ABSTRACT: The right of having privacy is related to the safety of everybody in a society. Therefore, it is a topic that should concern everyone. In the library field, it focuses on the protection of library users' personal registration and circulation records, and establishing a safe atmosphere for intellectual freedom. The library not only provides resources and references for its users, but also has the responsibility to let users know their rights in using libraries, resources and protecting their rights. This paper summarizes the basic contents of state laws in the United States about the right of privacy, introduces the concepts of public records and personal records which includes library user records, and the exceptions and penalties related to the issue, in order to give readers a first look at U.S. laws on protecting the privacy of library users.

Having privacy is a basic right and freedom everyone in society should have and enjoy. A society will establish a steady and harmonious social environment only when personal privacy is respected and protected. Creativity and diversity only bloom when people in society have this basic right and freedom. Protecting personal information cannot be done only through ethical restrictions. It needs legislation.

Nowadays, people often use the development of economy and technology as the gauge of modernization but ignore other issues, such as establishing laws to protect themselves, the environment and the community. Society will eventually pay high cost for this oversight. For example, in the digital age, people do not realize that they have put themselves in a "transparent" environment when they use advanced technology sending and receiving information. Without protection, their privacy can be invaded and they may be harmed.

In the U.S.A., there are federal and state laws, and local laws established in accord with laws at the former two levels. The Constitution is the summit of the law in this country. Any other laws cannot be in conflict with the spirit of the Constitution. No one should be above or beyond the law. Everyone is equal before the law. The U.S. Constitution aims to "secure the blessings of liberty to ourselves and our posterity." Furthermore, the 4th Amendment explicitly states "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures."[1] The first 10 Amendments are called the "Bill of Rights", which empower citizens with protected rights in every social aspect. It has been well known since its enactment in December 1791 and become the golden shield for people to protect themselves.

Twenty years ago, only 32 states in the U.S. had the specific laws that protected the confidentiality of library users' records.[2] Today, all 50 states, except Hawaii and Kentucky, have a confidentiality statute of some kind.[3] Even in Hawaii and Kentucky, state attorney general opinions recognize the confidentiality of library records.

The individual's privacy and protecting privacy are two sides of one topic. The former concept stresses the individual's right. Individuals have the right to keep secrecy about their personal property, which includes their personal information without being inspected or under surveillance by other people or institutions. The latter concept focuses on the responsibility of society and institutions to protect people's right. Privacy involves many aspects. Protecting privacy is a complex topic. Although this article will only focus on analyzing the basic concepts of U.S. state laws related to protecting library users' personal information, it is less than a drop in the bucket of the U.S. state laws about this topic. Viewing the sections in various states' statutes about protecting library users' privacy and records reveals five basic aspects that are central to the discussion that follows:

1. How the issue of confidentiality is listed in the law;
2. Definitions of library records and private information;
3. Exceptions: under what circumstances library records can be released;
4. The right of the library in exceptions;
5. Penalty for violating confidentiality provisions of the law.

I. The confidentiality of library records in the law

Every state in the U.S. nowadays has its official web site that publicizes the state government's organization, legislation and laws, activities, services, contact information, etc. On these sites, with almost no exceptions, the state statutes or codes are essential sources for the public to find legal information to protect their own rights. In different state laws, the issues regarding the library and library records are categorized in various ways that, in general, can be summarized as:

• listed as a separate section that includes issues like planning a new library, library finance and personnel, the library board structure as well as the definition of library patron records and protection of the confidentiality of library users' personal information;
• libraries and related issues listed with other educational, cultural and historical research institutions;
• public libraries listed with other public services, and the library patron records listed as an exception in the section of the public record definition;
• listed under the Freedom of Information Act of the state and specifying the library patron's record as one type of private information that is exempt from public inspection and copying.

II. Definitions

To be enforceable, laws must define clearly and strictly what is being regulated. The content in this section will only explain some definitions related to the confidentiality of library patron records.

1. Public Records

Almost all states' statutes or codes have clearly defined "public records." So called public records are all kinds of materials, regardless of their physical form or characteristics, such as books, documents, maps, photographs, tape recordings, financial reports, statistics, and other materials or data on public issues; produced or acquired in the course of business by public agencies like states, counties, cities, townships, villages, and schools or park districts, or other subordinate organizations.

Individual salaries and benefits of the salary schedules relating to elected or appointed officials and employees of public agencies are categorized under public records as well.

Public records are open for public inspection and copying.

2. Personal information

Personal information is generally defined as the information that any organization collected from their clients, customers or users for various purposes. Although such information is saved in the organization, it is exempted from the aforementioned "public records." Some states list the personal information as a public record but it is exempt from being used by the public. Other states separate "personal records" from "public records." No matter how it is categorized, the intent is the same, that is, the personal information is confidential and should be protected.

Many states give detailed definition to personal information. For example, Massachusetts in its General Laws[4] listed 16 types of information as exemptions from the public records; under "Documents, Reports and Records" in its Revised Code,[5] Ohio defined 25 types of information that are not public records and should be protected; Vermont in its Statutes[6] specified 37 types of information that are exempt from public inspection and copying. Of the 37 exemptions, the 19th refers to "records relating to the identity of library patrons or the identity of library patrons in regard to the circulation of library materials." Different from these states that explicitly give details, some other states do not give the specific definition of exemptions which leaves room for both prosecutor and defendant to argue the issue in court and let the jury decide.

To sum up, the content of personal information includes but is not limited to: the information people give when they apply for a job; personnel information such as any files maintained to hire, evaluate, promote or discipline any employee; medical records; student records; personal financial documents, such as bank accounts, trade secrets, or tax returns; records dealing with the detection and investigation of crime; adoption contracts; any voluntary information provided by an individual, corporation, organization, or any other entity; any data, records or information developed, discovered, collected, or received by the state universities or colleges in the conduct of study, research or creative efforts on medical, scientific, technical, scholarly, or artistic matters; password codes or access codes; and any record which may only be disclosed to specifically designated persons or is designated confidential.

The confidentiality of personal information is protected by laws and not allowed to be published. The following actions are among those considered infringements of personal information:

• Sharing users' information with a third party without informing users;
• Releasing or selling users' information without informing users;
• Collecting personal information more than actually needed;
• Not explaining the policy of protecting users' information when collecting and using it;
• Installing cookies or other software to inspect users' internet activities without indicating it to users.

3. Libraries

What is a library seems very clear to people in daily life. However, before regulating the library, laws regulating library activities must clarify what institutions fall under the law's purview. In many state laws, libraries are those financed fully or partially by public money. Even a private library, if it has any project funded by public grants, belongs to this range.

For example, in the chapter 75 of its Compiled Statues[7], the State of Illinois defines the library as "any public library or library of an educational, historical or eleemosynary institution, organization or society."

Louisiana, in its Revised Statues[8], defined the library as "any library which is in whole or in part supported by public funds, including the records of public, academic, school, and special libraries, and the State Library of Louisiana".

In Missouri Revised Statutes[9], the library is "any library established by the state or any political subdivision of the state, or combination thereof, by any community college district, or by any college or university, and any private library open to the public".

Montana Code 2005[10] defines a library as one which "is established by the state, a county, city, town, school district, or a combination of those units of government, a college or university, or any private library open to the public".

The definition of the library in New Jersey Statutes[11] includes both public or private sectors: "a library maintained by any State or local governmental agency, school, college, or industrial, commercial or other special group, association or agency, whether public or private".

Oklahoma Statutes[12] identifies the library as "Any library which is in whole or in part supported by public funds including but not limited to public, academic, school or special libraries." It specifies further that the "Public Library" as "a library or library system that is freely open to all persons under identical conditions, and which is supported in whole or in part by public funds." And "Special Library" is "any library, whether open to the general public or not, that is supported in whole or in part by public funds and which comes within one or more of the following categories: (1) All libraries which are operated within or as an integral part of a publicly supported institution. (2) All libraries that cater to a special clientele. (3) All libraries that are concerned primarily with materials on a special subject."

