Assessing the status of the law in each state is beyond the scope of this chapter, but it might be helpful to organize any reading of a state’s library privacy statute into several elements that may facilitate your understand- ing of that particular library privacy statute’s strengths and weaknesses.

Take special notice of the following elements, all of which are dis- cussed in greater depth throughout this chapter:

• Institution

• Target record or information

• Action

• Exceptions

Q10 What is the general nature of the state laws protecting patron privacy in libraries?

First, obtain and read a complete copy of your state’s statute and review it carefully, since there is great variation from state to state. A library’s policy should be drafted or revised in keeping with the state law, and when possible, should expand the privacy rights of patrons.

Understanding the Statutory Context

Most if not all privacy statutes prohibit the release of library patron infor- mation to third parties. A number of states prohibit the release of patron

information outright, but there may be several exceptions. Understanding the nuances of coverage is critical, e.g., how the protected patron infor- mation is defined. A second approach is taken by states that present library confidentiality as an exception to a state’s open records laws. These statutes more accurately operate to merely remove the public library patron record from the general definition of public records and thus limit the reach of the “public” or “open” records law. However, these records may still be subject to disclosure through a subpoena.

Defining the Four Elements

The “institution” indicates which libraries in the state the law covers. The

“target record or information” is also an important element, since differ- ent states protect different aspects of patron privacy. Most of the discus- sion of coverage centers around what type of record is protected, i.e., what sort of information must be in a record before it will be considered a

“record” for purposes of the statute and thus its contents protected. The state statutes generally define a “circulation or registration” record, with different states giving different definitions. Patron privacy is often limited to certain types of acts (“action”). In general, a “release” of patron infor- mation to a third party is prohibited, but sometimes a parent is not con- sidered to be a third party, thus release of the patron record to a parent may not be an “action” proscribed by the statute. Most significant are the

“exceptions,” including the release of patron records subject to a valid search warrant, subpoena, or court order.

Institution

Q11 Is my library covered by my state’s library privacy laws?

To analyze this, look at the “institution” clause in your state statute.

Different states include different types of library institutions in their statutes. Most statutes contain language that protects patrons in all libraries in a given state that are “funded in whole or in part” by public funds. A number of states make an exception to general open or public records laws for library patron information, and this exception would also apply to all types of “public” libraries, those that generate public records.

In addition, a few states offer expanded coverage by protecting patron privacy in all libraries that are “open to the public.” And finally, several state statutes specifically apply to private libraries, often in certain restric- tive categories such as schools and colleges.

Most states define “public” libraries as those funded with public resources²⁶or operated by an arm of the state.²⁷

A second approach is taken by several states that include a list of the specific types of “public” libraries covered by statute.²⁸This may include, as in Arkansas, extending protection to “the patrons of public, school, academic, and special libraries and library systems supported in whole or in part by public funds.”²⁹

A third approach ties confidentiality to the public nature of library clientele, i.e., libraries open to or serving the public. For example, the Ohio law includes any library that “is open to the public,” including a

“library that is created and maintained by a public or private school, college, university or other educational institution.”³⁰ Similarly, Michi- gan, Missouri, and Tennessee define “library” to potentially include those operated by private entities, as long as the library is “open to the public.”³¹ Incorporating the “open to the public” approach, North Carolina makes this clear by adding to the definition of covered libraries

“or any private library open to the public.”³²The New Hampshire statute makes it clear that protection extends to users “of public or other than public libraries.”³³ South Carolina includes “private” within its list of covered libraries (but the “private” library must still be “supported in whole or in part by public funds” in order to be covered by the statute).³⁴ Nevada uses the following language: “of a public library or other library which contain the identity of.”³⁵This also suggests application to libraries

“other” than those merely funded in whole or in part with public monies.

However, the Nevada law, section 239.013, is part of chapter 239, dealing with the public records portion of the Nevada statutes. This suggests that the record would initially be generated by a public entity and so by oper- ation may apply only to libraries funded by public monies.

