Protecting Personal Information of Library Users

The Colorado General Assembly passed HB 18-1128 during the 2018 legislative session. This new law strengthens protections for consumers' personal data collected by government and commercial entities. It applies to all types of libraries in Colorado and took effect on September 1, 2018.

For governmental entities, the bill adds a new section to the Colorado Revised Statutes (see C.R.S. 24-73-101 et seq.). For commercial entities, which include nonprofit organizations, the bill amends a section of the law (see C.R.S. 6-1-713 et seq.). The Colorado State Library assembled a task force to study the implications of the law for public libraries, and has published a fact sheet, Protection of Personal Information of Library Users. This fact sheet provides a non-legal summary of what public libraries should consider with regard to protecting patron data and notifying affected parties of security breaches of personal information. Libraries should seek the advice of legal counsel as needed.

The new law (HB 18-1128) addresses four key areas related to the protection of personal information:

  • It provides legal definitions of personal identifying information and personal information that are addressed by the law.
  • It requires entities to develop and adopt a written policy for the disposal and destruction of personal data.
  • It requires entities to adopt “reasonable security practices” which apply to internal collection, storage, and use of personal data, as well as that of third-party vendors.
  • It requires entities to have procedures in place to investigate a potential security breach of personal information, and to provide notification to consumers and other entities in the event of a security breach.

HB 18-1128 addresses the increased security risk that comes with the growing amount of personal information being collected, stored, and used online. This new Colorado law is in alignment with the existing Colorado Library Law requiring Privacy of User Records (C.R.S. 24-90-119). It is also in alignment with guidelines suggested by the American Library Association (ALA) with regard to Patron Privacy. The ALA Privacy Toolkit and Privacy Checklists provide guidance on how to improve your library’s security practices, and can be used by library directors and technology managers to improve operations. Sample policies related to patron privacy and data disposal are included on the Colorado State Library website.

To learn more about what actions your library needs to take to be in compliance with the new law, review the fact sheet Protection of Personal Information of Library Users, and read this post from Spencer Fane LLP.

The content included in this post is for informational purposes, and does not constitute legal or financial advice. Please consult your library’s attorney with any questions about how this law applies to your library.

Crystal Schimpf