4. Library patron's record

What library users read, search and check-out from the library falls under personal privacy. Every citizen should have such freedom and right. Libraries and librarians have the responsibility to protect their users. "Library records" are defined, for example, in the Arkansas Code,[13] as "documents or information in any format retained in a library that identify a patron as having requested, used, or obtained specific materials, including, but not limited to, circulation of library books, materials, computer database searches, interlibrary loan transactions, reference queries, patent searches, requests for photocopies of library materials, title reserve requests, or the use of audiovisual materials, films, or records," and the "library patron" as "any individual who requests, uses, or receives services, books, or other materials from a library."

In all state statutes or codes, "Library Records" are specified in the following aspects:

• Information the library requires the patron to provide in order to become eligible to borrow materials from the library which includes but is not limited to the patron's name, address, home phone number (except the home number also for business use), social security number, and other information that can identify an individual;
• Information regarding what patrons used in the library which includes any information that could identify what patrons have searched, read and checked out, copied or asked for from the reference services. Library materials are any books, journals, audiovisual materials, films, art works, records, and any collections of the library for public use;
• Information regarding what services the patron requested and used;
• Any information that can identity the aforementioned information.

The law requires that none of a patron's records collected, recorded, stored and used by the library may be released to any other institutions or person.

Clarifying what information can identify an individual is the core of protecting confidentiality of personal information. The American Library Association (ALA) Office for Intellectual Freedom has described what is personal identifiable information (PII). "It covers a greater range than ‘personal identification,' such as a driver's license." "PII connects you to what you bought with your credit card, what you checked out with your library card, and what Web sites you visited where you picked up cookies. More than simple identification, PII can build up a picture of your tastes and interests -- a dossier of sorts, though crude and often inaccurate." [14]

III. Exceptions

Although all laws state clearly that library patrons' records should be protected and should not be released to any person or institution, they also point out exceptions. In these specified circumstances, libraries can or should release their patron's records:

1. When there is a need to use patron records to examine the library operation, such as how many new people applied for a library card and used the library, and the flow of circulations. In such cases, the personal identifiable information must be deleted first before using the data;
2. To the extent that is necessary for tracking overdue or stolen materials and for collecting fines;
3. If the library has the written permission from the patron;
4. In response to an order issued by a court of competent jurisdiction upon a finding that the disclosure of such record is necessary to protect the public safety or to prosecute a crime. Under these circumstances, the following aspects should be considered:
   • if the order abides by the legal procedure for inspecting individual information;
   • if the required information is reasonably related to the case;
   • if not having such information will endanger some people or a witness's safety, disrupt official investigation, or lead to a suspect escaping from the investigation, or destroying evidence, etc.

IV. Rights of the library under the exceptions

Before the law, everyone, including both investigating and investigated sides, has equal rights. In the aforementioned situation of exceptions, the library is on the investigated side when it needs to present its patron's information to the investigator. However, the library still has certain rights in protecting its users' privacy. Many states, for example, Michigan,[15] Missouri,[16] Montana,[17] New Mexico,[18] and Nevada,[19] have listed explicitly the library's rights under such exceptions that can be summarized as:

1. Court should inform the library before sending the subpoena or other legal order to the library;
2. Library may petition the appropriate court for additional time to respond to a request for records after receiving the subpoena or other legal order;
3. Library should judge the amount of patron information that can be disclosed and release only the information that meets the request when it responds to a written order;
4. Library may appeal and be represented by counsel at a hearing at the court.

V. Penalty for violation

No library or employee or agency of a library shall be required to release or disclose library records or library patron information to any person(s) or institution(s). If this regulation is violated, a penalty will follow. The penalty explained here only applies to actions that are not deliberate disclosure or theft of personal information. They are serious offenses and will not be discussed in this article. Some states have given a clear explanation of penalty and some do not, leaving for the court to determine. The following are common kinds of penalty in state laws:

