A Publication of the Public Library Association Public Libraries Online

GDPR and American Public Libraries

by Erin Berman, Innovations Manager, San Jose (CA) Public Library, erin.berman@sjlibrary.org on June 7, 2018

Is your library GDPR compliant? Read on to find out more about these new regulations and how they may impact your library.

Why is everyone updating their terms of use and privacy policies?

Have you and your patrons been wondering why your inboxes are being flooded with emails announcing updates to Terms of Use and Privacy Policies? While we have heard a lot more about privacy concerns in the news lately, these updates are being driven by one thing in particular, GDPR or the General Data Protection Regulation.

What is GDPR?

In 2016, the European Parliament passed sweeping legislation to provide citizens with a greater level of control over their personal data and require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Companies and organizations were given two-years to get in compliance with the new regulations or face heavy fines. May 25, 2018 is the date that GDPR goes into effect.

What are the new regulations?

There are several main changes that companies must now follow. If they are not in compliance they will be fined 4% of annual global turnover or €20 Million (whichever is greater).

  • Breach Notification: Companies must notify users within 72 hours of a data breach.
  • Right to Access: Everyone has a right to their own information. If requested, personal data must be turned over, free of charge, in an electronic format.
  • Right to be Forgotten: If there is information about you online that is harming you then you can request to have it removed. Companies will have to take into account the public interest in the information.
  • Data Portability: Companies need to provide your personal information to you in a commonly used and machine readable format that can be transferred to another service.
  • Privacy by Design: When designing services (e.g., websites, apps), businesses must consider how to keep user information protected. It should be built into the design, not an afterthought.
  • Data Protection Officers: All companies must assign someone to be responsible for overseeing their data protection strategy and compliance with GDPR requirements.

Who does this effect?

You may be asking yourself, “What in the world does this have to do with me, isn’t this just a EU regulation?” Well, yes and no. GDPR effects any business that handles the personal data of someone living in the EU. As we all know, the internet is worldwide. Many businesses have customers living not only in Europe, but the United States, Australia, Brazil, etc. GDPR requires companies to change how they collect, store, and share customers’ information. Instead of restricting that to just those living in Europe, many are choosing to bring the new requirements to all their customers. This is why all of us in the United States are seeing the updates to Terms of Use and Privacy Policies.

Due to the Right to Access provision in GDPR you can now request a copy of all the data a company has collected about you. Sometimes this has to be done in writing, while others are starting to roll out instant downloads.

What privacy regulations do we have?

The United States has yet to adopt any broad privacy regulations like GDPR. However, some states do have their own privacy laws. For example, California implemented their own Online Privacy Protection Act (CalOPPA) in 2014. This law that requires commercial websites and online services to post a privacy policy. CalOPPA applies to any person or company in the United States (and conceivably the world) whose website collects personally identifiable information from California consumers.

Why does this matter to public libraries in the United States?

Don’t go and hit the panic button at your library if you are not in compliance. Those of us who only serve patrons living in the United States do not have to follow these regulations. However, GDPR effects many of our library vendors who have customers in the EU. That is why you’ve seen many of them updating their policies and procedures to be in compliance with the new regulations.

Most major internet companies have customers in the EU meaning they have to be GDPR compliant or face large fines. Anyone who goes online will now have more control over their personal information and hopefully have better safeguards in place to protect their data. Although we do not have to be in compliance with GDPR for our data, many of your patrons will likely have questions about it. Understanding the basics will help staff build patrons’ privacy literacy and feel comfortable with the changes they’re seeing online.

Libraries also have an ethical responsibility to act as privacy havens for our patrons. We can learn from GDPR by conducting our own internal privacy audits to ensure we, and our vendors, are protecting patron data. Get started today by checking out all the fantastic resources on ALA’s Choose Privacy Week website.