Summer Homework – Requesting Your Data

Welcome to this week’s Tip of the Hat!

Have you ever wondered what data OverDrive collects while you’re reading the latest ebook? Or what Kanopy collects when you’re watching a documentary? As library workers, we have some sense as to what vendors are collecting, but we are also patrons – what exactly are vendors collecting about *us*?

GDPR and CCPA both give different sets of users (EU residents and CA consumers, respectively) the right to access the data collected by organizations and businesses; however, some organizations extended that right to all users, regardless of geographic residency. Below are some of the more well-known library vendors who are offering some form of data request process for their users (aka library patrons, including you!):

  • Cengage
  • Elsevier
  • Kanopy’s data request appears only to apply to CA consumers: “Under California Civil Code Section 1798.83, if you are a California resident and your business relationship with us is primarily for personal, family or household purposes, you may request certain data regarding our disclosure, if any, of personal information to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to privacy@kanopy.com with “Request for California Privacy Information” in the subject line. You may make such a request up to once per calendar year. If applicable, we will provide to you via email a list of the categories of personal information disclosed to third parties for their direct marketing purposes during the immediately-preceding calendar year, along with the third parties’ names and addresses. Please note that not all personal information sharing is covered by Section 1798.83’s requirements.”
  • LexisNexis
  • OverDrive
  • ProQuest
    • ExLibris, owned by ProQuest, appears to have a different data request process: “You may request to review, correct or delete the personal information that you have previously provided to us through the Ex Libris Sites. For requests to access, correct or delete your personal information, please send your request along with any details you may have regarding the method by which the information was submitted to privacy@exlibrisgroup.com. Requests to access, change, or delete your information will be addressed within a reasonable timeframe.”

What is surprising is that there are not more library vendors that offer this option, or not extending the option to all users. This might change over time, depending on how the newest data privacy ballot initiative in California goes in November, or if additional regulations are passed in other states or even in the federal government. If more companies provide this right to access for all users, then it’s more likely that this practice will become a standard practice industry-wide. LDH will provide the latest updates around data access options from library vendors when they come along!

“It’s complicated”: GDPR Compliance and US Libraries

Hello and welcome to the inaugural issue of Tip of The Hat! Today’s topic is the complicated relationship between GDPR compliance and US Libraries.

We mean it when we say it’s complicated.

Many academic and public libraries scrambled in 2018 to determine if they would need to comply with the European Union’s launch of the General Data Protection Regulation (GDPR). Some libraries, particularly academic and special libraries, are following the lead of their parent organization in deciding if they need to comply. In the case of academic libraries, some higher education institutions have satellite campuses in the European Union, making compliance almost a certainty. Public libraries find themselves wondering if they need to comply even though they do not have a physical presence in the EU. Instead, public libraries might have EU citizens with library cards (if they are visiting workers or students, for example) or otherwise have EU citizens using library resources that collect user information.

In her article for the The Privacy Advisor, Katya Kulesova, CIPP/US, lays out five questions for US organizations wondering if they fall under the scope of GDPR:

  1. Do you personalize your goods or services for EU customers?
  2. Do you target EU users with advertising campaigns?
  3. Is there an establishment in the EU that is processing personal data on your entity’s behalf?
  4. Do you monitor European users?
  5. Do you have a large customer base in the EU?

Katya explores each question, noting key gray areas that can pop up in each question. For example, does using web analytic software, such as Google Analytics, on the library website count as monitoring EU users? If you are using that data to create user profiles that would then be used to influence user behavior, you might fall under the scope of GDPR.

The best way to determine if your library needs to comply with GDPR is to talk with your legal staff . Nonetheless, GDPR case law is few and in between, and it could take a couple of years to build a solid foundation of case law surrounding GDPR enforcement. In the meantime, these questions can help you and your legal staff start the conversation about GDPR compliance.

Even if your legal staff advises that your library does not fall under the scope of GDPR, you may still want to implement some of the privacy requirements laid out in the regulation. Many state laws, including the California Consumer Privacy Act, share many similarities with GDPR. With talk of a federal privacy law in recent months, it’s only a matter of time until US libraries will need to look into revising data privacy policies and procedures to comply to state and/or federal law. Take advantage of the advanced notice GDPR is giving you and start work now on your procedures and policies – you’ll be in good standing when your library is covered under an upcoming state or federal privacy law!

A few more resources surrounding GDPR and US libraries: