Data Privacy Is Not Optional
- Libraries collect patron data through at least a dozen systems: ILS, WiFi, public computers, digital content platforms, website analytics, security cameras, and more.
- 48 states plus DC have library records confidentiality laws. Your state law may be stronger or weaker than ALA guidelines. Know the difference.
- OverDrive says it does not sell patron data. But in 2024, a San Francisco library patron reported seeing targeted ads that appeared to be based on borrowing history. The library's own website had 11 ad trackers.
- Pierce County Library suffered a data breach in 2026 exposing 340,000 patron records including names, SSNs, and financial account information.
- Run your library's website through The Markup's Blacklight tool right now. You will probably be surprised by what it finds.
Libraries have a privacy problem, and it isn't the one most people think about.
The obvious concern is law enforcement showing up with a warrant. That gets the headlines. But the everyday privacy problem is quieter. Your library is collecting patron data through a dozen different systems. Your vendors are collecting even more. And most library staff have no idea what's being captured, how long it's retained, or who has access to it.
This isn't a theoretical ethics discussion. 48 states plus DC have laws about library record confidentiality. The FTC finalized major COPPA amendments in 2025 affecting children's data. Twenty US states now have comprehensive consumer privacy laws. And in 2026, Pierce County Library in Washington had a data breach that exposed the personal information of 340,000 patrons and employees, including Social Security numbers and financial account data.
Privacy isn't a value statement you put on a poster. It's a set of practices you either follow or you don't. This article covers what you need to know and what you need to do.
Part 1: What Your Library Actually Collects
Before you can protect patron data, you need to know what you have. The answer is probably more than you'd expect.
The ILS
Your ILS holds the most sensitive patron data: name, address, phone, email, date of birth, and sometimes government-issued ID numbers collected at registration. It also stores checkout history, current holds, items on loan, overdue items, fines, and fees. Most ILS platforms retain full circulation history by default unless the library actively configures purging. OPAC search queries are often logged and sometimes tied to patron accounts.
WiFi and Public Computers
WiFi access points log MAC addresses, connection timestamps, and session duration. Depending on your content filter, browsing activity may also be captured. Computer reservation systems (EnvisionWare, CASSIE, SAM) log session times and patron IDs. Some can record URLs visited or applications used. Print management systems may log document names and sometimes content.
Digital Content Platforms
Every digital content vendor collects data on patron usage:
- Libby/OverDrive: Borrowing history, holds, wishlist, reading progress, device info, search queries
- Hoopla: Borrowing history, streaming activity, device info, IP addresses
- Kanopy: Viewing history, partial views, search queries, device data, IP addresses
This data lives on vendor servers, not yours. Your library's confidentiality policy may not cover it. Your vendor's privacy policy does, and those are two very different documents.
Everything Else
- Security cameras: Footage typically retained 30 to 90 days
- Meeting room reservations: Name, contact info, organization, purpose
- Program registrations: Name, age, contact info, sometimes dietary restrictions
- Hotspot lending: Device serial numbers linked to patron accounts. Cellular carriers collect usage data including sites visited and location via cell tower pings.
- Website analytics: IP addresses, pages visited, search queries, referral sources, browser fingerprinting
- 3D printing/MakerSpace: Some libraries retain submitted files
Add it up. A single patron who uses WiFi, checks out books, borrows a hotspot, attends a program, and uses the library website is generating data in at least six different systems, each with its own retention policy and access controls.
Part 2: What the Law Actually Requires
48 states plus DC have some form of library records confidentiality law. Hawaii and Kentucky lack specific statutes but have Attorney General opinions addressing the issue. The protections vary wildly.
Strong Protection States
- California: Requires a court order (not just a subpoena) for disclosure, and the California Reader Privacy Act of 2011 extends protection to digital reading records
- New York: Library records confidential, disclosure only by consent or court order
- Illinois: Library Records Confidentiality Act, requires court order
- Colorado: Confidential, disclosure only by court order or written consent. Also specifically protects minors' records from parental access.
- Montana: State constitution includes an explicit right to privacy applied to library records
Weaker States
Some states protect only "circulation records" narrowly defined, potentially excluding WiFi logs, computer use, and digital service data. Several allow disclosure with a subpoena (issued by attorneys, no judge required) rather than a court order. Some exempt law enforcement requests entirely.
ALA Guidelines vs. Actual Law
ALA Library Privacy Guidelines recommend data minimization, purging PII after its purpose is fulfilled, requiring court orders for all disclosures, notifying patrons, and conducting regular privacy audits. These are professional best practices. They have no enforcement mechanism.
The gaps matter. ALA recommends court orders for all disclosures, but many states allow subpoenas. ALA recommends purging records, but few states require it. ALA recommends patron notification, but most states don't mandate it. And ALA recommends digital records get the same protection as physical records, but many state statutes predate digital services and don't explicitly cover them.
Know your state law. The ALA maintains a state-by-state guide. Read the actual statute for your state, not just the summary.
Part 3: What Your Vendors Are Doing With Patron Data
When a patron uses Libby, Hoopla, or Kanopy, their usage data lives on vendor servers governed by vendor privacy policies. Your library's confidentiality policy may not apply to data you don't control.
What Vendors Say
OverDrive's privacy policy (updated November 2025) states they don't sell PII or non-PII and that lending history is treated as confidential and not shared with third parties except authorized library staff. Cookies for advertising and remarketing aren't used in the Libby, Sora, or Kanopy apps.
What Actually Happened
In May 2024, a San Francisco Public Library patron reported seeing targeted ads that appeared to be based on library borrowing history. The library denied that personalized advertising was displayed in Libby or that data was collected by third parties.
An investigation by The Markup found that SFPL.org had 11 ad trackers, 19 third-party cookies, and included both a Facebook pixel and Google Analytics. The BiblioCommons-powered catalog subdomain had only a single Google Analytics tracker.
The ads may not have come from Libby. They may have come from the library's own website. The point is the same: patron browsing behavior was being tracked, and the library didn't fully understand how.
Common Vendor Privacy Policy Problems
- Allowing data sharing with undefined "third parties"
- No specified retention periods
- No guarantee of data deletion when the contract ends
- Reserved right to change policies without notice
- No explicit library ownership of patron data
The University of Illinois Licensing Privacy Project has developed a vendor contract rubric with model language to address these gaps. If your vendor contract doesn't explicitly address data ownership, retention, and deletion, assume the vendor keeps everything indefinitely.
Part 4: Your Website Is Tracking Patrons (And You May Not Know It)
Your library website almost certainly contains third-party tracking that staff aren't aware of.
What Is on Your Site Right Now
- Google Analytics: Every page load sends the patron's IP address, pages visited, time on page, referral source, device type, browser, and any site-search queries to Google's servers, where a geographic location is derived. Google states that current versions (GA4) do not store the IP address, but it is still transmitted and processed by Google.
- Social media buttons: Facebook Like buttons, Twitter/X share buttons, and Instagram embeds load tracking scripts that can follow patron visits and link them to social media profiles, even without any patron interaction.
- Embedded video: YouTube embeds set Google tracking cookies. YouTube's "privacy-enhanced mode" reduces but doesn't eliminate tracking.
- External fonts and scripts: Google Fonts, JavaScript CDNs, and CSS frameworks loaded from external servers receive the patron's IP address and a Referer header (the page URL, or at least your site's origin) on every uncached page load.
- Third-party widgets: Chat widgets, event calendars (LibCal, Eventbrite), and Springshare products all collect usage data under their own privacy policies.
How to Find Out
The Markup built a free tool called Blacklight that scans any website URL and reports all tracking technologies found. Since 2020, over 18 million scans have been run. At least 87% of the world's most popular web domains engage in some form of digital tracking. In October 2024, The Markup released Blacklight Query, an open-source command-line tool for batch scanning.
Run your library's website through Blacklight right now. Visit themarkup.org/blacklight and enter your URL. The results will show you ad trackers, third-party cookies, session recording services, canvas fingerprinting, and Facebook and Google tracking.
Privacy-Respecting Alternatives
- Analytics: Matomo (self-hosted, no data sent to third parties), Plausible, or Fathom instead of Google Analytics
- Fonts: Self-host Google Fonts instead of loading them from Google's CDN
- Video: Use YouTube's privacy-enhanced mode (youtube-nocookie.com) or self-host videos
- Social media: Use simple share links instead of embedded tracking buttons
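A static, first-party version of the check the three lists above describe, as an added example that is neither Blacklight nor The Markup's code: it parses a page's HTML with the standard library and lists every third-party host a browser would contact on load, labelling the ones on a short constructed list. The two sample pages, the domain `www.example-library.org`, and the label list are all constructed. Run it on the same page before and after swapping in the alternatives and the diff shows which changes actually remove a third-party request (self-hosted fonts, dropping the analytics tag, removing the pixel) and which only reduce one (youtube-nocookie.com is still a request to Google). It cannot see scripts injected at runtime, cookies set from JavaScript, or fingerprinting; that is what Blacklight is for.

```python
"""List the third-party hosts a library web page loads resources from.

Added example (not Blacklight and not The Markup's code). Pure standard
library: parses the HTML and reports every external host a browser would
contact on page load, with a label for hosts on a short constructed list.
Runtime-injected scripts, JavaScript-set cookies and fingerprinting are
invisible to a static parse; use Blacklight for those.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, deliberately short classification list; extend it for your site.
KNOWN_THIRD_PARTIES = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "connect.facebook.net": "Facebook pixel script",
    "www.facebook.com": "Facebook pixel / embed",
    "platform.twitter.com": "Twitter/X widget",
    "www.instagram.com": "Instagram embed",
    "fonts.googleapis.com": "Google Fonts (CSS)",
    "fonts.gstatic.com": "Google Fonts (font files)",
    "www.youtube.com": "YouTube embed (sets Google cookies)",
    "www.youtube-nocookie.com": "YouTube privacy-enhanced embed (still a Google request)",
}

# Tag/attribute pairs that make the browser fetch from the named host on load.
LOADING_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}
LOADING_LINK_RELS = {"stylesheet", "preconnect", "dns-prefetch", "preload"}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every resource the page loads automatically."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        a = {k: (v or "") for k, v in attrs}
        # <link rel="canonical"> and similar do not trigger a fetch.
        if tag == "link" and not LOADING_LINK_RELS & set(a.get("rel", "").lower().split()):
            return
        if a.get(attr):
            self.urls.append((tag, a[attr]))


def base_domain(host):
    """Treat www.example.org and cdn.example.org as the same site.

    Heuristic only (no public-suffix list): strips a leading 'www.'.
    """
    return host[4:] if host.startswith("www.") else host


def audit(html, page_url):
    """Return {third_party_host: {"label": str, "tags": [tag, ...]}}."""
    site = base_domain(urlparse(page_url).hostname or "")
    collector = ResourceCollector()
    collector.feed(html)
    findings = {}
    for tag, url in collector.urls:
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname
        if host is None or host == site or host.endswith("." + site):
            continue                      # relative path or our own domain
        entry = findings.setdefault(
            host, {"label": KNOWN_THIRD_PARTIES.get(host, "unclassified third party"), "tags": []}
        )
        entry["tags"].append(tag)
    return findings


# Constructed sample: a typical library homepage before and after cleanup.
BEFORE = """<!doctype html><html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/static/catalog.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/EXAMPLE"></iframe>
<img src="https://www.facebook.com/tr?id=0&ev=PageView" height="1" width="1">
<img src="//cdn.example-library.org/logo.png">
</body></html>"""

AFTER = """<!doctype html><html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="/static/fonts/inter.css">
<script src="/static/catalog.js"></script>
</head><body>
<iframe src="https://www.youtube-nocookie.com/embed/EXAMPLE"></iframe>
<img src="//cdn.example-library.org/logo.png">
</body></html>"""

if __name__ == "__main__":
    for name, page in (("before", BEFORE), ("after", AFTER)):
        print(f"== {name} ==")
        for host, info in sorted(audit(page, "https://www.example-library.org/").items()):
            print(f"  {host:32} {info['label']} via {', '.join(info['tags'])}")
```

Feed it the saved HTML of your own homepage and catalog pages (a BiblioCommons or similar catalog is usually a separate host and deserves its own run). Anything reported as "unclassified third party" is the interesting part: it is a vendor you have not mapped, so look it up and add it to the label list and to the data map in Part 7.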
Part 5: When Law Enforcement Shows Up
Every library staff member needs to know the basics of handling law enforcement requests. The time to learn this isn't when an officer is standing at the desk.
Types of Legal Process
- Informal request: No legal authority. The library should decline and require formal process.
- Subpoena: Issued by an attorney, no judge required. Can be challenged ("quashed"). Some states require court orders rather than subpoenas for library records.
- Court order: Issued by a judge based on relevance. Stronger than a subpoena.
- Search warrant: Issued by a judge based on probable cause. You must generally comply.
- National Security Letter (NSL): Issued by the FBI without a judge. Includes a gag order prohibiting disclosure.
What Staff Should Do
- Never volunteer information. Don't answer questions about patron activities, habits, or records without legal process.
- Don't consent to searches. Consent waives legal protections.
- Get officer identification and the legal document.
- Read the document carefully. A subpoena isn't a warrant. Know the difference under your state law.
- Contact your director and legal counsel immediately before providing any records.
- Document everything: who, what, when, what was requested, what was provided.
- Work with counsel to narrow the scope of disclosure to only what is legally required.
In 2005, four librarians in Connecticut (the "Connecticut Four") challenged an NSL and its gag order. After lengthy legal proceedings, the gag was lifted in 2006. This remains one of the most significant library privacy cases in US history.
An ALA survey found that law enforcement visited at least 545 libraries seeking patron information in the year following 9/11.
Part 6: Children's Data (The Stakes Are Higher)
Children's privacy has additional legal protections that libraries need to understand.
COPPA Updates (2025)
The FTC's final amendments to the COPPA Rule were published in April 2025, took effect June 23, 2025, and carry a compliance deadline of April 22, 2026. Key changes:
- Separate verifiable parental consent required before a child's (under 13) data is disclosed to third parties for targeted advertising
- New limits on data retention (only as long as "reasonably necessary")
- Safe Harbor programs must publicly disclose membership lists
From January 2023 to January 2025, the FTC published six COPPA enforcement actions.
Library Implications
Library websites with children's sections that collect personal information (summer reading registration with email, for example) may trigger COPPA requirements. Third-party platforms used for children's programming must comply. Children's apps and digital reading platforms (TumbleBooks, ABCmouse, Libby juvenile sections) collect usage data on minors.
Verify COPPA compliance for any vendor service that children use through the library. If the vendor can't demonstrate compliance, that's a problem you need to address before the April 2026 deadline.
Parental Access to Children's Records
State laws vary significantly. Some states grant parents access to their children's library records. Some protect minors' records even from parents. Colorado specifically protects minors' library records from parental access. Many states are silent, leaving it to library policy. Know what your state requires and have a clear policy.
Part 7: The Privacy Audit (What to Do This Month)
Step 1: Map Your Data
List every system that collects patron data. For each one, document: what data it collects, how long it's retained, who has access, whether it lives on your servers or a vendor's, and what the relevant privacy policy says.
Include the ILS, WiFi, public computers, print management, digital content platforms, website analytics, security cameras, meeting room booking, program registration, hotspot devices, and any other system that touches patron information.
Step 2: Minimize What You Collect
- Stop requiring date of birth for adult cards. Collect age range or just verify "over 18."
- Configure your ILS to purge checkout history upon return.
- Stop requiring Social Security numbers or government IDs for registration.
- Stop logging public computer URLs if your filtering software allows it.
- Remove unnecessary fields from program registration forms.
- Disable reading history features unless patrons explicitly opt in.
Step 3: Set Retention Schedules
- Circulation records (returned items): Purge immediately
- Hold records (fulfilled): Purge immediately
- ILL records: Purge after completion
- Computer session logs: 7 to 30 days
- WiFi logs: 7 to 30 days
- Security camera footage: 30 to 90 days
- Website analytics: Anonymize or purge after 13 months
- Program registration: Purge after program ends
- Fine/fee records: Purge when resolved
- Inactive patron accounts: Purge after 2 to 3 years
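A retention schedule only protects patrons if something runs it. As an added example (not the article's code and not any ILS vendor's), the following encodes the periods above and sorts a set of constructed records into purge, anonymize, keep, and review buckets, then shows the IP truncation that turns an analytics log into something you can keep for aggregate counts. The record layout, the `closed_at` convention (the moment a record's purpose was fulfilled: item returned, session ended, program over), and 395 days as an approximation of 13 months are assumptions. Two failure modes are handled deliberately: a record whose purpose is not yet fulfilled is kept, and a record type the schedule has never heard of goes to review instead of being silently kept.

```python
"""Retention-schedule enforcement over a mixed set of patron records.

Added example: the schedule encodes the periods from the article's list;
every record below is constructed. Nothing talks to a real ILS or log
store, so the function only returns a plan. In production each "purge"
becomes a DELETE or vendor API call, and the plan should be logged as
counts per bucket, never as record contents.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Days to keep a record after its purpose is fulfilled (closed_at).
# 0 means purge on the first sweep after the record closes.
RETENTION_DAYS = {
    "circulation_returned": 0,
    "hold_fulfilled": 0,
    "ill_completed": 0,
    "computer_session": 30,
    "wifi_session": 30,
    "camera_footage": 90,
    "program_registration": 0,   # closed_at = program end date
    "fine_resolved": 0,
    "patron_inactive": 3 * 365,  # closed_at = last activity
}
ANALYTICS_ANONYMIZE_DAYS = 395   # assumption: roughly 13 months


def anonymize_ip(ip_text):
    """Truncate an address to its /24 (IPv4) or /48 (IPv6) network.

    Coarse enough that one patron cannot be picked out of the aggregate,
    fine enough to keep rough geography for usage statistics.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def anonymize_analytics(record):
    """Return a copy with direct identifiers removed and the IP truncated."""
    out = {k: v for k, v in record.items() if k not in ("user_agent", "patron_id")}
    if "ip" in out:
        out["ip"] = anonymize_ip(out["ip"])
    return out


def plan_sweep(records, now):
    """Sort records into purge / anonymize / keep / review buckets by id.

    Unknown record types land in 'review' rather than being kept
    silently: a system nobody has mapped is exactly the one that leaks.
    """
    plan = {"purge": [], "anonymize": [], "keep": [], "review": []}
    for r in records:
        closed = r.get("closed_at")
        if closed is None:              # item still out, session still live
            plan["keep"].append(r["id"])
            continue
        age = now - datetime.fromisoformat(closed)
        if r["type"] == "web_analytics":
            bucket = "anonymize" if age >= timedelta(days=ANALYTICS_ANONYMIZE_DAYS) else "keep"
        elif r["type"] in RETENTION_DAYS:
            bucket = "purge" if age >= timedelta(days=RETENTION_DAYS[r["type"]]) else "keep"
        else:
            bucket = "review"
        plan[bucket].append(r["id"])
    return plan


# Constructed sample data; timestamps are UTC ISO-8601 strings.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": "circ-1", "type": "circulation_returned", "closed_at": "2026-02-28T15:00:00+00:00"},
    {"id": "circ-2", "type": "circulation_returned", "closed_at": None},   # still on loan
    {"id": "wifi-1", "type": "wifi_session", "closed_at": "2026-02-20T18:00:00+00:00"},
    {"id": "wifi-2", "type": "wifi_session", "closed_at": "2026-01-15T18:00:00+00:00"},
    {"id": "cam-1", "type": "camera_footage", "closed_at": "2025-11-01T00:00:00+00:00"},
    {"id": "web-1", "type": "web_analytics", "closed_at": "2025-01-01T00:00:00+00:00",
     "ip": "203.0.113.42", "user_agent": "Mozilla/5.0", "page": "/catalog"},
    {"id": "web-2", "type": "web_analytics", "closed_at": "2026-02-01T00:00:00+00:00",
     "ip": "2001:db8:abcd:1234::1", "page": "/events"},
    {"id": "acct-1", "type": "patron_inactive", "closed_at": "2022-06-01T00:00:00+00:00"},
    {"id": "maker-1", "type": "makerspace_file", "closed_at": "2025-12-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    for bucket, ids in plan_sweep(SAMPLE_RECORDS, NOW).items():
        print(f"{bucket:10} {len(ids):2}  {', '.join(ids)}")
    print(anonymize_analytics(SAMPLE_RECORDS[5]))
```

Schedule the sweep daily, and have it fail loudly when the review bucket is non-empty: that is the signal that a new system started producing patron records without anyone adding it to the data map from Step 1.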
Step 4: Scan Your Website
Run your library website through The Markup's Blacklight tool (themarkup.org/blacklight). Document what tracking it finds. Remove or replace trackers that aren't essential.
Step 5: Review Vendor Contracts
Check every vendor contract for these clauses:
- Data ownership (the library owns all patron data)
- Data deletion on contract termination
- Breach notification within 24 to 72 hours
- Prohibition on selling or sharing patron data
- Compliance with state library confidentiality laws
- Right to audit
- Specific retention limits
If any of these are missing, raise them at your next contract renewal. The Library Freedom Project provides a vendor privacy audit worksheet. The University of Illinois Licensing Privacy Project provides model contract language.
Step 6: Train Your Staff
All staff should understand what counts as a library record under your state law. Front desk staff need specific training on law enforcement requests: "Let me get my director." IT staff need data retention configuration training. This isn't a one-time onboarding item. It requires regular refresher training.
Step 7: Update Your Privacy Policy
Your privacy policy should cover: what data you collect (specific categories), how it's used, retention periods for each data type, who has access, third-party data sharing with links to vendor policies, patron rights to access/correct/delete data, children's data protections, security measures, law enforcement response procedures, review schedule, and contact information.
Common gaps: no mention of vendor data practices, no retention schedules, no coverage of WiFi/computer/website tracking, no children's privacy section, no law enforcement procedures, not updated for digital services, legal jargon inaccessible to patrons.
Review your policy at minimum annually, and whenever you add a new vendor, change core systems, learn of new legal requirements, change retention practices, or experience a data breach.
What This Means for Your Library
Privacy isn\'t something you believe in. It\'s something you do. The value is meaningless without the practice.
That means knowing what data you collect, minimizing what you don't need, setting retention schedules and actually enforcing them, understanding what your vendors are doing with patron data, training staff on law enforcement procedures, protecting children's data under strengthened COPPA rules, and keeping your privacy policy current and honest.
The Pierce County breach exposed 340,000 records including Social Security numbers. That wasn't a failure of values. It was a failure of practice. The San Francisco tracking incident wasn't malicious. Nobody at the library put Facebook pixels on the website intending to surveil patrons. But the pixels were there, and they were tracking.
Pick three things to tackle this week:
- Run your website through Blacklight (themarkup.org/blacklight). See what's tracking your patrons.
- Check your ILS circulation history settings. Is checkout history being purged on return, or is it piling up indefinitely?
- Read your state's library confidentiality statute. Not the ALA summary. The actual law. Know what it requires and what it doesn't.
Your patrons trust you with their reading habits, their browsing history, their children\'s data, and sometimes their Social Security numbers. That trust isn\'t optional. Neither is protecting it.