
29 Patron Data Privacy

Katie Zimmerman

Desired Result

The privacy of patrons’ reading habits has a long history as a library value.  Privacy was added to the Library Bill of Rights in 2019,[1] and privacy of library circulation records is provided for in nearly all states’ laws.[2] With eresources, however, privacy legislation has largely not kept up with technology.  Unlike traditional print circulation records, eresources are typically hosted on the vendor’s platform, and the vendor has the ability to track patrons’ use directly.  It is up to the license agreement to ensure that data collection is within the bounds that library patrons expect for their library use, is compliant with all relevant law, and consistent with library values. This should mean that individual users are not directly identifiable by the vendor, and that the vendor is prohibited from re-identifying patrons or selling or misusing usage data.[3]

Essentials of the Law

The US does not have comprehensive federal privacy legislation.  Instead, state-level laws and subject-specific federal legislation provide a patchwork of requirements and protections applicable to libraries and library patrons.  State and federal US regulations that may apply to library data are described below; however, it is frequently more helpful to refer to EU privacy law, since much of the law that influences privacy terms originates in the EU.

The European General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) is a European Union privacy regulation that has had a far-reaching impact on online privacy, and is relevant to even US-based library eresource negotiations.  GDPR applies to vendors located or doing business in the EU and to companies providing services to an individual located in the EU, or monitoring the behavior of an individual present in the EU.[4] If you have remote users accessing eresources from European locations, therefore, or are working with an EU-based vendor, GDPR will apply.  Because most eresource vendors do at least some business in the EU, and because excluding EU access is generally not desirable, most eresource vendors are familiar with and capable of complying with GDPR requirements, which also makes it a good standard to ask for, even for institutions with few ties to the EU.

The GDPR provides a broad set of privacy protections for user data: data must be collected for a legitimate purpose that is disclosed to the end user, it must be stored securely, it can only be kept as long as necessary for the specified purpose, and the end user has rights to access, correct, delete, and restrict data about themselves.[5]  The US and the EU have also negotiated a Data Privacy Framework (EU-US DPF)[6] that organizations can self-certify into, which provides a set of standards for US businesses that are consistent with EU legal requirements.  Vendors that have certified into the EU-US DPF can be looked up in a central database,[7] and their compliance with the EU-US DPF terms is enforceable under US law.  The European Commission has also adopted Standard Contractual Clauses (SCCs) that companies can use that provide standardized terms that have been certified to comply with EU requirements.[8]

The GDPR covers identifiable data relating to an individual (called the “data subject”), including name, ID numbers, location data, or physical, physiological, genetic, mental, economic, cultural or social traits of that individual.[9]  Data subjects hold a number of rights with respect to their data, including the rights to be informed about data collection, to access data about themselves, correct or erase their personal data or restrict its processing, and to receive interoperable copies of their data.[10]  Companies complying with GDPR must justify their data collection under one of six specific rationales, which include consent of the data subject, data collection necessary to performance of a contract with the data subject, and the legitimate business interests of the company, and must document those rationales for the data subject, usually in the form of a posted privacy policy.[11]  Personal data must be handled with appropriate technical and organizational security measures,[12] data breaches must be disclosed,[13] and GDPR violations are subject to significant penalties for the company.[14]

The GDPR also defines the roles involved in processing of regulated personal data: where multiple parties are contracting around the handling of personal data, one party is the “data controller” and the other is the “data processor.” The data controller is ultimately responsible for GDPR compliance, and also determines what data is collected, what the lawful basis for the collection is, and what is done with the data.[15]  The data processor is bound to only handle the personal data according to the instructions of the controller and cannot use it for any other purpose.[16]  Understanding the roles of data controller and processor is important for eresource licensing because these terms will frequently come up in GDPR-based privacy clauses and they have significant implications for the handling of library patron data.  Vendors who are seeking to use patron data for their own purposes are likely to assert that they will be the data controller for any patron data anticipated under the contract, whereas a library seeking to minimize the privacy risk to their patrons may prefer that the vendor be a data processor only.