• Fines. Usually the law gives the maximum amount of fines. It varies in different states, from no more than $100 to $500 or $1,000 or $3,000, plus the cost of an attorney and court fees. For example, in Virginia, whether a writ of mandamus or injunctive relief is awarded or not, there is a civil penalty of not less than $250 nor more than $1,000. For a second or subsequent violation, such civil penalty shall be not less than $1,000 nor more than $2,500;[20]
• Treatment as a petty offense depending on the state. For example, in Colorado, any library official, employee, or volunteer who discloses personal information commits a class 2 petty offense and, upon conviction, shall be punished by a fine of not more than $300.[21] In Nebraska, a violator is subject to removal or impeachment and guilty of a Class III misdemeanor;[22]
• Imprisonment. Rhode Island stipulates that any person, firm, or corporation violating the provisions of confidentiality of personal information shall be punished by imprisonment not exceeding 6 months, or by a fine not exceeding $1,000 per violation, or both.[23] South Carolina expressly provides that the violator may be imprisoned for not more than 30 days or fined not more than $500 for the first offense, may be imprisoned for not more than 60 days or fined not more than $1,000 for the second offense, and may be imprisoned for not more than 90 days or fined not more than $2,000 for the third or subsequent offense.[24]
• Other penalties. Some states leave the penalty to the court based on the victim's situation, such as New Mexico where any violator of the Library Privacy Act shall be subject to civil liability to the victim for damages and costs of the action as determined by the court.[25] Georgia state laws provide that a person disclosing library patron records shall not be liable.[26] In Nebraska, the violator shall be subject to removal or impeachment.[27]

The development of the Internet has added new concerns about how to protect the confidentiality of people's privacy and secure their personal communications. At the beginning of the new millennium, the U.S. Federal government has taken the lead on new legislation regarding protecting the confidentiality of personal records in the web environment. One of them is "Wire and Electronic Communications Interception and Interception of Oral Communications"[28] which has clearly defined protecting personal privacy and the confidentiality of personal information from interception and disclosure in the electronic era. Following the Federal laws, states have established or will amend the local laws to address the same issue.

Protecting library users' records is at the heart of library services. The library earns the public trust through protecting and representing its users' rights and privileges. Like other institutions, the library collects users' information. Therefore, respecting and protecting the users' records is an important issue on the library's agenda. Librarians need to know their library's policy and procedures as well as their state's regulations on the confidentiality of personal information. To effectively protect the security of library user records, the library should consider at least these issues when drafting a policy:

• The information that needs to be collected from the library user (collect only needed information, the less the better);
• The usage of the library users' information;
• The potential institutions/agencies to which the library users' personal information might possibly be released, and the kind of rights the library should have when having to disclose users' personal information;
• The policy and procedures for users to be able to check and correct their own information in the record;
• Users' options in collecting and releasing their personal information;
• Safety and security of the library electronic system;
• Deletion of obsolete users' information on a regular schedule;
• Removal of personal identifiable information when using library records for statistics or inspecting library operations.

A good law cannot protect people's rights by itself. Institutions are needed to enforce the law. And people should be able to seek the necessary information, find the help and detect violations. Otherwise, the law is only a viewable but untouchable "mirage." In the U.S., agencies such as the Federal Office of Information and Regulatory Affairs, offices in states for information security and privacy protection, and courts at different levels, are the channels for people to find the needed information and bring their concerns and cases for justice. In addition, almost every professional and social organization, including libraries and the library associations, has policies specifically addressing the issue in each discipline and profession. On the whole, the laws with the support from society form and enhance a legal environment for protecting people's rights. In such a situation, it is possible to approach a harmonious and livable social atmosphere for people.

The Privacy Tool Kits created by the Office of Intellectual Freedom of the American Libraries Association for libraries has declared that "Confidentiality of library records is a core value of librarianship."[29] It is one of the ethical values of the library profession. The Office's guidelines[30] provide policies and procedures in every aspect for the library to protect its patron's privacy. Protecting library patron's personal information is the library profession's responsibility as well as special contribution to society and to the public we serve.

[1] Cornell University Law School. United States Constitution: Bill of Rights. http://www.law.cornell.edu/constitution/constitution.billofrights.html#amendmenti

[2] Million, A.C. & Fisher, K.N. (1992). Library Records: a Review of Confidentiality Laws and Policies, The Journal of Academic Librarianship, 11(6), 346-349.

[3] American Library Association. (2006). Questions and Answers on Privacy and Confidentiality. URL: . (Accessed on 10 October 2008).

[4] Commonwealth of Massachusetts. Title I: Chapter 4: Section 7: Clause 26: Public records, General Laws of Massachusetts. URL: http://www.mass.gov/legis/laws/mgl/4/4-7.htm. (Accessed on 10 October 2008).

