A Publication of the Public Library Association Public Libraries Online

Personal Identifiable Information, Parental Consent, and Public Libraries

by on October 3, 2019

The Federal Trade Commission and the New York Attorney General argued that the YouTube video sharing service illegally collected personal information from children without their parents’ consent therefore violating the Children’s Online Privacy Protection Act (COPPA) 1. This argument prevailed and You Tube was ordered to pay the largest fine ever levied against a company for violating COPPA.

So, what does this have to do with public libraries and why should they care? While libraries are guardians of patron information stored in their integrated library systems, how well are public libraries doing when it comes to extending these protections to third-party vendors? And what about ancillary services like the library event registration system and the thousands of eager readers who sign up for the summer reading program?

ALA guides libraries with its Library Bill of Rights which addresses how libraries should protect people’s privacy: “All people, regardless of origin, age, background, or views, possess a right to privacy and confidentiality in their library use. Libraries should advocate for, educate about, and
protect people’s privacy, safeguarding all library use data, including personally identifiable information.”2

While ALA provides a guideline for such practices, laws at the federal and local levels are in place to legislate what libraries can and cannot do. At any given time, one can search for COPPA violations and retrieve a goliath’s share of results. In a nutshell, COPPA gives parents control over what information websites can collect from their children. COPPA puts the parents in the driver’s seat when it comes to any website or online service collecting information from a child under the age of 13. Libraries must take this into consideration when working with any third-party commercial vendor aimed toward children. Under a 2013 revisions, COPPA takes it a step further by broadening coverage to the regulation. The revision states that COPPA also applies to operators when they have “actual knowledge” they are collecting personal information from users directed to kids under 13. It does not require general audience sites to investigate the ages of its users; however, if the site asks for or otherwise collects information that indicates a visitor to that site is under 13 years of age, that triggers
COPPA compliance.3

While COPPA’s coverage is aimed at commercial web sites, it doesn’t mean public libraries are off the hook. For example, all websites and online services operated by the Federal Government and contractors operating on behalf of federal agencies must comply with the standards set forth in
COPPA.4 And in the case of public libraries, a major concern is how library users of any age interact with the services of third-party commercial vendors, what their privacy policy states, and how that vendor complies with COPPA.

In addition to COPPA, public libraries can also look to their state legislature for guidance. According to ALA, forty-eight states have laws protecting the confidentiality of library records.5 The Arizona statute, A.R.S. 41-151.22, for example, states that “a library or library system supported by public monies shall not allow disclosure of any record or other information, including e-books, that identifies a user of library services as requesting or obtaining specific materials or services or as otherwise using the library.”6 Note the phrase, “or any information” and “or services”—which broaden the scope of the law to not only include the users circulation record, but so many other services such as the aforementioned event registration or summer reading signups examples. Violating this law in Arizona constitutes a class 3 misdemeanor.

Libraries must also continue to pay attention to their own internal procedures and practices as well as third-party vendors whenever personal identifiable information is requested from users. Managers should review internal practices occurring in their libraries and may consider conducting
their own privacy audit which can uncover areas which need strengthening. The resources below can guide libraries as they create new privacy policies or update existing ones. As library services
continue to evolve, privacy protections must always be adapted to new technology, new services, and changing procedures and practices


ALA’s Privacy Toolkit

Children’s Online Privacy Protection Act

A Practical Guide to Privacy Audits

Developing or Revising a Library Privacy Policy

State Laws Regarding Library Records

Public Library Privacy Policies Incorporating Third-Party Vendors:

Kalamazoo Public Library

Multnomah County Library

New York Public Library


  1. “Press Releases for September 2019.” Federal Trade Commission. United States Government, September 4, 2019.
  2. Admin. “Library Bill of Rights.” Advocacy, Legislation & Issues. American Library Association, February 11, 2019.
  3. Children’s Online Privacy Protection Rule: Not Just for Kids’ Sites.” Federal Trade Commission. United States Government, July 24, 2017.
  4. M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.” Memorandum. Executive Office of the President, Office of Management and Budget, September 9, 2003.
  5. Admin. “State Privacy Laws Regarding Library Records.” Advocacy, Legislation & Issues. American Library Association, April 10, 2019.
  6. Privacy of user records; violation; classification; definition. A.R.S. 41-151.22.

Tags: , , , , , , ,