Under these or similar statutes, a library would still need to secure public funding or be open to the public, i.e., have some public nexus, in order to trigger application of the statute. Thus a parochial grade school library would not in all likelihood qualify, but a parochial school receiv- ing state or local support through a voucher or textbook support, e-rate, or similar Internet assistance program might qualify.

New Jersey lists categories of libraries such as “a library maintained by a state or local governmental agency, school, college, or industrial, commercial or other special group, association or agency,” and then adds

“whether public or private,”³⁶offering protection to patrons at libraries beyond the public setting. Similar to the “open to the public” language,

Illinois indicates that libraries which offer some public benefit should be covered: “any public library or library of an educational, historical, or elee- mosynary institution.”³⁷South Carolina merely states,³⁸as do a number of states,³⁹that any library funded in whole or in part by public funds or one “receiving public funds”⁴⁰is subject to the provisions of the statute.

Q12 What if it’s unclear which library institutions my state’s statute covers?

Either courts or administrators sometimes give further interpretations of which institutions are covered. For example, the Wisconsin statute⁴¹does not apply to school libraries per se, since the statute fails to list the “types”

of public libraries covered by the statute. If there is no specific mention of the statute’s application to public K–12 environments, either toward inclu- sion or exclusion, it is recommended that the state department of instruc- tion or appropriate agency be contacted to determine if the agency has made an administrative interpretation of the statute. For example, there is an indication from the Wisconsin Department of Public Instruction that the state statute would in fact protect the privacy of K–12 students in public school settings against parental and administration inquiries.⁴² Note: School library records may also be protected under the federal Family Educational Right to Privacy Act (FERPA).⁴³

Another option is to seek a formal interpretation of the statute from the office of the state attorney general. This request for a formal opinion is generally made by the director of state education or instruction, the head of state library services, or by the appropriate agency head in other cases, such as the administrator of state courts for a court library.

Target Record or Information

Q13 What information about patrons, exactly, is protected by law?

A review of various states’ privacy statutes reveals two approaches. The first focuses on patron records. The second focuses on protecting patron information.

Records

In the first approach, the statute indicates the type of record protected.

“Registration and circulation” records are most common,⁴⁴though some states limit protection to “circulation” records.⁴⁵ The heading of the

Maryland statute identifies the section as relating to “circulation records,”

then the text uses the language “circulation record or other item, collec- tion, or grouping of information about an individual.”⁴⁶ Both Georgia and West Virginia protect “circulation and similar records,”⁴⁷ without explicitly naming registration records. Statutes that use a particular term like “registration” or “circulation” or simply “record” but then define the contents of the record more specifically offer additional guidance, but gen- erally result in a more limited coverage. The definition of the term

“record” can be narrow, as in Pennsylvania: “[r]ecords related to the cir- culation of library materials which contain the names or other personally identifying details regarding the users.”⁴⁸ It can be broad, as in South Dakota: “[a]ll public library records containing personally identifiable information are confidential . . . personally identifiable means any infor- mation a library maintains that would identify a patron.”⁴⁹ A middle approach is taken by South Carolina: “[r]ecords related to registration and circulation of library materials which contain names or other person- ally identifying details regarding the users of.”⁵⁰

Some states make it clear that the term “record” is to be read broadly, protecting a wide variety of information that might be created regarding a patron. For example, both Arkansas and New York take this approach.

