This lesson was developed by Ellen Dubinsky, University of Arizona; Michele Gibney, University of the Pacific; Molly Rainard, Auraria Library; and Scott Schmucker, Florida State University.

Approximate time to complete: 8-10 hours

Learning Objectives

• Articulate issues and concerns about user privacy and surveillance in licensing agreements
• Apply user privacy protections within contracts

Even though the American Library Association identifies intellectual freedom and privacy as core values of librarianship, there is growing concern that libraries are losing the ability to uphold those values as an increasing volume of library materials is licensed rather than purchased. Patron privacy is at risk from major library vendors – both from those that are divisions of corporations that also engage in data brokering, such as Elsevier (part of RELX) and Thomson Reuters, and from vendors that work with third parties that access and capture user data. This raises ethical concerns particularly about confidentiality and privacy since data about our library users are at risk of being shared or sold to third parties. The ability of libraries’ to protect user data and limit exploitation of that data has diminished.

This lesson provides information, tools, and strategies to use as you prepare to negotiate for strong privacy protection language in your library vendor licensing agreements. 

Table of Contents

• DO: Pre-test Assessment
• WATCH, LISTEN, READ
  • Videos
  • Podcasts
  • Readings
  • Concerns About Data Brokers
  • Impact on and Responses from Library User Communities
  • Supporting Value-based Negotiations
• DO: Review and Practice Activities
  • #1 Privacy Language Primer
  • #2 Negotiation Examples
  • #3 Measuring Library Vendor Cyber Security
  • #4 Assessing Data Privacy on a Vendor Website 
  • #5 Audit Vendor Policies for Privacy and Security
  • #6 Writing a Library Data Privacy Policy 
  • #7 Group Activities & Discussion
• DO: Post-test Assessment and Answers
• Helpful Tools & Readings

DO: Pre-test Assessment

Download Pre-Test Assessment (download .docx file) (download .pdf file) so that you may save your answers and compare to the answer key linked at the bottom of this lesson. 

WATCH, LISTEN, READ

The following resources provide background information about the potential harm of data brokering (the sale of personal data to third parties). They also provide more general details about library privacy, vendor privacy practices, and how our affected communities and libraries are reacting to these vendor practices.

We suggest that you spend at least 3 or 4 hours engaging with some of the readings, websites, podcasts, and videos below.

Videos 

• NYC Digital Safety
  • What Should I Know About Library Privacy: Library Principles (6 min.)
  • What Should I Know About Library Privacy: Third Party Service + Data Privacy (9 min.)
• Library Privacy: Past, Present, Future (1/18/2022, 76 min.). Conversation with library privacy experts Alison Macrina (Library Freedom Project), Sarah Lamdan (CUNY School of Law and author of Data Cartels from Stanford University Press), and George Christian (former Executive Director of Library Connection and one of the Connecticut Four)
• IOI Community Discussion with McKenzie Funk and Sarah Lamdan (9/7/2022, 63 min.)
• Data Cartels & Commercial Obstacles to Open Access (October 24, 2024, 88 minutes). Sarah Lamdan presentation (44 min.) and Q&A (44 min.).
• The Privacy Landscape: Policy & Practice in the Library and University Contexts (3/28/2022, 80 min.). Opening plenary session from Spring 2022 CNI Membership Meeting. Featuring Lisa Janicke Hinchliffe (University of Illinois at Urbana-Champaign); Kent Wada (UCLA); Cheryl Washington (University of California at Davis); Clifford Lynch (CNI), moderator.

Podcasts

• Balancing Patron Privacy and Library Performance: Highlight Episode (2018, 23 min.)
  • Features excerpts from earlier interviews with Bobbi Newman and Bonnie Tijerina, authors of Protecting Patron Privacy: A LITA Guide (2017). Includes transcript.
• Data Cartels and Surveillance Publishing (2022, 44 min.)
  • Interview with Sarah Lamdan by the Knowledge Equity Lab’s Unsettling Knowledge Inequalities Podcast. Includes transcript.

