Understanding Commonly Used Phrases and Terms


“Personally identifiable information” vs. “Non-personal information”

  • Personally Identifiable Information (PII) is information that can be used to identify a specific person. Some examples of PII include: name, Social Security number, birthdate, government issued ID number, financial account numbers, or contact information (email, phone number, address).
  • Non-personal information will often include what operating system is being used, user analytics (what pages are visited or time spent on a page), device ID, and IP address.

“Information we collect” vs. “Information you give to us”

  • In order to use a service, including the library, we often have to give over at least one piece of personal information. When someone signs up for a library card the information they give to us may include their name, address, and phone number. They are aware that this information was collected as they were part of the transaction.
  • When an organization uses the phrase “Information We Collect” they are often talking about information that they gather without the user directly giving it to them. This may include a user’s IP address, what operating system they’re using, borrowing history, websites visited, search history, etc. Users are often unaware this information is being collected, and its collection is usually a condition of use. In a privacy policy, this information most often falls under the “non-personal information.”


A piece of data that might be considered non-PII in one state or country could be considered PII in another based on local laws. Also, multiple pieces of data considered non-PII may still be used to identify someone.



Most privacy policies will talk about collecting cookies. These are small text files placed on a user’s computer that collect personal data. This allows the website to recognize the user each time they return. Cookies can capture user settings, email addresses, and other personalization settings. It’s important to know the difference between types of cookies so you can fully understand the privacy policy.

  • Session or temporary cookies are only active while the user is browsing the site and are deleted when the browser is closed. For example, they may be used to retain items in a shopping cart.
  • Permanent or persistent cookies remain active even after a browser has been closed. They may store a username, password, or personalization settings. Persistent cookies can also be used to track a user’s interaction with the website.
  • Third-party cookies are tracked by websites other than the one you are visiting and are most commonly used by advertisers and social media companies. They can track spending habits, online behavior, and demographics. If you’ve ever looked up something on one website and then saw advertisements for it on other sites you visited, it’s because of third-party trackers.


  • This often-vague term is used in most privacy policies. Many companies want to share at least some user data externally. A third-party entity might be used for data analytics, customer relationship management, or even advertising. Since library use data is protected to some degree by laws in most states, it is important to ask vendors what information is shared and with whom the information is shared including third-party entities. You might understand and feel confident in the data security practices of your vendor, but do you have that same confidence in a third party?


Hope you’re hungry for more cookies! The cookies listed in this guide are just a few of the flavors available. To learn more about cookies, check out this guide from HTML.com https://bit.ly/MoreWebCookies


“Affiliated businesses” 

  • Many businesses have direct financial ties to other businesses. Two companies are considered affiliated when one is a minority shareholder of another. Privacy policies may state that user data is shared with “affiliated businesses.” This is not usually considered selling user data, even though your library user’s information may be shared with an outside entity you did not contract with. Ask vendors to disclose what information is being shared and with whom.

“Combine data” or “Data broker”

  • Whenever we go online data is collected about us. This data could be everything from our shopping habits to what sites we frequent to which specific ads we’ve clicked on. Data brokers combine this data to create user profiles. Profiles are sold to other companies that allows them to send targeted marketing. If a vendor uses trackers or certain cookies, it’s important to find out if that information is being compiled and shared with data brokers.

“Opt-in” or “Opt-out”

  • The American Library Association’s “Privacy: An Interpretation of the Library Bill of Rights,” states “...users should have the choice to opt-in to any data collection that is not essential to library operations and the opportunity to opt-out again at any future time.” Ideally, we want library users to have the choice when it comes to what data is collected and how it is used. If you see that a vendor’s privacy policy has the default set to “opt-out,” meaning the user has to manually choose to exclude themselves, ask them if it can be changed to reflect the library’s commitment to privacy by making the default “opt-in.”

“Consent” or “Explicit/informed consent”

  • Consent is a tricky concept online. Many websites say that they get a user’s explicit or informed consent. However, that often just means ticking a box when registering for an account. A user is generally considered to have given their “regular” consent just by using the website. Most often, users have given their consent to a wide range of tracking just by opening up a website.