Before You Share a Patron’s Story, Part 2

A square white neon conversational bubble against a black wall.
Photo by Jason Leung on Unsplash

Welcome back to our series about responsibly sharing patron stories! Last week we talked about the importance of consent for libraries publishing stories about individual patrons. This week we get into the mechanics of consent and some of the complications around seeking consent to share particular stories.

A couple of housekeeping points before we get started:

  • This week’s post is pretty long! We decided to keep the post as-is instead of breaking it up into two more posts because we felt it essential to present the mechanics and complications of consent together in the same post.
  • We primarily focus on libraries sharing patron stories around events and services for marketing and outreach purposes. Consent also plays a critical role in library assessment and research. Though this post will not cover specific issues around privacy and consent in assessment and research processes, we’ll touch on an overlap point between these two topics.

Asking for (Explicit) Consent

There are two types of consent. The first is implied consent. We encounter this through statements in public notices: “by using this service, you give us permission to use your posts, comments, and other content and likeness for…”. Many physical events still rely on implied consent through conspicuous signage depending on the intended use of the photographs and video and what is captured by the photograph or video (e.g., one patron vs. a group of patrons). Implied consent is passive, which means patrons have to seek out these notices and understand what they are consenting to by attending the program or using a service. Patrons might not even know that these notices exist, or they might not fully understand what might be shared by the library, leading to possible data and ethics breaches, among other consequences. Even when patrons share their own stories on library social media pages, some might not expect libraries to republish their stories in different mediums, such as an annual report or a fundraising campaign.

Instead, libraries should seek explicit consent, which requires affirmative action from the patron. When a library wishes to publicly share a story, quote, or other information about an individual patron’s library use, include at least the following in the ask to the patron:

  • Who you are
  • What information you wish to share and why
  • Where and with whom you want to share the information
  • How to contact you if the patron has any questions or concerns about sharing or privacy

The consent request should be informative and easy to understand. For example, a library can ask for consent to share patron feedback gathered through a program survey or evaluation form by creating a question asking the patron if the library has permission to quote the patron’s feedback in a library report or other publication. The library should also ask if the patron would like to have their name published alongside the feedback in case the patron would rather have their comment published without their name attached to it. In another example, the following is a sample message to a patron asking to share a patron’s post on the library’s social media page:

“Hello! I’m the outreach coordinator for the library. Thank you for sharing your story about our new service. Would it be okay to share your post in our weekly library newsletter to our patrons to show how other patrons benefited from our new service? Would you also be okay with being named along with the post in the newsletter? You can respond back to this message to let us know if you would be okay with us sharing the post, and if you have other questions or concerns.”

However, if you wish to share the same story in the annual report, you will need to check back with the patron since the patron only gave explicit consent for publication in the newsletter. Reusing the story for the annual report without explicit consent can violate the patron’s expectations.

Gaining explicit consent can be more involved with events and programs, particularly when the event is being photographed and/or recorded for publication. Web-based programs and events might have consent features built into the application used to host the program, such as Zoom’s consent popup to users when a session is recorded. Physical events and programs can include consent forms before or at the event for presenters and attendees, particularly for individuals prominently featured in photographs or recordings of the event.

Consent Considerations Regarding Publishing Patron Stories

Some of you might notice one critical component missing in the earlier sample ask – the ability for the patron to withdraw their consent at any time. While libraries should honor the withdrawal of previously given consent when a patron requests that a library social media post mentioning them by name be taken down, the library must weigh potential consequences of making a patron’s use of the library public through sharing their story. The persistent nature of published information – physical or online – requires careful thinking and approach regarding sharing patron stories.

