What is Information Privacy?
Information privacy is a broad and evolving concept. It is often understood as the ability of individuals or groups to control what personal information they share with others. Privacy concerns arise whenever personally identifiable or sensitive information is collected, stored, or used.
Beyond data collection, privacy issues also emerge when surveillance discourages individuals from freely exploring, reading, searching, or learning due to the fear of being monitored. The American Library Association upholds the right to privacy in libraries, both physical and digital, defining it as “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others.”
Terms like data privacy and data protection refer to the handling of personal information stored in digital systems or collected, often without a user’s knowledge, through various technologies. Even seemingly harmless information like library book checkouts can, when combined with other datasets, reveal personal behaviors, locations, or identities.
Data privacy also represents the complex relationship between the collection of personal data, the evolving technologies that process or expose this information, public attitudes toward privacy, and the legal and policy frameworks that govern data use.
Primary Privacy Concerns for Libraries:
Collecting and Storing Patron Data
One of the biggest privacy challenges in the digital era is how personal data is gathered and stored (Newman 2017). When patrons register for library cards, use digital collections, or attend virtual programs, they often provide details like their name, address, email, and phone number. Many online platforms also track reading habits, search histories, and borrowing patterns. Libraries must critically evaluate how this data is handled: who can access it, how long it’s kept, and what security measures are in place to prevent breaches. Without strong safeguards, this information could be misused, putting patrons at risk of identity theft, profiling, or government surveillance.
Privacy Risks with Vendors
Libraries frequently partner with third-party vendors to provide digital resources such as eBooks, streaming services, and research databases. While these tools expand access to information, they also introduce privacy concerns. Many vendors collect and store user data outside the library’s direct oversight. It’s essential for libraries to carefully review vendor privacy policies, verify that data is encrypted, and ensure that patron information isn’t being sold or shared without consent. In some cases, libraries should negotiate contracts that explicitly include privacy protections.
Surveillance and Data Sharing
With the rise of digital services, patrons are increasingly exposed to various forms of surveillance, from targeted advertising to government monitoring. Libraries have long been champions of privacy, yet digital platforms can unintentionally make user data more accessible to outside entities. For example, lending platform data or library account information could be shared with law enforcement without the user’s knowledge. To combat this, libraries must minimize data collection, encrypt sensitive information, and resist external data requests unless legally required. Transparency is also crucial! Patrons should be aware of their rights and the steps their library takes to protect them.
User Tracking and Behavior Monitoring
Many digital services track user activity to personalize recommendations and improve functionality. While this can enhance the library experience, it also raises ethical concerns. Tracking can reveal sensitive details about a patron’s reading preferences, research interests, or even political views. Libraries must balance personalization with privacy and consider offering opt-out options for tracking. In cases where data is collected, anonymization and strict internal use policies should be prioritized to prevent misuse (Corrado 2020).
The Threat of Data Breaches
Even with the best security in place, no system is completely immune to cyberattacks. A data breach could expose sensitive patron information, damaging trust in the library and putting users at risk. To prevent this, libraries should implement strong cybersecurity measures such as encryption, routine security audits, and staff training on data protection. Additionally, a clear response plan should be in place. When a breach occurs, affected patrons should be promptly informed and offered support.
How Government Surveillance Can Impact Libraries:
Legislation such as the USA PATRIOT Act has granted law enforcement agencies broad powers to access patron records without their knowledge. Libraries have received National Security Letters, compelling them to provide user data while being legally prohibited from informing the public.
In 2005, a group of Connecticut librarians known as the "Connecticut Four" challenged a National Security Letter that demanded patron records. Bound by a gag order, they could not speak publicly about the request. After a lengthy legal battle, the case was dropped, but this highlighted the need for stronger legal protections for library confidentiality.
Context: https://americanlibrariesmagazine.org/2021/09/01/defenders-of-patron-privacy
How Data Collection and Library Vendors Can Impact Libraries:
Most libraries now rely on third-party vendors for digital books, databases, and search tools. These companies often collect and store patron data, which may be used for advertising, sold to third parties, or accessed by government agencies. Without strong privacy policies, libraries risk exposing users to tracking mechanisms beyond their control.
Several digital library platforms, such as OverDrive and Amazon Kindle, have faced criticism for inadequate data protection. These platforms track reading habits, store purchase history, and may share information with law enforcement upon request. Such practices undermine user anonymity and erode trust in library services.
Context: https://www.theregister.com/2024/05/18/mystery_of_the_targeted_mobile_ads
Adobe has faced criticism on multiple occasions for harvesting and storing more user data than it claimed to via Adobe Digital Editions. This program is used by many libraries to manage the DRM services that are required by publishers for some eBooks.
Authentication Concerns:
Managing data privacy in libraries can be particularly difficult due to the variety of authentication methods used. Different authentication approaches may expose varying degrees of personal information, depending on the vendors and their framework. Library vendors catering to academic institutions frequently support IP-based authentication, whereas those targeting corporate clients tend to prefer username-password authentication (Corrado 2020). This diversity forces libraries to adopt multiple authentication methods rather than a single standard approach. IP-based authentication involves sharing personal IP addresses, while username-password authentication may expose a unique email address. Single sign-on (SSO) methods might share additional personal details like name, email, and employment status. Certain SSO configurations permit libraries to regulate the level of personal data shared with different vendors. While this selective sharing can be advantageous, it also complicates the overall data-sharing framework.
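The selective sharing described above can be expressed as a per-vendor attribute release policy. The following is an added example, not code from any library system or vendor mentioned on this page; the vendor names, attribute names, secret, and patron record are constructed assumptions. It also gives each vendor a different pseudonymous identifier for the same patron, so two vendors cannot match their records against each other.

```python
import hashlib
import hmac

# Constructed demo secret (assumption); a real deployment keeps this in a secret store.
PAIRWISE_SECRET = b"constructed-demo-secret"

# Hypothetical per-vendor release policy: each vendor gets only what it needs.
RELEASE_POLICY = {
    "ebook-vendor.example": {"pairwise_id", "affiliation"},
    "database-vendor.example": {"affiliation"},
    "helpdesk-vendor.example": {"pairwise_id", "email", "name"},
}

# Constructed sample patron record (assumption).
PATRON = {
    "patron_id": "p-000123",
    "name": "Sample Patron",
    "email": "patron@library.example",
    "affiliation": "student",
}


def pairwise_id(patron_id: str, vendor: str) -> str:
    """Stable pseudonym that differs per vendor for the same patron."""
    msg = f"{vendor}\n{patron_id}".encode()
    return hmac.new(PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def release_attributes(patron: dict, vendor: str) -> dict:
    """Return only the attributes the policy allows for this vendor.

    Vendors without a policy entry receive nothing (default deny).
    """
    allowed = RELEASE_POLICY.get(vendor, set())
    released = {}
    for attr in sorted(allowed):
        if attr == "pairwise_id":
            released[attr] = pairwise_id(patron["patron_id"], vendor)
        elif attr in patron:
            released[attr] = patron[attr]
    return released


if __name__ == "__main__":
    for vendor in list(RELEASE_POLICY) + ["unlisted-vendor.example"]:
        print(vendor, release_attributes(PATRON, vendor))
```

Reviewing the policy table alongside each vendor contract shows at a glance which vendors receive directly identifying attributes such as name or email.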
Website Tracking:
Universities are increasingly employing website tracking tools to monitor student activity, a practice commonly framed as "learning analytics". Most digital actions are recorded and analyzed to predict academic struggles and potential dropout risks.
Proponents argue that tracking website interactions can personalize learning experiences and help reduce dropout rates by identifying early indicators of academic difficulties. Critics, however, caution against the privacy risks, including potential security breaches and misuse of student data. There is a growing consensus that institutions need to be more transparent about the types of data collected and the conclusions drawn from this information (Maceli 2019).
When library users question why tracking codes, such as those from Google, are embedded in university web pages, librarians often have limited authority over these decisions. Website management and analytics tools are typically controlled by university IT departments. To advocate for better privacy practices, librarians need to cultivate relationships with IT staff and stay informed about website tracking technologies.