you have a library privacy question for us? Email us at newsletter@ldhconsultingservices.com with your question or idea and we’ll feature it in a future newsletter. We also welcome guest writers for the newsletter. If you have an idea for a guest post, let us know for a chance to be featured on the blog. We look forward to your questions and ideas!
Virginia joined California last week in the data privacy regulation club as the state governor signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2nd, 2021. This law shares some similarities with the CCPA and the upcoming CPRA, but there are just enough differences that will cause some possible confusion for library vendors who fall under the scope of the new law.
What Virginia Libraries Need to Know About CDPA Right Now
Virginia libraries paying attention to what happened in California might have a head start with what to expect in the coming years when the law comes into effect in 2023. If you were hoping that Virginia lawmakers would keep close to CCPA in an attempt to create consistent expectations and requirements for consumer data privacy, you might be out of luck. Nonetheless, there are some similarities: some good, others not so much.
First thing’s first – as was the case in California and CCPA, the vast majority of Virginia libraries do not fall under the scope of CDPA. The law pertains to entities conducting business in the state that meet a threshold of either controlling/processing personal data of at least 100,000 Virginia consumers in a calendar year OR controlling/processing personal data of at least 25,000 Virginia consumers and deriving at least 50% of their revenue from selling personal data. Combined with the exceptions made for government entities, non-profits, and higher education institutions, many libraries most likely are exempt from the CDPA, as well as non-profit library vendors.
CDPA stays close to the GDPR model of data controller (an entity determining the purpose of as well as the ways of processing personal data) and data processor (an entity that processes data on behalf of the controller). This eliminates the confusion that CCPA created by going with a different model (and CPRA added more to the confusion with the introduction of a new contractor role in that model!). Library vendors covered by CDPA could be both controller and processor in that the vendor collects and processes data on their behalf but also collects and processes data on behalf of the libraries and library patrons. Data controllers must include data collection and processing information in a publicly posted privacy notice, including what type of data is collected and shared with third parties.
Beyond scope and updates to vendor privacy notices, what do Virginia libraries need to know about CDPA?
Data rights – The new law grants the rights to access, correct, and delete their personal data with a data controller, as well as the right to request a copy of their personal data from the controller. Unlike CCPA, CDPA seems to not include household data in these rights; therefore, there might be a lesser chance of patrons requesting data that might include other patron data from their household.
Opt-out vs opt-inrights – Virginia consumers have the right to opt-out of the sale of their personal data, processing their personal data for targeted marketing, and using their personal data for profiling. This goes beyond the initial sale opt-out of CCPA. Even with the addition of “sharing” to the opt-out in CPRA, there might be confusion with vendors trying to accommodate different types of opt-out between CA and VA consumers.
Here’s where more confusion might set in – CDPA requires consumers to opt-inbefore their sensitive data is processed. Sensitive data in CDPA include race/ethnicity, sexual orientation, religious affiliation, mental and physical health, immigration status, biometric data, and precise geolocation data. On top of all this, sensitive data also includes any data collected from children under 13 years of age. CCPA requires affirmative opt-in of collecting personal data from 13- to 16-year-olds, so both laws are coming at collecting and processing minors’ data in very different ways.
Barring clarifications and amendments to either state’s regulations, expect some confusion from patrons when vendors attempt to comply with CDPA and the California data privacy laws.
A Heads Up to Libraries Outside of Virginia and California
While it took a while for another state outside of California to pass a data privacy law, the reality is that Virginia might be the first of a rapid succession of states to pass their own data privacy laws. At the time of this post, there are at least 13 states with active data privacy bills. Many of these bills share some similarities with CCPA/CPRA, but some have more in common with GDPR. The US currently has no federal data privacy law, and as time progresses, it might be that any successful federal data privacy regulation will not preempt stricter state laws. What we are looking at is a possible repeat of what we have with US data breach notification laws – 50+ different approaches, all just different enough to require their own processes. We’ll keep you updated on the latest regulations as they make their way through the legislative process, but it’s starting to look like 2021 might be a very busy year for data privacy regulation.
A lot happened in the privacy world last week! Let’s go over a couple of news items that affect libraries and library patrons alike.
LastPass Free Tier Woes
The popular password manager LastPass announced changes to their free tier accounts last week that could leave many libraries and library patrons scrambling for an alternative. Starting March 16th, LastPass will require free account users to choose where to use LastPass: mobile or computer. Free account users will also lose access to email support to troubleshoot any problems with the password manager. For many free tier account users, being forced to choose to have their primary password manager only installed on one platform severely limits the usefulness and protection of their chosen password manager.
If you have a LastPass free tier account and don’t want these restrictions, your options are limited:
If you have room in your budget and want to stay with LastPass, you can upgrade to a paid account. This option not only avoids migrating your passwords to another manager and instead unlocks additional features, such as encrypted file storage. While we’re used to having “free” accounts, it might be time to make peace with the fact that it’s time to start paying for password managers.
You can migrate to another password manager. There are several choices in the marketplace; however, not many have free tier accounts, which means you might end up paying for a password manager anyway. Bitwarden, an open-source password manager, does have a free tier account that allows for syncing between multiple devices if you need a free account. KeePassXP is another free option for the more technically-inclined who can self-host their password manager.
Clubhouse Is Not Your Library’s New Social Media App
So… Clubhouse, that new shiny app that everyone’s talking about. You’re curious about it, aren’t you? You’re wondering if you can add it to the family of social media accounts for your library when you get an invite to join.
Some folks will say that other social media companies engage in some of the same practices. However, the overall poor quality and construction of the privacy policy combined with privacy practices that violate several privacy laws in the US and the EU, the best way to protect patron privacy while using Clubhouse at your library is to not use Clubhouse.
Virginia Getting a New Data Privacy Law?
Virginia libraries! You might have heard about a new data privacy bill that currently sits on the governor’s desk at the time of this writing (it might be signed by the time this post is published!). What is the library tl;dr of the Virginia Consumer Data Protection Act?
The bill provides similar data rights as California’s two new privacy regulations, CCPA and CPRA, including rights for consumers to request access and deletion of personal data, as well as the right to opt-out of businesses selling their data.
The bill’s scope is also similar to CCPA’s and CPRA’s scopes, targeting for-profit businesses doing business in the state who meet certain thresholds, such as controlling or processing data from 100,000 consumers. Non-profits and higher education institutions are exempt.
Once this bill is signed into law, library vendors who do business in the state and meet the scope thresholds will need to comply with the new law. Library vendors who already comply with CCPA have a head start, but libraries might find themselves with vendors who have to play catchup. It might be time to start reviewing contracts and vendor privacy policies as well as the Act to determine what data rights your patrons have and how they can exercise those rights with those vendors.
LDH in The News
LDH is proud to announce that our founder, Becky Yoose, will give the Keynote Address at the Evergreen International Online Conference on May 25th, 2021! This annual conference draws Evergreen users, developers, advocates, vendors, and others interested in the Evergreen ILS or open-source software community from around the library world and beyond. This year’s conference is online and registration is now open! If you want to join in on the presentation fun, the call for proposals is open until March. We look forward to seeing you at the conference!