Readings

• Overviews/Quick Reads:

• • • Licensing Privacy Project
    • Privacy field guides for libraries: Vendors and privacy (American Library Association)
    • Privacy Briefings Modular Slides (PPTX) (Lisa Levesque and Sara Klein, Toronto Metropolitan University Libraries)
    • Privacy and security questions to ask vendors (Library Freedom Project)

• Deeper Dives:

• • SPARC Vendor Privacy Reports
    • Navigating Risk in Vendor Data Privacy Practices: An Analysis of Springer Nature’s SpringerLink (2024)
    • Navigating Risk in Vendor Data Privacy Practices: An Analysis of Elsevier’s ScienceDirect (2023)
  • McKinnon, D., & Turp, C. (2022). Are library vendors doing enough to protect users? A content analysis of major ILS privacy policies. The Journal of Academic Librarianship, 48(2). (paywalled – no green OA version)
  • Salo, D. (2021). Physical-equivalent privacy. The Serials Librarian. 81(1), 20–34. 
  • Ayre, Lori Bowen (2017) Protecting Patron Privacy: Vendors, Libraries, and Patrons Each Have a Role to Play. Collaborative Librarianship, 9(1), Article 2. 

Concerns about Data Brokers

While there are certainly legitimate and desired outcomes resulting from user data shared between vendors (e.g., sharing anonymized customer data to improve targeted advertising across platforms or using location data with transportation apps to optimize route planning), there are many more dangerous and detrimental possibilities:

• Corporate Surveillance in Everyday Life (6/2017) by Wolfie Christl
• Librarianship at the Crossroads of ICE Surveillance (11/13/2019) by Sarah Lamdan
• “Louisville Cop Used Law Enforcement Database To Seek Female Targets To Hack For Sexually Explicit Content” (10/19/2022)
• “Privacy bill triggers lobbying surge by data brokers” (8/28/2022)
• FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations (8/2022)
• “Woman Got Cremation Ads in the Mail After Getting Chemotherapy” (2/7/2024)

Impact on and Responses from Library User Communities

When library user communities become aware of the invasive practices and demonstrated risks resulting from the collection, selling, and sharing of user data, the reaction is often swift and determined. (The documents below are all brief.)

• Students

• • • Resolution 16: GPSA R16: Demanding Cornell fight for fair terms for the remote services its community is required to use by Cornell Graduate and Professional Assembly. (4/2020)
    • Data privacy in higher education: Yes, students care by Jasmine Park and Amelia Vance. (2/11/2021)
    • Law students demand Seattle University cut ties with data companies working with ICE by Bunthay Cheam. (10/22/2021)
    • Why students should be involved in data privacy conversations by Pegah Parsi. (1/26/2022)
    • A data collection effort at GW leads to privacy questions by Suzanne Smalley. (2/21/2022)
    • BOD 2022-23 – 1R Resolution in support of the removal of webcam proctoring by Cal State East Bay Associated Students, Inc. (11/2/2022)
    • S.R. 59.2-8, Resolution to discourage the use of Respondus Lockdown Browser and other proctoring programs requiring the use of audio/visual recording by University of North Carolina at Charlotte Student Senate. (2/2/2023)

• Faculty

• • Resolution affirming the privacy of learning data and principles for working with third-party vendors by the University Faculty Senate of The City University of New York. (5/12/2020)
  • Library faculty position statement on vendor surveillance by Jill Emery and Portland State University. (6/2021)
  • UW Faculty Senate votes to support the UW Libraries’ principles in licensing scholarly resources by University Libraries, University of Washington. (4/14/2022)
  • Resolution in Support of Libraries Licensing Priorities by the Boulder Faculty Assembly of the University of Colorado Boulder. (10/5/2023)
  • UC Denver Resolution (5/30/2024)

Supporting Value-based Negotiations

When negotiating with vendors, it’s helpful to have existing university or library policies or state statutes that justify your negotiation position. Non-disclosure agreements facilitate transparency and fairness among libraries negotiating for information resources. If you have a policy which prohibits agreeing to a Non-disclosure or confidentiality clauses (NDAs), you can rightfully insist such clauses be deleted from a vendor agreement.   

• Preferred practice guidance from library support organizations:

• • • Association of Research Libraries, “ARL Encourages Members to Refrain from Signing Nondisclosure or Confidentiality Clauses.” (6/2009)
    • International Coalition of Library Consortia (ICOLC), “Statement of Current Perspective and Preferred Practices for Selection and Purchase of Electronic Information” (10/2004)

• Examples of university library NDA policies:

• • Cornell University
  • University of North Carolina 
  • University of Virginia 
  • University of Alberta 

DO: Review and Practice Activities

The Privacy Language Primer and Negotiation Examples (#1 and #2 below) are adapted from actual vendor contracts and negotiation exchanges between vendors and libraries. They provide learners with realistic expectations for privacy term negotiations and as such, each activity includes follow-up questions designed to probe the nuances of the negotiation outcome and to facilitate understanding of how to make progress in privacy contract language negotiations. 

