Privacy Tool Kit




American Library Association Privacy Policies and Statements

The American Library Association has developed policies, guidelines, and resources to assist librarians in preserving privacy and confidentiality for library users.

Basic Statements

Library Bill of Rights (1948, amended 1961, 1980, reaffirmed 1996)

Freedom to Read Statement (1953; rev. 1972, 1991, 2000)

Code of Ethics (rev. 1995)

Freedom to View Statement (1990)

Library Principles for a Networked World (2003) (PDF)

Privacy and Confidentiality Policies and Procedures

Privacy Resources for Librarians, Library Users, and Families (last updated 2002)

Guidelines for Developing a Library Privacy Policy (August 2003; rev. March 2005)

ALA Issues New Guidelines for Developing Library Privacy Policy (September 19, 2003)

AASL Position Statement on the Confidentiality of Library Records (Rev. July 1999).

ALA Task Force on Privacy and Confidentiality in the Electronic Environment Final Report (July 2000).

Appendix addressing new technologies related to: Confidentiality of Library Records; Usage Tracking; Security Issues; Institutional Concerns and Developments; Library Practices; Commercial Applications

The Children's Online Privacy Protection Act

Policies and Statements about the Infringement of Users' Privacy Rights

USA Patriot Act

The USA Patriot Act in the Library

FBI in Your Library

Guidelines for Librarians on the USA PATRIOT Act: What to do before, during and after a "knock at the door?" (January 19, 2002)


Statements of Other Library and Professional Associations

IFLA, "The Glasgow Declaration on Libraries, Information Services and Intellectual Freedom," (The Hague, Netherlands: IFLA, August 19, 2002).

IFLA, "The IFLA Internet Manifesto," (The Hague, Netherlands: IFLA, August 23, 2002).

Canadian Library Association, Citizenship Access to Information Data Banks - Right to Privacy, Approved by Executive Council, June 1987.

ACM Code of Ethics and Professional Conduct, Adopted by ACM Council 10/16/92.

Software Engineering Code of Ethics and Professional Practice (IEEE)

Other Codes of Ethics for Computing and Information Sciences


Privacy Policy Guidelines and Model Policy

Guidelines for Developing a Library Privacy Policy, HTML Version (links to WORD and PDF versions)

Model Privacy Policy (August 2003; rev. March 2005)


Conducting a Privacy Audit

Conducting a Privacy Audit (August 2003)


Federal Privacy Laws and Policies

Privacy Act of 1974

The Privacy Act of 1974, 5 U.S.C. § 552a (2000), was the first official Congressional statement about the importance of privacy, generally characterized as an omnibus "code of fair information practices" that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies. The Act provides safeguards against an invasion of privacy through the misuse of records by Federal agencies and allows a citizen to learn how records are collected, maintained, used, and disseminated by the Federal Government. The Act also permits an individual to gain access to most personal information maintained by Federal agencies and to seek amendment of any inaccurate, incomplete, untimely, or irrelevant information.

Family Educational Rights and Privacy Act (FERPA): The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The main focus of FERPA is to define who can access student records. FERPA grants parents the rights until the child turns 18 years old or attends a school beyond the high school level. The Act spells out the conditions that allow schools to release records without consent to certain designated parties. Title V, section 507 of the USA PATRIOT Act amended FERPA by creating a new exception to the privacy protections.

Children's Online Privacy Protection Act (COPPA): The Children's Online Privacy Protection Act of 1998 (COPPA) (15 U.S.C. § 6501; 16 CFR 312) requires commercial online content providers who either have actual knowledge that they are dealing with a child 12 or under or who aim their content at children to obtain verifiable parental consent before they can collect, archive, use, or resell any personal information pertaining to that child. In addition, the Act requires commercial Web sites and online services covered by COPPA to place their information collection, use and disclosure practices prominently on their Web site. The law also mandates that site operators allow parents to review and delete information about their children collected by the site.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, requires the adoption of national standards for electronic health care transactions and mandates the adoption of Federal privacy protections for individually identifiable health information. The new standards went into effect on April 14, 2003, outlining the responsibilities of health care providers and the rights of patients in providing access to individual health care information.

The Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act): The Financial Modernization Act of 1999, Public Law 106-102, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions—such as credit reporting agencies—that receive customer information from other financial institutions.

Student and Exchange Visitors Information System (SEVIS): The Student and Exchange Visitors Information System (SEVIS), administered by the Department of Homeland Security in partnership with the Department of State and the Department of Education, maintains updated information on approximately one million non-immigrant foreign students and exchange visitors during the course of their stay in the United States each year. Schools are now required to report a foreign student's failure to enroll or if students drop out of their programs. Certain requirements imposed by the Family Educational Rights and Privacy Act (FERPA) are waived and conditions for employment specified.

The Electronic Communications Privacy Act of 1986 (ECPA): Analysis - The Electronic Communications Privacy Act (ECPA), Public Law 99-508, sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications. The law, which covers various forms of wire and electronic communications, prohibits unlawful access and certain disclosures of communication contents and prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure. ECPA was amended by Sections 209-212 and 216 of the USA PATRIOT Act.

Federal Trade Commission's Consumer Protection, Privacy Oversight: The Federal Trade Commission Consumer Protection Division, under Section 5 of the FTC Act, administers a privacy program in order to make sure that companies keep the promises they make to consumers about privacy and take precautions to secure consumers' personal information. The Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' personal information.

Other Federal Privacy Legislation

Cable Communications Policy Act of 1984

Communications Assistance to Law Enforcement Act (CALEA) of 1994

Critical Infrastructure Information Protection (H.R. 5005, passed November 22, 2002; Public Law 107-296)

Digital Millennium Copyright Act of 1998

Do-Not-Call Implementation Act of 2003

Driver's Privacy Protection Act of 1994

The Fair Credit Reporting Act (1970)

Foreign Intelligence Surveillance Act (FISA) (1978)

Illegal Immigration Reform and Immigrant Responsibility Act (IIRIRA) of 1996 [Requires that educational institutions collect data for the Student and Exchange Visitors Information System (SEVIS)]

Privacy Protection Act of 1980

Right to Financial Privacy Act (1978)

Telecommunications Act of 1996

Telephone Consumer Protection Act of 1991

Video Privacy Protection Act of 1988

For information on privacy-related legislation, see:

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills

State Privacy Laws and Policies

Forty-eight states and the District of Columbia have library privacy and confidentiality laws. The language varies from state to state. These laws take two forms: affirmative protection of privacy for individuals who use libraries, and exemptions of libraries from open records or freedom of information laws. Libraries are advised to rely on existing laws to control behavior that involves public safety or criminal behavior.

Privacy Laws by State

FOIA and Libraries

Open Records Requests Seeking Information Concerning Complaints About Patrons Accessing "Inappropriate" Material on Public Library Internet Terminals (May 12, 1999)


Identify Types of Requests (Court Orders, etc.)

Sample National Security Letters (PDF)
Sample FISA (Section 215) Order for Business Records (PDF)
Sample Federal Search Warrants and Subpoenas (PDF)


Confidentiality and Coping with Law Enforcement Inquiries: Guidelines for the Library and its Staff

Increased visits to libraries by law enforcement agents, including FBI agents and officers of state, county, and municipal police departments, are raising considerable concern among the public and the library community. These visits are not only a result of the increased surveillance and investigation prompted by the events of September 11, 2001 and the subsequent passage of the Patriot Act, but also a result of law enforcement officers investigating computer crimes, including e-mail threats and possible violations of the laws addressing online obscenity and child pornography. These guidelines, developed to assist libraries and library staff in dealing with law enforcement inquiries, rely upon the ALA's Policy on Confidentiality of Library Records, its Policy Concerning Confidentiality of Personally Identifiable Information about Library Users, and the Code of Ethics.