Legal & Professional Obligations to Protect Patron Privacy


  • HB18-1128 specifies that “a covered entity that maintains, owns, or licenses personal identifying information of an individual residing in the state shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”

  • HB18-1128 identifies personal information as “a Colorado resident’s first name or first initial and last name in combination with driver’s license numbers.”  There are driver’s license numbers contained in the Sierra patron database.

  • While HB18-1128 states that “personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media,” cybersecurity standards state that “name + DOB + Zip code” constitutes sensitive PII.


  • SB21-190 imposes “an affirmative obligation upon companies to safeguard personal data.”  

  • While this law exempts state institutions of higher education and public authorities, it does apply to “legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that control or process personal data of at least 100,000 consumers per calendar year.” Marmot, as a non-profit corporation, fits within this definition.



  • The list of protected persons whose personal information may be withheld from the internet if the protected person believes dissemination of such information poses an imminent and serious threat to the protected person or the safety of the protected person’s immediate family.

  • Protected persons include victims of domestic violence, sexual assault, and stalking; educators; code enforcement officers, human services workers, public health workers, child representatives, health-care workers, officers or agents of the State Bureau of Animal Protection, animal control officers, judges, peace officers, prosecutors, public defenders, or public safety workers.

  • "Personal information" means the home address, home telephone number, personal mobile telephone number, pager number, personal e-mail address, or a personal photograph of a protected person.

  • When working to prevent dissemination of this information, there is a chance that these individuals may not consider their library account to be a source of such information.  

Professional Obligations

“All people, regardless of origin, age, background, or views, possess a right to privacy and confidentiality in their library use. Libraries should advocate for, educate about, and protect people’s privacy, safeguarding all library use data, including personally identifiable information.”

A more extensive document outlining the application of the principles in the Library Bill of Rights to specific library services.

American Library Association Code of Ethics

“We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.”

National Information Standards Organization (NISO) Privacy Principles

“As expressed in these principles, the ALA Code of Ethics, and the IFLA Code of Ethics, libraries and librarians have an ethical obligation—and in some cases a legal obligation—to preserve users' privacy and to prevent any unauthorized collection, use, or disclosure of library users' data. … Anyone with access to library data and activity should accept responsibility for safeguarding user privacy and data security and should have training in related standards and best practices.”

Other Resources