One consideration before asking for consent is the nature of the service or topic featured in the story or quote. Publicly associating an individual patron with a late evening study event at a college library does not carry the same potential harms and consequences as associating a particular patron who receives tutoring through a program at the same library. The latter could result in embarrassment and negatively impact relationships based on others’ perceived or actual judgment of the patron’s need for additional educational assistance while attending college. Some patrons in the latter group might be okay with the library sharing their comments about the tutoring program, and that’s okay! It is still the responsibility of the library to gain informed explicit consent before publication. The library should exercise caution with when and how they approach patrons in asking for their consent in publishing their stories depending on the sensitivity of the topic or service, particularly around any story that can reveal patron information about their identity or status, such as race/ethnicity, disability, or class status.

There are times when explicit consent cannot be freely given. Sometimes this is because there are legal constraints as to the age where one can give consent (in the case of minors). Other times the power dynamic between people might compel or pressure someone to consent to something they wouldn’t have otherwise. Patron groups such as students, minoritized populations, and incarcerated people might feel compelled to consent based on the power dynamic between the individual and the library. Unlike research and assessment, where the Institutional Review Board (IRB) or ethics committee would address issues around consent with vulnerable participants, there might not be a formal process in place for marketing or outreach to locate and handle potential situations where patron consent is coerced, be it intentional or not.

For example, the public library is the only place to offer ESL classes in a rural town. The library reserves the right to use individual patron photos and stories from those classes for library publications. For a patron who is an undocumented immigrant, the publication of their personal data and likeness can put themselves and others in harm’s way. Because the library is the only place where they have access to ESL classes, the patron might feel compelled to consent to the library publishing their identifying photo or story in order to access a much-needed service.

In the example, the patron is likely to experience privacy harms – perceived or actual – through the library, not fully realizing the power dynamics that come into play when consenting to publish individual patron stories. Recognizing when patrons may not freely give consent can mitigate privacy harms. This recognition can also prompt a conversation about the intended purpose of publishing individual patron stories and the actual impact publication might have on the patron. When posting a feel-good patron story, good intentions do not cancel out the negative impact of exploiting specific patron stories (e.g., inspiration porn or performative allyship) for the library’s reputational or financial gain.

The Role of Consent in Sharing Patron Stories

Consent is vital in protecting patron privacy. Consent is also not an automatic “get out of jail free” card for the library when privacy harms are realized after publishing a patron story. Libraries need to recognize the importance of consent – as well as its limitations – in determining which patron stories to share with others. Consent gives patrons control over the “what and how” regarding the library sharing their story, but only if the consent is informed, explicit, and freely given. Taking the time and care around determining how to ask for consent can limit some of the potential pitfalls and limitations discussed earlier, such as recognizing when consent might not protect patrons from privacy harms or when consent might be coerced.

Some patrons are more than happy for the library to share their stories with the world, while others expect the library not to betray their rights to confidentiality and privacy. Nevertheless, libraries should not automatically assume that a patron sharing their story with others gives the library implicit permission to share on behalf of the patron. A patron might be comfortable sharing their story with others they know but might not be as comfortable if the library shared it with strangers. Having a consent process creates a check to protect patron privacy and not take advantage of the relationship the patron has with the library. The process of gaining informed, explicit, and freely given consent should not only take into consideration how the library can responsibly share a patron’s story with minimal privacy risk to the patron but feed into a larger conversation around patron control over how the library uses their information in both daily operations and public communications.

Before You Share a Patron’s Story: Part 1

A view of a street with the words "share with care" written on the pavement in white.
Image source: https://www.flickr.com/photos/4nitsirk/27234818658/ (CC BY SA 2.0)

We sometimes encounter a heartwarming story that restores a little of our faith in humanity during our regularly scheduled doomscrolling. In the library world, we commonly come across stories of people remembering the excitement they felt with getting their first library card or a book they checked out at the library that changed their lives for the better. Libraries also tell many heartwarming stories of how library services impacted patrons’ lives, be it homework assistance, language classes, or technology workshops. Sharing personal stories of how the library impacted the lives of patrons can not only provide a much-needed respite from doomscrolling but also persuade the public by demonstrating the value libraries bring to their organization or community.

