Example: “Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network. You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on.”
Storing/tracking location data
- Libraries and vendors should always strive to collect the least amount of data required to offer a service. Using GPS coordinates to target the exact location of a user can mean that person may be easily identified.
Example: “When you access or use the Service, we may access, collect, monitor and/or remotely store ‘location data’, which may include GPS coordinates (e.g. latitude and/or longitude) or similar information regarding the location of your device. Location data may convey to us information about how you browse and use the Service. Some features of the site, particularly location-based services, may not function properly if use or availability of location data is impaired or disabled.”
How trackers work
Third-party integrations for user authentication
- Many people like the convenience of using their Facebook, Google, or Microsoft account to log in to various services across the web. Sometimes these user authentication portals have embedded third-party trackers that give the platform access to a wide range of PII.
Example: “We may receive information about you from third parties. For example, the Service may use Facebook or Google for user authentication. You should always review and, if necessary, adjust your privacy settings on third-party services before linking or connecting them to the Service.”
Clear gifs/web beacons/tracking pixels
- These are transparent images embedded on websites and in emails. They are mostly used in conjunction with cookies and track user behavior across the web. They can be used in emails to notify the sender when a recipient has opened a message. Web Beacons cannot be denied or blocked like cookies. The most pervasive of them can even give over specific location data.
Example: “We use pixels to learn more about your interactions with email content or web content, such as whether you interacted with ads or posts. Pixels can also enable us and third parties to place cookies on your browser.”
Email communication (signing people up for marketing emails)
- The ideal setup for a user to access a vendor’s product through the library would be where they do not need to share their email to create an account. Their library card number and PIN should be sufficient. When this is unavoidable, it is important that the vendor use the email address sparingly and not push advertising messages to the user.
Example: “We will contact you through email, mobile phone, notices posted on our websites or apps, and other ways through our Services, including text messages and push notifications.”
Disclosure of information
Ownership of data
Example: “In the event that a division, a product or all of Company is bought, sold or otherwise transferred, or is in the process of a potential transaction, personal information will likely be shared for evaluation purposes and included among the transferred business assets, subject to client contractual requirements and applicable law.”
Example: “The security of your data is important to us but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.”
Exercise | Scavenger Hunt!
- What vendor policy did you look at?
- What red flags did you find?
- What other red flags not listed did you discover?
- What else did you find that you didn’t understand?
- Take these red flags to your vendor (or library worker that is responsible for vendor products) and ask for clarity.