US Privacy Law

In the US, the Federal Trade Commission (FTC) is empowered to bring enforcement actions against for-profit companies that do not comply with their own privacy policies, making companies accountable to their own posted standards.[17]  An increasing number of states have also enacted comprehensive consumer privacy laws, which impose security requirements and provide consumers in that state with various data rights, along similar lines to those described above for the GDPR.[18]  These laws will be highly relevant to libraries located in those states, and may also apply to institutions that have ties to or patrons located in those states.[19]

All fifty states also have protections in place for the confidentiality of library records.[20]  Most such laws provide confidentiality in relation to state public records laws, and provide that library circulation records maintained by a public library are exempt from public records requests.[21]  In states that narrowly limit the scope of such laws, they can be of limited relevance to eresources, such as when they are limited to records maintained by the library (rather than a third party, such as a vendor), to print circulation records, or limit public disclosure but not disclosure to third parties or misuse.  In some states and for some institutions, however, they may provide a basis for limiting the patron information that the library shares with the vendor.

Finally, while the US does not have a comprehensive federal privacy law, the US does have federal-level privacy legislation in specific subject areas.  The most likely to be relevant to libraries is the Family Educational Rights and Privacy Act (FERPA).[22]  FERPA applies to educational institutions that receive funding from the US Department of Education, and will therefore apply to most school and university libraries. FERPA covers records that are directly related to a student and are maintained by the institution or a party acting for the institution.[23] This is a broad definition and interpretations vary of whether it applies to library records, or records of eresource use.[24] Libraries at educational institutions should be aware of their institution’s interpretation of FERPA.  An eresource that requires identifying information to authenticate authorized users and also collects usage information could be regulated under FERPA and trigger FERPA requirements, for example.  Those requirements include prior consent from the student or their parent for external disclosure of the information, and the ability of the student or parent to inspect the records, both of which can be difficult to manage for eresources.

Other legislation that may apply in some situations includes the Children’s Online Privacy Protection Act (COPPA), which applies to the collection of information about children 13 years of age or younger.[25]  Libraries with younger patrons should be aware of COPPA and its effect in eresource negotiations.  Among other requirements, COPPA requires website operators to obtain parental consent prior to collecting information from children’s online activity.[26]

Desired Language

The broad patchwork of legal regulation of privacy can be daunting, but it also provides for a lot of potential guidance, and fortunately many of the sources of law follow the same general pattern.  The following model language can be used to provide a clearer understanding of the privacy practices in effect for a given eresource.

The parties hereby agree to the following terms for the protection of Personally Identifiable Information:

  • For purposes of this clause, “Personally Identifiable Information,” shall mean any information relating to any identifiable faculty member, student, employee, or other affiliated person of the Licensee (an “Authorized User”), whether directly or indirectly.  In particular Personally Identifiable Information includes: names, identification numbers including student or employee IDs, social security numbers, driver’s license numbers, credit card numbers, bank account numbers, passport numbers, any other identification number, email addresses, contact information including address and telephone number, location data, IP addresses, dates of birth, accessibility status, an online identifier, financial information, transaction logs, one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, students’ education records as that term is defined by The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and any other information that could potentially be linked back to an identifiable individual.

  • The Licensee’s privacy policy is available at [link], and shall apply to the parties and Authorized Users under this Agreement.

  • Licensor shall not use, and not allow the use of, Personally Identifiable Information for any purpose other than the  performance of services for Licensee and Authorized Users, and shall limit access to Personally Identifiable Information to Licensor’s employees and contractors who have a specific need for such access in order to perform services under the Agreement.

  • Licensor shall provide clear notice to Authorized Users prior to data collection.

  • Licensor shall cause all Personally Identifiable Information to be encrypted when in storage and when transmitted, and shall ensure that all systems in which such information is stored are maintained according to reasonable, current security standards.

  • Licensor shall ensure that Personally Identifiable Information is deleted from Licensor’s systems on a reasonable, regular basis, or as communicated by the Licensee from time to time, and that all such data shall be deleted upon termination of the Agreement.

