Welcome To The Club, Virginia: The Consumer Data Protection Act

A white roadside billboard with the text "Virginia Welcomes You". An illustration of a cardinal sitting on a tree branch with two white flowers at the branches' ends separates the words Virginia and the rest of the billboard message.
Image source: https://www.flickr.com/photos/cgpgrey/4891418085/ (CC-BY 2.0), http://www.cgpgrey.com/

Virginia joined California last week in the data privacy regulation club as the state governor signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2nd, 2021. This law shares some similarities with the CCPA and the upcoming CPRA, but there are just enough differences to cause confusion for library vendors who fall under the scope of the new law.

What Virginia Libraries Need to Know About CDPA Right Now

Virginia libraries paying attention to what happened in California might have a head start with what to expect in the coming years when the law comes into effect in 2023. If you were hoping that Virginia lawmakers would keep close to CCPA in an attempt to create consistent expectations and requirements for consumer data privacy, you might be out of luck. Nonetheless, there are some similarities: some good, others not so much.

First thing’s first – as was the case in California and CCPA, the vast majority of Virginia libraries do not fall under the scope of CDPA. The law pertains to entities conducting business in the state that meet a threshold of either controlling/processing personal data of at least 100,000 Virginia consumers in a calendar year OR controlling/processing personal data of at least 25,000 Virginia consumers and deriving at least 50% of their revenue from selling personal data. Combined with the exceptions made for government entities, non-profits, and higher education institutions, many libraries most likely are exempt from the CDPA, as well as non-profit library vendors.

CDPA stays close to the GDPR model of data controller (an entity determining the purpose of as well as the ways of processing personal data) and data processor (an entity that processes data on behalf of the controller). This eliminates the confusion that CCPA created by going with a different model (and CPRA added more to the confusion with the introduction of a new contractor role in that model!). Library vendors covered by CDPA could be both controller and processor, in that the vendor collects and processes data on its own behalf but also collects and processes data on behalf of the libraries and library patrons. Data controllers must include data collection and processing information in a publicly posted privacy notice, including what type of data is collected and shared with third parties.

Beyond scope and updates to vendor privacy notices, what do Virginia libraries need to know about CDPA?

Data rights – The new law grants consumers the rights to access, correct, and delete their personal data held by a data controller, as well as the right to request a copy of their personal data from the controller. Unlike CCPA, CDPA seems to not include household data in these rights; therefore, there might be a lesser chance of patrons requesting data that might include other patron data from their household.

Opt-out vs opt-in rights – Virginia consumers have the right to opt-out of the sale of their personal data, processing their personal data for targeted marketing, and using their personal data for profiling. This goes beyond the initial sale opt-out of CCPA. Even with the addition of “sharing” to the opt-out in CPRA, there might be confusion with vendors trying to accommodate different types of opt-out between CA and VA consumers.

Here’s where more confusion might set in – CDPA requires consumers to opt in before their sensitive data is processed. Sensitive data in CDPA includes race/ethnicity, sexual orientation, religious affiliation, mental and physical health, immigration status, biometric data, and precise geolocation data. On top of all this, sensitive data also includes any data collected from children under 13 years of age. CCPA requires affirmative opt-in for collecting personal data from 13- to 16-year-olds, so the two laws approach collecting and processing minors’ data in very different ways.

Barring clarifications and amendments to either state’s regulations, expect some confusion from patrons when vendors attempt to comply with CDPA and the California data privacy laws.

A Heads Up to Libraries Outside of Virginia and California

While it took a while for another state outside of California to pass a data privacy law, the reality is that Virginia might be the first of a rapid succession of states to pass their own data privacy laws. At the time of this post, there are at least 13 states with active data privacy bills. Many of these bills share some similarities with CCPA/CPRA, but some have more in common with GDPR. The US currently has no federal data privacy law, and as time progresses, it might be that any successful federal data privacy regulation will not preempt stricter state laws. What we are looking at is a possible repeat of what we have with US data breach notification laws – 50+ different approaches, all just different enough to require their own processes. We’ll keep you updated on the latest regulations as they make their way through the legislative process, but it’s starting to look like 2021 might be a very busy year for data privacy regulation.

Related CDPA Resources and Commentary

LastPass and Clubhouse and Virginia, Oh My!

