Who Controls the Decision to Buy?

Institutions have a wide range of purchasing processes. Some library workers have sole discretionary power over acquisition of vendor electronic resources or software. In this case, you can choose your standards regarding privacy and refuse to purchase products that don’t meet your standards. For library workers with full control over purchasing, this guide can provide ideas of what to look for regarding privacy, and how to see if the vendor or the product meets those standards.

More commonly, a single library worker does not have complete control over purchasing. In some cases, library workers select some software and electronic resources, while other software is selected by a different part of the institution. In addition, libraries may have control of the product selection, but the purchase process may require the product being approved by another department, such as Information Technology Services (ITS), legal, or overall organizational administration or governing body. In that case, the vendor product may be held to those departments’ privacy policies and standards, which might not be as extensive as the library’s privacy policy.


Don’t know a person in the process? Wondering how to figure out who you need to convince to become a library privacy ally?

Check out the “How to Talk About Privacy” Field Guide!



Investigate the vendor selection process at your library by listing the answers below.

  1. Write the name of each library staff member involved in the vendor selection process.
  2. What is their role in the selection process?
  3. Do they consider privacy in evaluating resources?
  4. Are there opportunities to discuss with them how privacy should be part of the evaluation?

Download Exercise


If you purchase, or have access to vendor products through a consortium, ask the consortium what their privacy policy is and what standards they hold vendors to during the acquisition process.


Privacy Protections When Vendors Don’t Align

The final decision to acquire vendor products may technically be made by the library; however, the political cost of not getting a database or product may simply be too high. When a product is so popular with users, or when a powerful person in your organization (professor, administrator, board member) pushes for a product, your library may need to acquire the product despite your concerns over user privacy.

Even when you can’t control the selection of a product you feel doesn’t protect user privacy, you can still take short-term actions to protect user privacy: 

  • Educate users through website notices before they leave the library website to navigate to a vendor resource. 
  • Use library instruction sessions and library e-resource product promotions 
    as opportunities to educate users about the privacy risks of using 
    vendor products and ways they can protect their personally identifiable information (PII).
  • Advocate for adoption of aggregated metrics for internal use, particularly with software that identifies individual users. 
  • Do not retain personally identifiable information from vendor usage reports. Use aggregated totals when possible.