When Sharing is Not Caring, Depending on Who’s Doing The Sharing

Nevertheless, sharing individual patron stories about their library use is not without its risks. Take, for example, the now-deleted post from a university library telling a story about a student checking out books from the library for their mom during Covid lockdown. It’s a nice story, but one commenter asked if the library asked the student for their consent to publish their individual story. We soon learn afterward that the library fabricated the story. The library later explained that the fabricated story was an aggregation of personal stories from patrons.

Barring the issues around publishing a hypothetical story without clear disclosure that the story was not real, the problem of publishing individual patron stories is sometimes overlooked. Libraries must understand that a library sharing a personal patron story is different than a patron sharing the same story by their own volition in terms of privacy. These differences center around patron privacy expectations and consent.

Consent, or Why You Need to Ask Before Sharing

We know some patrons are eager to share their library stories with the world, and many of them do on their personal social media posts, talking with others, or even writing a friendly letter to the editor. What is the difference between a patron posting their story versus a library posting the same story? While the patron posting their own story is willingly sharing their story to the public, the library sharing the same story might violate the patron’s privacy rights. Library workers are obligated by professional standards, library policies, and legal regulations to not disclose patron use of library resources and services.

For example, if a patron finds that the latest post about a new service or resource in the library news blog mentions them by name and the patron didn’t give the library permission to publish their name attached to the resource or service, the library committed two types of breaches: a data breach (through the unauthorized disclosure of data about a patron’s use of the library) and an ethics breach (through a patron’s expectations that the library would not share their activities at the library). Other examples of possible data and ethics breaches through library news posts and updates include:

  • Publishing historical checkout cards with patron names on the card
  • Posting historical reference questions that contain personal data about patrons
  • Announcing unscheduled library visits of notable people on social media or otherwise publicly broadcasting an individual’s presence at the library
  • Publishing identifiable patron stories and quotes (collected from surveys, feedback forms, focus groups, or individual interviews) in reports and research articles

There is one instance where a library sharing a patron’s story might not result in either breach, and that is when the library obtains the explicit consent of the patron to share their story. We’ll use GDPR’s definition of consent for this post – consent must be “freely given, specific, informed and unambiguous.” Asking consent gives the patron control over disclosing their use of library services and resources. It also allows the patron to choose what type of information is disclosed and where it is disclosed. One patron might be okay with the library posting their name and a quote about their experience at a library program. In contrast, another patron might be fine with the library posting a quote but not having their name attached to the quote. Each patron has their own level of privacy preferences, and asking for consent informs the library what each patron is comfortable with in publishing their story. It is the responsibility of the library to respect the privacy preferences of each patron through the act of asking for consent.

The process of gaining consent to share patron stories might be as simple as sending a short message to the patron, but consent is much more than a “yes or no” question. Next week’s post will cover what explicit consent could look like depending on the ask. We’ll also discuss the considerations around the consent process around sharing patron stories, including one major consideration that tends to be missed in conversations about consent… you’ll have to check back next week to find out what that is, so stay tuned!

Don’t Forget About Privacy While Turning Back The Clock

Last weekend was when we finally got our one hour back (for those of us still observing Daylight Saving Time [DST] in the US). Instead of sleeping in, though, we are barraged with public service announcements and reminders to spend that hour taking care of things that otherwise get ignored. That fire alarm battery isn’t going to change itself! Like #DataSpringCleaning, the end of DST is a great opportunity to take care of privacy-related things that we’ve been putting off since spring.

What are some things you can do with the reclaimed hour from DST?

  • Choose and sign up for a password manager – If you’re still on the fence about choosing a password manager, check out our post about the basics of selecting a manager. Once you get past the inertia of selecting a password manager, switching to a password manager becomes a smoother process. Instead of switching all your accounts to the password manager at once, you can enter the account information into the manager when you sign into that specific account. Using the password manager’s password generator, you can also use that time to change the password to a stronger password. And while you’re logged in…
  • Set up multifactor authentication (MFA) – You should really turn on MFA if you haven’t already done so for your accounts. Use a security key (like a YubiKey) or an authenticator app for MFA if possible; nevertheless, the less secure versions of MFA – SMS and email – are better than no MFA. Read about MFA on the blog if you’re curious to learn more about MFA.
  • Review privacy and security settings for social media accounts – Social media sites are constantly adding and changing features. It’s good to get into the habit of checking your social media account settings to make sure that your privacy and security settings are where you want them to be. Another thing you might want to check is how much of your data is being shared with advertisers. Sites like Facebook and Twitter have account setting sections dedicated to how they use your data to generate targeted ads.