  • With respect to any Personally Identifiable Information which constitutes students’ education records as that term is defined by The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), Licensor acknowledges that Licensee has a statutory duty to maintain the privacy of such records, that Licensor is performing an institutional service for which Licensee would otherwise use Licensee employees, and that Licensor will comply with all applicable FERPA requirements governing the use and redisclosure of Personally Identifiable Information from education records, including without limitation the requirements of 34 CFR §99.33(a).

  • Licensor shall reasonably assist Licensee as necessary in complying with requests from an Authorized User to retrieve, delete, or amend any Personally Identifiable Information relating to that Authorized User within Licensor’s systems.

  • Licensor shall promptly notify Licensee of any event that creates a substantial risk of unauthorized acquisition or use of Personally Identifiable Information or of other harm to any person whose Personally Identifiable Information is involved in the event, and reasonably cooperate with Licensee in the remediation of such event.

  • Licensor shall enforce and be responsible for compliance by all its employees and contractors with the requirements of this Amendment and all confidentiality obligations to Licensee and Authorized Users.

  • The provisions of this clause shall survive the termination of the Agreement.[27]

Tricks and Traps

Your institution’s needs and obligations around user privacy will vary.  All libraries share a commitment to reader privacy, but specific obligations may additionally apply based on jurisdiction, and governmental status or funding.  You should familiarize yourself with the privacy law in your jurisdiction and your institution’s policies.

Privacy concerns will also vary between different products and access methods.  For an eresource with an access method based on IP filtering, for example, the amount of identifying data available for the vendor to collect can be minimal: an IP address and timestamp.  That information doesn’t directly identify an individual but can become identifying when combined with other log information.[28]  In this example, it may make more sense to focus privacy language on prohibiting re-identification of individuals, combination of use data with other data sets, and external data use.  Increasingly, however, vendors are requesting more personal information in order to provide access to eresources.  This can include requiring users to register with their name and email address, or providing an optional registration in order to access additional features.[29]  Many forms of two-factor authentication also share more personal information with the vendor than you might expect.  The InCommon Research & Scholarship Category, which provides standards for federated access to eresources for most libraries, for example, requires that participants release ID attributes including name and email address for eresource authentication.[30]  The attributes used to identify a patron as an authorized user can be an anonymous unique ID number, but many vendors configure access to require identifying information.  This requires the library to release directly identifying patron information to a third-party, in a way which is not transparent or visible to the patron.  Worse, the identifying information when combined with reading history and usage logs could reveal unpublished research directions or constitute a student educational record under FERPA.[31]  Additional caution should be taken when personal information will be directly released to the vendor, and should be reflected in the contract terms between the parties.

Negotiating within the larger privacy context

Because user privacy is, at least in some jurisdictions, a heavily regulated space, many eresource vendors will have already spent considerable time and resources developing their own privacy practices and policies.  In general this is a good thing, and will mean that the vendor will have the technical and organizational infrastructure in place to protect user privacy, at least to the extent to which they are legally required.  It also, however, results in a very common tendency in vendor-provided eresource contracts to try to rely on privacy terms outside of the four corners of the contract.  Frequently this takes the form of a link to the vendor’s privacy policy.  This should be resisted for a couple of reasons.  First, it’s generally undesirable to have important provisions controlled through outside documents.  The content of the vendor’s privacy policy can be changed unilaterally by the vendor, frequently without notice or input, which does not provide a clear or stable understanding of the terms for the library.  Second, and more importantly, the vendor’s privacy policy may not do what you need it to do.  Privacy policies serve multiple functions, including compliance with mandatory disclosures, and may address multiple products, services and platforms. As a result they can be vague, disclosing many (possibly alarming) types of personal information that “may” be collected without providing any specificity about what will apply in the specific circumstances of the eresource contract.[32]  The goal of an eresource privacy clause should be to establish a clear baseline of privacy protections that will apply to Authorized Users of the licensed content, which is frequently not possible to determine just from reviewing the vendor’s privacy policy.