The Arkansas statute states: “including, but not limited to, circulation of library books, materials, computer database searches, interlibrary loan transactions, reference queries, patent searches, requests for photocopies of library materials, title reserve requests, or the use of audiovisual mate- rials, films, or records.”⁵¹The New York statute states: “including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records.”⁵²

A single word can make quite a difference. California takes the middle approach of protecting “registration and circulation” records. California defines “registration records” to include “any information which a library requires a patron to provide in order to become eligible to borrow books and other materials.” California defines “circulation records” to include

“any information which identifies the patrons borrowing particular books and other materials.”⁵³ Some may see the term “borrowing” as more limited than the word “using.” A patron’s interaction with the Internet in a library is less like a “borrowing” of library material, and more of a

“use” of library material. This “use” is akin to merely browsing a partic- ular area of the library stacks, or flipping through a few magazines. The browsing or flipping is not “borrowing” in the common sense of the term;

neither is it “borrowing” in librarians’ view, nor in many statutes, yet browsing and flipping would surely be using a library’s services or mate- rials. Therefore, a record of patron names on sign-up lists would be neither a registration nor a circulation record in California, since a library user normally is not said to “borrow” Internet or network access.

Similarly, Florida prohibits the release “in any manner [of] any informa- tion contained in such records [“registration and circulation records of every public library”].”⁵⁴ Yet the statute giveth and the statute taketh away, as the Florida statute proceeds to define registration and circulation records with the more narrow focus of “borrow” instead of “use.”

Furthermore, if “borrowing” can be said to be synonymous with “circula- tion,” then it is even more limiting, since a record of a patron’s request to use material from closed stacks would not be “borrowing” in a narrow sense.

Others will argue that the term “borrowing” has a broader reach, including “using.” For example, if a patron takes a book off the shelf, reads it and leaves it behind, the patron has appropriated the material for his or her own use during that time.⁵⁵

Information

The second approach focuses on protecting information in records,as opposed to the records themselves. This is a much broader approach, prohibiting the release of the underlying information contained in the records. Florida links the registration and circulation record to the patron “borrow[ing]

books or other materials” but states that a “person may not make known in any manner any information contained in such records.” Thus, if network password information is also contained in a patron’s registration or circulation record or both, then the registration or circulation record as well as the password list would be protected, regardless of whether the password information itself can identify a particular individual. This might in fact occur, since a registration record might contain a patron’s network password as well as his or her library card or registration number, etc. Under a reading of the Florida statute, the master password list would be protected because the passwords also appear in the registra- tion records of patrons and the statute forbids release of “any information contained in such records.”

The Maryland statute protects “any circulation record or other item, collection, or grouping of information about an individual that . . . identi- fies the use a patron makes of that library’s materials, services, or facili- ties” (emphasis supplied).⁵⁶It is likely that a master list of sign-ups qual- ifies for protection in Maryland at least as far as the “borrowing” versus

“use” issue is concerned, as would other “documentation” that might indicate what stacks patrons visited or what magazines they browsed, for example, a security camera tape that records patrons’ use of materials.

Confidentiality may be targeted at so-called identity information such as “name, addresses or other personal identifying information of people who have used material made available to the public by a library.”⁵⁷For example, the South Dakota statute (“All public library records containing personally identifiable information are confidential”) defines “personally identifiable” as “any information a library maintains that would identify a patron.”⁵⁸ Some states that use the “personally identifiable informa- tion” phrase condition protection upon the existence of the information in certain types of records such as “circulation or registration.” The “record”

is what is protected, but the record qualifies for protection only if it con- tains “any information that would identify a patron.” Maryland protects a “record or other item, collection, or grouping of information about an individual that . . . contains an individual’s name or identifying number, symbol, or other identifying particular assigned to the individual.”⁵⁹Thus a password, registration number, or symbol identifying that a particular patron is a senior citizen and subject to additional library services would all be protected information in Maryland.

Louisiana expands the concept of protection beyond a single person to include material “loaned to or used by an identifiable individual or group of individuals.”⁶⁰Oklahoma also provides for the protection of “records indicating which of its documents or other materials, regardless of format, have been loaned to or used by an identifiable individual or group.”⁶¹ Again, whether such an approach is broader may depend upon what trig- gers the underlying prohibition.