Your library also has a reclaimed hour from DST. What can you do at work with that reclaimed hour?

  • Review the privacy policy – It never hurts to review the privacy policy. Ideally, the privacy policy should be updated regularly, but sometimes even having a review schedule in place doesn’t necessarily guarantee that the review actually gets done. If the policy missed its regularly scheduled review, it might be worthwhile to push for the overdue review of the policy to ensure the policy’s alignment with current professional standards, codes, and legal regulations.
  • Check your department or team procedures against the privacy policy – Your department work procedures change regularly for various reasons, such as changes in technology or personnel. These changes might take these procedures out of alignment with the current privacy policy. Relatedly, an update to the privacy policy might need to be reflected in changes to the procedure. Review the two sets of documents – if they’re not in alignment, it’s time to set up a more formal document review with the rest of the department. Now is also an excellent time to set up a schedule for reviewing procedures against the privacy policy (as well as privacy-adjacent policies) on a regular basis if such a schedule doesn’t already exist.
  • Shred paper! – Take time to look around your workspace for all the pieces of paper that have sensitive or patron data. Do you need that piece of paper anymore? If not, off to the office shredder it goes. Grab a coffee or a treat on your way back from the shredder while you’re at it – you earned it ☕🍫

We won’t judge you if you ultimately decide to spend your reclaimed hour sleeping in (or changing that fire alarm battery). Nevertheless, making a habit of regularly checking in with your privacy practices can save you both time and trouble down the road.

LastPass and Clubhouse and Virginia, Oh My!

A grey tabby cat curled up and sleeping between newspaper sheets.
It’s hard to get started on a Monday morning… image source: https://www.flickr.com/photos/cyawan/2325855567/ (CC BY 2.0)

A lot happened in the privacy world last week! Let’s go over a couple of news items that affect libraries and library patrons alike.

LastPass Free Tier Woes

The popular password manager LastPass announced changes to their free tier accounts last week that could leave many libraries and library patrons scrambling for an alternative. Starting March 16th, LastPass will require free account users to choose where to use LastPass: mobile or computer. Free account users will also lose access to email support to troubleshoot any problems with the password manager. For many free tier account users, being forced to choose to have their primary password manager only installed on one platform severely limits the usefulness and protection of their chosen password manager.

If you have a LastPass free tier account and don’t want these restrictions, your options are limited:

  • If you have room in your budget and want to stay with LastPass, you can upgrade to a paid account. This option not only avoids migrating your passwords to another manager but also unlocks additional features, such as encrypted file storage. While we’re used to having “free” accounts, it might be time to make peace with the fact that it’s time to start paying for password managers.
  • You can migrate to another password manager. There are several choices in the marketplace; however, not many have free tier accounts, which means you might end up paying for a password manager anyway. Bitwarden, an open-source password manager, does have a free tier account that allows for syncing between multiple devices if you need a free account. KeePassXC is another free option for the more technically-inclined who can self-host their password manager.

You can read more about the basics of password managers in our Obligatory Password Manager post from April 2020.

Clubhouse Is Not Your Library’s New Social Media App

So… Clubhouse, that new shiny app that everyone’s talking about. You’re curious about it, aren’t you? You’re wondering if you can add it to the family of social media accounts for your library when you get an invite to join.

Let us stop you right there.