The model language above provides concrete baseline terms for the handling of patron data.  A good way to approach it is to start from something like this model language, and ask the vendor to review it as compared to their current practices.  It can be a hard sell to ask a vendor to change an aspect of their data security; however, if they can adjust your language to match their practices (and their practices meet your requirements), that can become a mutually agreeable part of the contract.  The model language above also includes a link to the library’s privacy policy.  If you have a robust privacy policy that describes your standard practices with regard to licensed eresources, this can be another way to reinforce your desired baseline.  It can also be a useful negotiating chip – both parties want the privacy terms to be controlled by their own privacy policy, so perhaps the reasonable thing to do is to remove references to either.

External privacy policies can also raise difficulties when the library is either subject to different legal requirements than the vendor, or is not subject to strong legal requirements but wants to provide strong user protections anyway.  If you are in the latter situation, be cautious of language that limits obligations “to the extent required by law,” which may be under-inclusive of your goals.  Many privacy policies that are designed for GDPR compliance, for example, will disclose to users a list of user privacy rights, but will not guarantee that they are available to all users, saying something like “Under the legislation applicable to you, you may be entitled to exercise some or all of the following rights.”[33]  Companies can be held accountable to the promises they make in their privacy policies[34] so they generally do not want to promise anything in them beyond the minimum legal requirements that they can be held to.  If the library wants to be able to provide a uniform set of privacy rights for their patrons, regardless of whether they are EU or California data citizens, for example, that needs to be done in the contract rather than relying on an external privacy policy.

Some vendors will also have more extensive privacy contract language available, such as a standard Data Processing Agreement (DPA),[35] or a template incorporating the EU Standard Contractual Clauses (SCCs),[36] which you may be able to use or adapt for your contract.  You should review any such language to ensure that it meets the needs and obligations of your institution.  Keep in mind that SCCs will generally not be negotiable, but additional contract language could be added to fill any gaps between GDPR compliance and the library’s needs.  An additional point of contention when dealing with GDPR-based privacy terms is who, between the parties, is the data controller, and who is the data processor.  In general, a vendor who wants to be the data controller wants to be able to use the data for purposes outside of the uses contemplated in the contract.

An additional issue that may come up occasionally is the responsibility between the parties for compliance with the Children’s Online Privacy Protection Act (COPPA).[37]  COPPA will generally not be referenced directly by name; however, if you see a reference to “children 13 years of age or younger” in a contract with a US-based company, that is a strong tell that COPPA compliance is at issue.  Many companies do not maintain COPPA-compliant infrastructure, and instead use terms of use to prohibit use of their services by the population covered by COPPA (children under 14) without parental consent.[38]  In an eresource contract, that may translate into passing the buck by attempting to require the library to warrant that parental consent has been obtained.  Since this is likely to be impossible for the library to accomplish, this language should be resisted.

Informing your users about the privacy terms

Online privacy is complicated, and communicating to your end users about their rights, negotiated protections, and exceptions to those negotiated protections can also be complicated.  Standardized privacy language is beneficial in this regard because it allows you to provide a standard set of expectations for end users when using library resources.  It’s generally advisable to explain your standard terms in a library privacy policy.  Equally, if not more important, if you agree to privacy terms that do not match your standard terms, those should be disclosed to patrons in the library’s own privacy policy.

Importance and Risk

Privacy is a long-held value of libraries, as well as an area with regulatory oversight which may or may not affect your library.  Prior to negotiating privacy terms, you should familiarize yourself with the laws that directly apply to your institution,[39] and incorporate any specific requirements into your desired contract language.  Libraries generally have a lot of public trust in their privacy standards, which should translate into corresponding care taken around patron privacy.

There are several threat models to consider when assessing the risk associated with user privacy terms.  The first is compliance risk, where the library may be held accountable by a regulatory agency or an individual for compliance with applicable laws. Libraries are, perhaps, an unlikely target for enforcement of privacy laws, but the consequences of an enforcement action can be large[40] and should be taken seriously.  With respect to eresources, this is largely covered by ensuring that vendors are held to the same standards legally applicable to the library.