A grey tabby cat curled up and sleeping between newspaper sheets.
It’s hard to get started on a Monday morning… image source: https://www.flickr.com/photos/cyawan/2325855567/ (CC BY 2.0)

A lot happened in the privacy world last week! Let’s go over a couple of news items that affect libraries and library patrons alike.

LastPass Free Tier Woes

The popular password manager LastPass announced changes to their free tier accounts last week that could leave many libraries and library patrons scrambling for an alternative. Starting March 16th, LastPass will require free account users to choose where to use LastPass: mobile or computer. Free account users will also lose access to email support to troubleshoot any problems with the password manager. For many free tier account users, being forced to choose to have their primary password manager only installed on one platform severely limits the usefulness and protection of their chosen password manager.

If you have a LastPass free tier account and don’t want these restrictions, your options are limited:

  • If you have room in your budget and want to stay with LastPass, you can upgrade to a paid account. This option not only avoids migrating your passwords to another manager but also unlocks additional features, such as encrypted file storage. While we’re used to having “free” accounts, it might be time to make peace with the fact that it’s time to start paying for password managers.
  • You can migrate to another password manager. There are several choices in the marketplace; however, not many have free tier accounts, which means you might end up paying for a password manager anyway. Bitwarden, an open-source password manager, does have a free tier account that allows for syncing between multiple devices if you need a free account. KeePassXC is another free option for the more technically-inclined who can self-host their password manager.

You can read more about the basics of password managers in our Obligatory Password Manager post from April 2020.

Clubhouse Is Not Your Library’s New Social Media App

So… Clubhouse, that new shiny app that everyone’s talking about. You’re curious about it, aren’t you? You’re wondering if you can add it to the family of social media accounts for your library when you get an invite to join.

Let us stop you right there.

In addition to being exclusive to iOS, being inaccessible, and being a free-for-all for harassment, Clubhouse’s privacy practices are almost non-existent. Literally – the privacy policy did disappear for a while! Nonetheless, the privacy policy is up, and it’s one of the more invasive privacy policies that should make you pause before using the product for any library program, service, or process. We’ve rounded up several articles that describe these invasive data privacy practices in detail:

Some folks will say that other social media companies engage in some of the same practices. However, given the overall poor quality and construction of the privacy policy, combined with privacy practices that violate several privacy laws in the US and the EU, the best way to protect patron privacy while using Clubhouse at your library is to not use Clubhouse.

Virginia Getting a New Data Privacy Law?

Virginia libraries! You might have heard about a new data privacy bill that currently sits on the governor’s desk at the time of this writing (it might be signed by the time this post is published!). What is the library tl;dr of the Virginia Consumer Data Protection Act?

  • The bill provides similar data rights as California’s two new privacy regulations, CCPA and CPRA, including rights for consumers to request access and deletion of personal data, as well as the right to opt-out of businesses selling their data.
  • The bill’s scope is also similar to CCPA’s and CPRA’s scopes, targeting for-profit businesses doing business in the state who meet certain thresholds, such as controlling or processing data from 100,000 consumers. Non-profits and higher education institutions are exempt.

Once this bill is signed into law, library vendors who do business in the state and meet the scope thresholds will need to comply with the new law. Library vendors who already comply with CCPA have a head start, but libraries might find themselves with vendors who have to play catchup. It might be time to start reviewing contracts and vendor privacy policies as well as the Act to determine what data rights your patrons have and how they can exercise those rights with those vendors.

LDH in The News

LDH is proud to announce that our founder, Becky Yoose, will give the Keynote Address at the Evergreen International Online Conference on May 25th, 2021! This annual conference draws Evergreen users, developers, advocates, vendors, and others interested in the Evergreen ILS or open-source software community from around the library world and beyond. This year’s conference is online and registration is now open! If you want to join in on the presentation fun, the call for proposals is open until March. We look forward to seeing you at the conference!

Just Published – Data Privacy Best Practices Toolkit for Libraries

Welcome to this week’s Tip of the Hat!

Today we’re happy to announce the publication of the Data Privacy Best Practices Toolkit for Libraries. This toolkit is part of the Data Privacy Best Practices Training for Libraries project, an LSTA-funded collaborative project between the Pacific Library Partnership and LDH focusing on teaching libraries the basics of data privacy. This introduction into data privacy in libraries serves as a guide for both administration and front-line workers, providing practical advice and knowledge in protecting patron data privacy.

