A Flurry of Privacy Bills, FLoC Flies Away, and a Smart Assistant’s Long Memory

Congratulations on making it through the first month of 2022! As we prepare to enter the second month of the year, let’s take a few moments to catch up on a few news items in the privacy world.

A Flurry of State Data Privacy Bills

State legislators wasted no time introducing the latest round of data privacy bills at the start of the legislative year. Some states are reviving previously introduced bills with the hopes of pushing them through in the new session, while other states are finally joining the bandwagon and introducing comprehensive data privacy laws for the first time since the rush for state data privacy laws began several years ago.

Out of all the states introducing bills this legislative session, all eyes are on LDH’s home state, Washington State. The Washington Privacy Act, which failed to pass multiple times in previous legislative years, is back. However, there are currently two other competing comprehensive data privacy bills. The first bill, the People’s Privacy Act, deviates from WPA in several key places, including stricter requirements around data collection and processing (e.g., requiring covered entities to obtain opt-in consent for processing personal data), biometric data handling, and a private right of action. The second bill, the Washington Foundational Data Privacy Act, is a new bill that brings the idea of creating a new governmental commission, something that the two other bills lack. Each bill has its strengths and weaknesses concerning data privacy. Nevertheless, if Washington manages to pass one of these bills – or a completely different bill that is still yet to be introduced – the passed data privacy bill will influence other states’ efforts in passing their privacy bills.

FLoC Flew Away

Rejoice, for FLoC is no more! We previously covered Google’s attempt to replace cookies and the many privacy issues with this attempt. The pushback from the public and organizations has finally led Google to rethink its approach. It also didn’t help that major web browsers, which were supposed to play a critical role in FLoC, refused to play along.

Nevertheless, Google didn’t completely abandon the effort to replace cookies. Google announced a new proposal, Topics, as an attempt to create a less privacy-invasive alternative to cookies. It’s still early to tell if this FLoC alternative is truly any better than FLoC, but initial reports seem to suggest that the Topics API is an improvement. However, we did notice that some of these reports mention that users would be primarily responsible for understanding and choosing the level of tracking in browser settings. Ultimately, we are still dealing with businesses pushing the tracking of user activity by default.

Smart Assistants Have Long Memories

Have you requested a copy of your personal data yet? Even if you are not a resident of the EU or California, you can still request a copy of your personal data from many major businesses and organizations. This includes library vendors! Requesting a copy of your data from a company can highlight how easy it is for a company to track your use of its services. A good library-related example is OverDrive’s tracking of patron borrowing history, even though users might assume that their borrowing history isn’t being recorded after flipping a toggle to “hide” their history in user settings.

The latest example of extensive user tracking comes from a Twitter thread of a person going through the data Amazon has collected about her throughout the years, including all the times she interacted with Amazon Alexa. We’re not surprised about the level of data collection from Amazon – the tracking of page flips, notes, and other Kindle activity by Amazon has been a point of contention around library privacy for years. Instead, this is a reminder for libraries that are currently using or planning to use smart speakers and smart assistants to provide patron services that Amazon (and other companies) will collect and store patron data generated by their use of these services by default. This is also a good reminder that the smart speaker in your work or home office is listening in on your conversations, including conversations around patron data that is supposed to remain private and confidential.

If you have a smart speaker (or other smart-enabled devices with a microphone) at your library or in your home office, you might want to reconsider. The companies behind these products are not bound to the same level of privacy and confidentiality as libraries in protecting patron data. Request a copy of data collected by the company behind that smart speaker sitting in the library. How much of that data could be tied back to data about patrons? How much do your patrons know about the collection, use, and sharing of data by the company behind the smart speaker at the library? What can your library do to better protect patron privacy around the smart speaker? Chances are, you might end up relocating that smart speaker from the top of the desk to the bottom of a desk drawer.

A Quick Data Privacy Check-in for The New Year

A small orange and white kitten sits on an Apple floppy drive, while a picture of a gray cat is displayed on an Apple monitor.
Image source: https://www.flickr.com/photos/50946938@N03/5957820087/ (CC BY 2.0)

Welcome to 2021! We hope that everyone had a restful holiday break. There might be some changes to your work environment for the new year that could affect the privacy and security of your patrons’ data. Let’s start this year off with a quick (and gentle) check-in.

Smart devices

Smartwatches, smart speakers, smart TVs – what new internet-enabled smart device has taken residence in your home, office, or even on your person? You might not know that these devices eavesdrop on your conversations and, in some instances, eavesdrop on what you type. If you are working with a patron or having a conversation with a colleague that includes patron information, what smart devices are in listening range that weren’t before the new year?

Depending on the device, you might be able to prevent eavesdropping; however, other devices might not have this option. Disconnecting the internet from the device is also an option, but this might be more of a hassle than a help. The one sure way to stop a device from eavesdropping is to remove it from listening range, or, better yet, disconnect the device from its power source.

Computers and mobile devices

A new year could mean a new computer or mobile device. If this is you, and if you are using a personal computer or mobile device for working with patrons or patron data, don’t forget to do the following while setting up your new device:

  • Install antivirus software (depending on your organization, you might have access to free or discounted software)
  • Install the VPN client provided by your organization
  • Install privacy-preserving tools and browser extensions
  • Enable auto-updates for the operating system and any applications installed on the device
  • Review the privacy and security settings for your operating system:
    • Mac and iOS devices – Apple recently published a document listing security and privacy settings on all Apple devices. The tl;dr summary by Lifehacker is a good resource if you’re not sure where to begin
    • Android – Computerworld’s guide to Android privacy is long but worthwhile if you want a list of actions to take based on the level of privacy you want on your device. Also, visit Google’s Data Privacy Settings and Controls page to change your Google account privacy settings (because now is as good a time as any to review Google settings).

Evergreen recommendations

Even if you didn’t get a new smart device or computer for the holidays, here are a few actions you can do with any device to start the new year right by protecting your and your patrons’ privacy:

Take a few moments this week to review privacy settings and risks – a moment of prevention can prevent a privacy breach down the road.