The second, and most prominent, threat model for privacy risk for eresource contracts is the risk that the eresource vendor themselves will misuse the personal information of library patrons.  Some eresource vendors increasingly position themselves as “data analytics” providers,[41] and have an interest in aggregating data about users for their own purposes.[42]  For most of the 20th century, the legal threat model of most concern to librarians was use of library records for government surveillance.[43]  In more recent years, corporate and commercial surveillance have increasingly been the subject of concern,[44] with the added note that corporate surveillance records can then be obtained by the government for government surveillance.[45]  The most prominent recent example of this is the boycotts and protests surrounding LexisNexis.[46]  LexisNexis provides both highly used legal databases which are a standard product in many libraries and data brokering services selling packages of personal data to government agencies and law enforcement.[47]  LexisNexis has a contract supplying a database of personal information to the U.S. Immigration and Customs Enforcement (“ICE”), which has led to protests and calls for universities to cancel their LexisNexis contracts.[48] That the same companies that handle patron data are also aggregating dossiers of personal information to sell to law enforcement should give us pause, and a good reason to negotiate strong protections around the use of patron data via our contracts.

A third threat model that privacy language should consider is threats from third-party bad actors.  While it may also seem like libraries are an unlikely target for cybersecurity threats, the 2023 British Library cyberattack, in which British Library services were disrupted and personal data held for ransom before being publicly sold,[49] demonstrates that threats exist and can be extensive.  Risks can be minimized by limiting the amount of personal information shared with eresource vendors, and negotiating privacy terms that require vendors to maintain sufficient security measures.