Activities #3-7 offer a mix of assessment and policy development tools to enhance your library’s privacy framework. You’ll find guidance on evaluating vendor cybersecurity and website data privacy, auditing vendor policies using the Library Freedom Project’s toolkit, and crafting a robust data privacy policy tailored to your library’s needs. For example, using the tools in Measuring Library Vendor Cyber Security (#3)  and Assessing Data Privacy on a Vendor Website (#4), it’s possible to assess vendor compliance with the terms of the license agreement. The vendor can then be shown any tangible evidence that they may be in violation of the agreement. Finally, Group Activities and Discussion (#7) prompts facilitate collaborative learning and knowledge sharing.

• #1 Privacy Language Primer  
  • Exercises (download .docx file, download .pdf file) 
  • Answers
• #2 Negotiation Examples
  • Case Study #1: No Privacy Language
  • Case Study #2: Linked Privacy Policy
  • Case Study #3: Bad Privacy Clause
• #3 Measuring Library Vendor Cyber Security
• #4 Assessing Data Privacy on a Vendor Website
• #5 Audit Vendor Policies for Privacy and Security by the Library Freedom Project
• #6 Writing a Library Data Privacy Policy (download .docx file, download .pdf file)
• #7 Group Activities & Discussion

Due to the nature of negotiations, vendors may not always accept a library’s preferred terms, necessitating further negotiation until agreement is reached. Circumstances specific to your library at the time of negotiation will affect whether you continue to negotiate or reach agreement on the terms. However, there are likely an array of terms under negotiation for any given license, and there may be additional factors like pricing, time, faculty need, and budgeting to consider.  More pressing priorities can lead a library to concede points in negotiation, including privacy terms. However, it’s important to remember that the right to privacy, the right to seek information without it being monitored or capitalized, is a core principle of librarianship and efforts to protect the privacy of library users are important. The risks are real and the sustained attempt to improve licensing agreement privacy terms is the responsibility of the entire library community. Over time and with repeated attempts, vendors have been led to change their license language to recognize this important principle. The ultimate goal is for our library vendors to recognize and understand the value of the right to privacy, and to conduct our business partnerships accordingly.                                                     

DO: Post-test Assessment and Answers                                      

Revisit the document you downloaded from the Pre-test Assessment section, or download the document again (download .docx file) (download .pdf file), and read the questions and your answers over based on the knowledge you have gained during this module. Have any of your answers changed? When ready, you can download the answer sheet and check your responses. 

Helpful Tools & Readings

• NISO Consensus Principles on Users’ Digital Privacy in Library, Publisher, and Software-Provider Systems (2015) (NISO Privacy Principles)
• Caro, A. and Markman, C. (2016, April 25). Measuring Library Vendor Cyber Security: Seven Easy Questions Every Librarian Can Ask. Code4Lib Journal, 59.
• Lamdan, S. (2019, Nov. 13). Librarianship at the Crossroads of ICE Surveillance. In the Library with the Lead Pipe, 13. 
• Knowledge Equity Lab / SPARC podcast featuring Chris Gilliard. Digital Redlining, Friction-Free Racism and Luxury Surveillance in the Academy (2022) (43 minutes, includes transcript)
• Lamdan, S. (2022). Data Cartels: The Companies that Control and Monopolize Our Information. Stanford CA: Stanford University Press.
• Bettinger, E. C., Bursic, M., & Chandler, A. (2023, June). Disrupting the Digital Status Quo: Why and How to Staff for Privacy in Academic Libraries. Licensing Privacy Project. 
• Funk, M. (2023). The Hank Show: How a House-Painting, Drug-Running, Drug-Running DEA Informant Built the Machine That Rules Our Lives. New York, NY: St. Martin’s Press.
• Heller, M. (2023). Building a Culture of Privacy through Collaborative Policy Development, in S. Hartman-Caverly and A. Chisholm (Eds.) Practicing Privacy Literacy in Academic Libraries: Theories, Methods, and Cases (pp.265-281). Chicago: Association of College and Research Libraries. (See also: Loyola University Chicago Libraries Privacy Policy and Activity #6 Writing a Library Data Privacy Policy)
• Zimmerman, K. (2024). Patron Data Privacy, in Rachael Samberg; Katie Zimmerman; Samantha Teremi; Erik Limpitlaw; and Sandra Enimil, Eds., E-Resource Licensing Explained. Association of Research Libraries: Washington, D.C.