The cover page for Data Privacy Best Practices Toolkit for Libraries: A Guide for Managing and Protecting Patron Data.

What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy. At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.

This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.

Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!

News and Resource Roundup – Michigan Privacy Law Update, Privacy Literacy Toolkit, and Testing Your Infosec+Digital Literacy Knowledge

Welcome to this week’s Tip of the Hat! This week we bring you an important state legislative update, a resource guide, and three quizzes to start your week.

Michigan library patron data law amendment update

Last December LDH reported on SB 0611, an amendment that would considerably weaken Michigan’s library data privacy laws. The bill allows for libraries to release patron data to law enforcement without a court order:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

After almost a year of inactivity, the bill is now progressing through the state legislature. If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

Privacy literacy clearinghouse

If you are searching for resources or examples of privacy literacy instruction after reading our last post, you’re in luck! Digital Shred is a collection of teaching resources and case studies for anyone wanting to incorporate privacy literacy into their instruction work, from information literacy sessions to dedicated privacy workshops. Created and curated by Sarah Hartman-Caverly and Alexandria Chisholm, the authors of the article featured in the last TotH post, Digital Shred also provides another way to keep current on ongoing privacy and surveillance news and issues. Explore the site, and don’t forget to check out the teaching resources and materials for the privacy workshop series created by the authors!

Quiz time

The school year is in full swing, and students are now facing their first round of quizzes and tests. We want to share the pain (er, joy) of test-taking by highlighting three quizzes to test your information security – as well as literacy! – knowledge and skills:

  • Spot the Phish – This quiz tests how well you can spot a phishing email in the Gmail email service. While the focus is only on one email platform, the lessons here can apply to any email service!
  • Spot the Deepfake – Deepfakes are images or videos that have been altered to create a realistic image or recording of someone’s likeness doing or saying things that, in reality, did not happen. AI, machine learning, and other developments in technology have made it so that some deepfakes are almost indistinguishable from unaltered media. This quiz will test your observational skills along with your critical thinking by asking you which videos are deepfakes and which ones are the real thing.
  • Spot the Troll – our last quiz focuses on identifying which social media accounts are real, and which ones are fake. It’s not as easy as you’d think…

Summer Homework – Understanding Your State’s Library Privacy Law

Welcome to this week’s Tip of the Hat!

Have you always dreamed of spending countless hours reading legal regulations and reviews? If so, you might be suited for legal life! Reading laws is probably not high on your list of things to do; nonetheless, it’s always good to know how to navigate the text of a legal regulation when you are researching what laws could apply to you or to the third parties that you do business with. Even though we’re not lawyers, knowing how to read legal regulation text enables people to have more productive conversations with legal staff.

Here are three questions that can help you start understanding a law or statute:

  1. Who is covered by this law?
    • Does your state library privacy law cover only publicly-funded libraries, or does the scope include other types of libraries, no matter the funding source? Does it include third parties acting on behalf of the library?
  2. What types of information (and what uses of information) are covered?
    • What does the law mean when it says “patron data”? Are there any definitions or descriptions of specific data points covered by the law?
  3. What exactly is required or prohibited?
    • In particular, what exemptions are listed in the law?

You might not be able to answer all the questions depending on what law you choose to study. However, not being able to answer a question might be a topic of discussion with legal staff, particularly around the specifics of who is within the scope of the law. There’s also the question of preemption between different governmental levels of legal regulation (or even within the same level of government). Sometimes a lower government’s law is stricter than a higher government’s law, but if the higher government’s law states that their law preempts any laws from lower governments, then you are not bound to follow the lower government’s law in that specific matter.

Now it’s time to take what you learned and put it into practice. Find your state’s library privacy law and read the law while trying to answer the questions above. Let us know if these questions help you through the legal text! Don’t be afraid to let us know if this exercise brings up more questions than it answers – we’ll do our best in addressing them, or at least help you prepare in asking these questions to your legal staff.

[Legal questions source: Swire, Peter, and DeBrae Kennedy-Mayo. (2018). U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals, 2nd ed.]