  1. https://www.infodocket.com/2019/02/08/ala-new-library-bill-of-rights-provision-recognizes-and-defends-library-users-privacy/
  2. See https://www.ala.org/advocacy/privacy/statelaws
  3. See also, NISO Consensus Principles on Users’ Digital Privacy in Library, Publisher, and Software-Provider Systems (NISO Privacy Principles), 2015, https://www.niso.org/publications/privacy-principles.
  4. Regulation (EU) 2016/679, Art. 3
  5. This is a very general overview, as a full discussion would be a book in itself.  For more information on GDPR, see GDPR.eu.
  6. See https://www.dataprivacyframework.gov/Program-Overview
  7. https://www.dataprivacyframework.gov/list
  8. https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
  9. Regulation (EU) 2016/679, Art. 4(1).
  10. See Regulation (EU) 2016/679, Art. 12-21.
  11. See Regulation (EU) 2016/679, Art. 6(1), 13.  See also, GDPR template privacy policy, https://gdpr.eu/wp-content/uploads/2019/01/Our-Company-Privacy-Policy.pdf.
  12. Regulation (EU) 2016/679, Art. 32.
  13. Regulation (EU) 2016/679, Art. 33, 34.
  14. Regulation (EU) 2016/679, Art. 77-84.
  15. Regulation (EU) 2016/679, Art. 24-25.
  16. Regulation (EU) 2016/679, Art. 28.
  17. See generally https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement; 15 U.S.C. § 45, https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf.
  18. For a list of state consumer privacy laws, see https://www.foley.com/wp-content/uploads/2024/09/U.S.-State-Comprehensive-Consumer-Data-Privacy-Law-Comparison.pdf; https://www.foley.com/insights/publications/2024/09/us-state-consumer-data-privacy-laws/.
  19. For example, the California Consumer Privacy Act (CCPA) applies to “California residents,” the definition of which includes individuals who are “outside of the state for a temporary or transitory purpose.” Cal. Code Regs. Tit. 18, § 17014.  Students who are temporarily out of state for college may qualify, as would California residents who are remotely accessing eresources from California.
  20. See https://www.ala.org/advocacy/privacy/statelaws.
  21. See, for example, Massachusetts General Laws Ch. 78, §7 (“That part of the records of a public library which reveals the identity and intellectual pursuits of a person using such library shall not be a public record.”).
  22. 20 U.S.C. § 1232g; 34 CFR Part 99.
  23. 34 CFR 99.3.
  24. See, e.g., https://blog.librarylaw.com/librarylaw/2005/07/are_student_lib.html; https://www.slj.com/story/the-privacy-problem.
  25. 15 U.S.C. 6501, et seq.
  26. 16 CFR Part 312.3.
  27. Adapted from MIT Privacy Amendment for Content Vendors, available at https://docs.google.com/document/d/1fSM329qcjWaJxlxv5-SSQjDD-b_dsRsXixNJ6NSIaug/edit?tab=t.0.
  28. See, e.g., Hanson, C. (2019), User Tracking on Academic Publisher Platforms, https://www.codyh.com/writing/tracking.html.
  29. Many eresources that do not require registration provide it as an option that provides access to additional functionality, such as saving search results between sessions. Frequently, this registration will require personal information from the patron, and will require them to agree to the vendor’s privacy policy, effectively “datawalling” the additional functionality. See https://scholarlykitchen.sspnet.org/2018/10/11/from-paywall-to-datawall/. Optional registrations have the dubious benefit of being clear to the end user that the vendor will have their information, and possibly of forming a direct contract between the end user and the vendor with regard to the shared personal information, but users should not be required to give up user protections in order to access the full functionality of a product.
  30. See https://incommon.org/federation/attributes/; https://spaces.at.internet2.edu/display/federation/Identity+provider+-+support+Research+and+Scholarship.
  31. For example, consent of a parent or eligible student is required before an educational institution releases personally identifiable information about a student. 34 CFR Part 99.30.  There is an exception to this requirement for contractors acting on behalf of the institution, but only if the contractor is subject to the same rules as the educational institution with regard to student privacy. 34 CFR Part 99.31. If this information does constitute FERPA data, then it is important that the contract binds the vendor to FERPA compliance, in order for the institution to be compliant with the FERPA regulations.
  32. See, e.g. Wiley, Privacy Policy, “1. Types of personal information we process,” https://www.wiley.com/en-us/privacy, effective date July 2, 2024 (“The types of personal information that we process are determined by how individuals interact with us and the particular products and services that we provide. The types of personal information that we process include: … name, email address, … Social Security Number,... postal address,... age[,] … gender, … credit or debit card number,... work history, [and] [i]mages, such as closed-circuit television.” In reality, Wiley is (likely) not collecting most of that information from library patrons - they collect work history in the context of author information when an author submits a manuscript, they collect credit card numbers when an individual makes a credit card purchase, etc. - but because the privacy policy is written to cover all of those situations it reserves the right to collect all of it, and doesn’t limit collection to those actual circumstances. Most vendors would agree that it would be wildly inappropriate to collect most of this information simply from library patrons browsing ejournal content, but you can’t rely on the vendor’s privacy policy to say that. Pointing this out can be useful when negotiating privacy terms with a vendor that insists that their privacy policy is all that is needed.)