In addition to being exclusive to iOS, being inaccessible, and being a free-for-all for harassment, Clubhouse’s privacy practices are almost non-existent. Literally – the privacy policy did disappear for a while! Nonetheless, the privacy policy is up, and it’s one of the more invasive privacy policies that should make you pause before using the product for any library program, service, or process. We’ve rounded up several articles that describe these invasive data privacy practices in detail:

Some folks will say that other social media companies engage in some of the same practices. However, given the overall poor quality and construction of the privacy policy, combined with privacy practices that violate several privacy laws in the US and the EU, the best way to protect patron privacy while using Clubhouse at your library is to not use Clubhouse.

Virginia Getting a New Data Privacy Law?

Virginia libraries! You might have heard about a new data privacy bill that currently sits on the governor’s desk at the time of this writing (it might be signed by the time this post is published!). What is the library tl;dr of the Virginia Consumer Data Protection Act?

  • The bill provides similar data rights as California’s two new privacy regulations, CCPA and CPRA, including rights for consumers to request access and deletion of personal data, as well as the right to opt-out of businesses selling their data.
  • The bill’s scope is also similar to CCPA’s and CPRA’s scopes, targeting for-profit businesses doing business in the state who meet certain thresholds, such as controlling or processing data from 100,000 consumers. Non-profits and higher education institutions are exempt.

Once this bill is signed into law, library vendors who do business in the state and meet the scope thresholds will need to comply with the new law. Library vendors who already comply with CCPA have a head start, but libraries might find themselves with vendors who have to play catchup. It might be time to start reviewing contracts and vendor privacy policies as well as the Act to determine what data rights your patrons have and how they can exercise those rights with those vendors.

LDH in The News

LDH is proud to announce that our founder, Becky Yoose, will give the Keynote Address at the Evergreen International Online Conference on May 25th, 2021! This annual conference draws Evergreen users, developers, advocates, vendors, and others interested in the Evergreen ILS or open-source software community from around the library world and beyond. This year’s conference is online and registration is now open! If you want to join in on the presentation fun, the call for proposals is open until March. We look forward to seeing you at the conference!

News and Resource Roundup – Michigan Privacy Law Update, Privacy Literacy Toolkit, and Testing Your Infosec+Digital Literacy Knowledge

Welcome to this week’s Tip of the Hat! This week we bring you an important state legislative update, a resource guide, and three quizzes to start your week.

Michigan library patron data law amendment update

Last December LDH reported on SB 0611, an amendment that would considerably weaken Michigan’s library data privacy laws. The bill allows for libraries to release patron data to law enforcement without a court order:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

After almost a year of inactivity, the bill is now progressing through the state legislature. If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

Privacy literacy clearinghouse

If you are searching for resources or examples of privacy literacy instruction after reading our last post, you’re in luck! Digital Shred is a collection of teaching resources and case studies for anyone wanting to incorporate privacy literacy into their instruction work, from information literacy sessions to dedicated privacy workshops. Created and curated by Sarah Hartman-Caverly and Alexandria Chisholm, the authors of the article featured in the last TotH post, Digital Shred also provides another way to keep current on ongoing privacy and surveillance news and issues. Explore the site, and don’t forget to check out the teaching resources and materials for the privacy workshop series created by the authors!

Quiz time

The school year is in full swing, and students are now facing their first round of quizzes and tests. We want to share the pain joy of test-taking by highlighting three quizzes to test your information security – as well as literacy! – knowledge and skills:

  • Spot the Phish – This quiz tests how well you can spot a phishing email in the Gmail email service. While the focus is only on one email platform, the lessons here can apply to any email service!
  • Spot the Deepfake – Deepfakes are images or videos that have been altered to create a realistic image or recording of someone’s likeness doing or saying things that, in reality, did not happen. AI, machine learning, and other developments in technology have made it so that some deepfakes are almost indistinguishable from unaltered media. This quiz will test your observational skills along with your critical thinking by asking you which videos are deepfakes and which ones are the real thing.
  • Spot the Troll – Our last quiz focuses on identifying which social media accounts are real, and which ones are fake. It’s not as easy as you’d think…