States like Florida,⁶²Minnesota,⁶³and Alaska⁶⁴protect the underlying information regardless of its embodiment, as opposed to the majority of states that protect either a certain type of record or a certain type of record if it contains a certain type (personally identifying) of information. The latter statute is seemingly a compromise of the “underlying information”

and “type of record” approaches, prohibiting disclosure of “any recordor other information which identifies a person” (emphasis supplied).⁶⁵

Neither Records nor Information:

The Power of Librarian Observation

What if a reference librarian or library page shelving books is asked what the person sitting at the table second from the window was reading during the afternoon? The librarian or page, while not compelled to do so, could reveal what he or she observed the individual reading without violating privacy statutes in many states. If the state statute uses the term “record,”

then the information revealed by the librarian’s observation is not pro- tected. If the statute protects “information,” depending on how the statute is written, it may be protected. If in having a librarian or clerk notice that it was in fact Mr. Smith reading ABC book this afternoon, no record has been created. While library privacy statutes do not compel disclosure in such instances, the important fact is that a literal reading of such a statute that protects only “records” may not prohibit the disclosure. The result might be different if the third party asked whether the librarian or clerk could determine whom the person sitting at the second window is. It would depend on whether the prohibited disclosure focuses upon a type of record (arguably the observation of the person is not a record) or upon the release of information whether or not contained in a type of record (like a person’s name). Some may argue, however, that even a librarian’s memory of a record (she remembers what a patron read from a completed transaction) is protected.

The Colorado or a similar statute, for example, could be interpreted to prevent such disclosures: “shall not disclose any record or other information which identifies a person as having requested or obtained specific materi- als or service or as otherwise having used the library.”⁶⁶ A similar result might derive from the Arizona statute, as it does “not allow disclosure of any record or other information which identifies a user of library services as requesting or obtaining specific materials or services or as otherwise using the library.”⁶⁷ The recollection of the reading habit of Mr. Smith earlier in the day (ABC book) would be “other information” and it would

“identif[y]” him as having “obtain[ed] specific materials or services or as otherwise [having] us[ed] the library.”

Suppose a law enforcement officer came into the library, showed the librarian a picture of a man with a beard, and asked if the librarian noticed whether this patron had visited the library in the past few days.

Further, the librarian is asked what the patron was observed reading.

Most state privacy statutes would not prohibit such information from dis- closure; the information is not contained in a record, nor could it in any

sense be considered “personally identifiable.” Obviously this may or may not be the level (or lack thereof) of confidentiality that most libraries would like to offer to their patrons. These problems underscore the value of having an approved (by the appropriate governing authority) confiden- tiality policy that protects the privacy of library and archive patrons to the extent desired (an extent often beyond the coverage provided by statute) and having staff knowledgeable as to its contents, application, and enforcement. Patrons should also be made aware of this policy as well.

Action

Q14 What acts are prohibited?

The third factor, action, considers what the library may not do. In general, this involves the actual disclosure to third parties of the protected

“record” or “information.”

Q15 May a library routinely print circulation receipts that reveal a patron’s name, library registration number, and the title of the circulated items to distribute to patrons as a record of the transaction upon check-out?

To answer this question, look first at the state statute and then at the library’s own policy. Virtually all states and libraries that protect library patron confidentiality are concerned with disclosure to a third party, not the patron. What if the patron leaves the receipt in one of the items he or she returns? When the item is next checked out to another patron, the sub- sequent borrower of the item comes into possession of the previous patron’s receipt with name, registration number, and a list of the items the patron recently borrowed. Has the library violated the statute? The answer is no, because it was the patron who left the receipt in the item upon return. This action by the patron, even if by mistake, could be con- strued as a consensual release of information. (Most state statutes allow for the release of information subject to patron consent; see the discussion in the following section, “Exceptions: Consent, Parents, Administrative, Court Orders, etc.”) While the library arguably did not violate the privacy of the patron, sensitive information may nonetheless have been revealed.

One state legislature had the foresight to anticipate the problem this might cause and requires libraries in its state to “use an automated or Gaylord- type circulation system that does not identify a patron with circulated materials after materials are returned.”⁶⁸ Arguably this statute may still