  33. Nature, Privacy Policy, XIV. Your Rights, https://www.nature.com/info/privacy, last updated December 18, 2024.
  34. See generally https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement; 15 U.S.C. § 45, https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf.
  35. See generally, https://gdpr.eu/data-processing-agreement/.
  36. https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
  37. 15 U.S.C. 6501, et seq.
  38. See, e.g., https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions#H.%20General%20Audience%20and%20Teen%20SItes.  For an example of this in general terms of use, see, New York Times, Terms of Service, clause 6.3, last updated May 10, 2024, https://help.nytimes.com/hc/en-us/articles/115014893428-Terms-of-Service (“You must be 13 years or older to use any part of the Services in the USA and the UK, and 16 years or older anywhere else. If you are less than 18 years of age and would like to use, subscribe or register to any part of the Services, please ask your parent or legal guardian to review and agree to these Terms of Service before you use any part of the Services or ask them to complete the purchase and/or registration on your behalf.”).
  39. For example, a public university library may be directly regulated by a state privacy law, a state library records law, FERPA, and GDPR only for some patrons.
  40. GDPR fines can range as high as €20 million, Regulation (EU) 2016/679, Art. 83; FERPA violations can result in loss of federal funding for educational institutions, 34 CFR Part 99.67; and many privacy laws also provide a private right of action, which allows private citizens to sue the institution for harm resulting from data breaches, see, e.g., Cal. Civ. Code 1798.150.
  41. Elsevier, “Who We Are,” https://www.elsevier.com/about, accessed January 2, 2025 (“We are the world’s leading scientific publisher and data analytics company.”). See also, Yoose, B. & Shockey N., Navigating Risk in Vendor Data Privacy Practices: An Analysis of Elsevier's ScienceDirect, SPARC, November 2023, https://digitalcommons.unl.edu/scholcom/265/.
  42. See Lamdan, S. Data Cartels: The Companies That Control and Monopolize Our Information. 50-71, Stanford University Press (2022).
  43. See, e.g., American Library Association, Resolution on the USA PATRIOT Act and related measures that infringe on the rights of library users, 2003, https://www.ala.org/sites/default/files/advocacy/content/intfreedom/statementspols/ifresolutions/usapatriotactresolution.pdf; Reid, M. (2009). The USA PATRIOT Act and academic libraries: An overview. College & Research Libraries News, 70(11), 646-650. https://doi.org/10.5860/crln.70.11.8288.
  44. See, e.g., Fried, E. & Kok, R., (May 9, 2022),  Welcome to Hotel Elsevier: you can check-out any time you like … not, eiko-fried.com, https://eiko-fried.com/welcome-to-hotel-elsevier-you-can-check-out-any-time-you-like-not/.  For a non-library example see Duhigg, C. (Feb. 16, 2012), How Companies Learn Your Secrets, New York Times, https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html.
  45. Gellman, R. & Dixon, P. (October 30, 2013), Data Brokers and the Federal Government: A New Front in the Battle for Privacy Opens, World Privacy Forum, https://www.worldprivacyforum.org/wp-content/uploads/2013/10/WPF_DataBrokersPart3_fs.pdf.
  46. See Sarah Lamdan, When Westlaw Fuels ICE Surveillance: Legal Ethics in the Era of Big Data Policing, 43 NYU Review of Law & Social Change 255, 277 (2019), https://socialchangenyu.com/review/when-westlaw-fuels-ice-surveillance-legal-ethics-in-the-era-of-big-data-policing/; Moody, J. (December 5, 2021), Law Students Protest Research Database Contracts With ICE, Inside Higher Ed, https://www.insidehighered.com/news/2021/12/06/law-students-protest-lexisnexis-westlaw-contracts-ice; Peet, L. (August 10, 2022), #NoTechforICE Campaign Protests Data Vendor Contracts with ICE, Library Journal, https://www.libraryjournal.com/story/notechforice-campaign-protests-data-vendor-contracts-with-ice.
  47. Id.
  48. Id. In April 2024, LexisNexis won a case in Illinois district court defending their sales of personal information to ICE.  See Maria Fernanda Castellanos Ramirez, et al., Plaintiffs, v. LexisNexis Risk Solutions, Defendant. (2024) Case No. 22 C 5384, N.D. Illinois, Eastern Division, available at https://caselaw.findlaw.com/court/us-dis-crt-n-d-ill-eas-div/116035032.html.
  49. See, e.g., Sherwood, H., The Guardian, “Personal data stolen in British Library cyber-attack appears for sale online,” November 22, 2023, https://www.theguardian.com/technology/2023/nov/22/personal-data-stolen-in-british-library-cyber-attack-appears-for-sale-online; Learning Lessons from the Cyber-Attack: British Library cyber incident review, British Library, March 8, 2024, https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf/.

License

E-Resource Licensing Explained Copyright © 2024 by Sandra Enimil, Rachael Samberg, Samantha Teremi, Katie Zimmerman, Erik Limpitlaw is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.