[5] Lawriter LLC. (2008). Releasing library record or patron information, Ohio State Revised Code. URL: http://codes.ohio.gov/orc/149.432. (3/16/2007)

[6] The State of Vermont Legislature. (2008). Title 01: Chapter 5: Section 317: Definitions; public agency; public records and documents, Vermont Statutes Online. URL: http://www.leg.state.vt.us/statutes/fullsection.cfm?Title=01&Chapter=005&Section=00317. (Accessed 10 October 2008).

[7] The Illinois General Assembly. Library Records Confidentiality Act, Illinois Compiled Statues, 75 ILCS 70. URL: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=1004&ChapAct=75%26nbsp%3BILCS%26nbsp%3B70%2F&ChapterID=16&ChapterName=LIBRARIES&ActName=Library+Records+Confidentiality+Act%2E. (Accessed 10 October 2008).

[8] The Louisiana State Legislature. Registration records and other records of use maintained by libraries, Louisiana Revised Statues, 44-13. URL: http://www.legis.state.la.us/lss/lss.asp?doc=99640. (Accessed 10 October 2008).

[9] Missouri General Assembly. Disclosure of library records, definitions, Missouri Revised Statutes, Title.11: 182-815. URL: http://www.moga.mo.gov/statutes/C100-199/1820000815.HTM. (Accessed 10 October 2008).

[10] The State of Montana. (2007). Title 22: Chapter 1: Part 11: Library Records Confidentiality Act, Montana Code Annotated - 2007. URL: http://data.opi.state.mt.us/bills/mca_toc/22_1_11.htm. (Accessed 10 October 2008).

[11] New Jersey Legislature. (2001). Definitions of "Library record". NEW JERSEY STATUTES ANNOTATED, 18A:73-43.1. URL: http://www.njstatelib.org/LDB/Library_Law/lwstlibr.php. (Accessed 10 Oceober 2008).

[12] Okahoma Legislature. Disclosure of records. Oklahoma Statutes 65-1-105. URL: http://webserver1.lsb.state.ok.us/OK_Statutes/CompleteTitles/os65.rtf. (Accessed 10 October 2008).

[13] The Arkansas General Assembly. Confidential library records, Arkansas Code: Title 13-2-701. URL: http://www.arkleg.state.ar.us/NXT/gateway.dll/ARCode/title11887.htm/subtitle11889.htm/chapter11949.htm/section11950.htm. (Accessed 10 October 2008).

[14] ALA Office for Intellectual Freedom. Privacy: an interpretation of the Library Bill of Rights. URL: http://www.ala.org/ala/aboutala/offices/oif/statementspols/statementsif/interpretations/privacy.cfm. (Accessed 10 October 2008).

[15] Michigan Legislature. (2007). The Library Privacy Act. URL: http://www.legislature.mi.gov/(S(e3ofcf553nniv0uayf3wznil))/mileg.aspx?page=getobject&objectname=mcl-Act-455-of-1982&query=on&highlight=Library%20AND%20Privacy. (Accessed 10 October 2008).

[16] same as 9.

[17] same as 10.

[18] State of New Mexico. (1978). Library Privacy Act: defintions: patron record, New Mexico Statutes Annotated 1978: 18-9-3. URL: http://www.conwaygreene.com/nmsu/lpext.dll?f=FifLink&t=document-frame.htm&l=query&iid=51f9760d.77fc416f.0.0&q=%5BGroup%20%2718-9-3%27%5D.(Accessed 10 October 2008).

[19] Nevada Legislature. Public Records. Nevada Revised Statutes: 239.013. URL: http://www.leg.state.nv.us/nrs/NRS-239.html. (Accessed 10 October 2008).

[20] Virginia General Assembly. Virginia Freedom of Information Act, Code of Virginia: 2.2-3700. URL: http://leg1.state.va.us/cgi-bin/legp504.exe?000+cod+2.2-3700. (Accessed 10 October 2008).

[21] Colorado General Assembly. Privacy of user records, Colorado Revised Statutes: 24-90-119. URL: http://www.michie.com/colorado/lpext.dll?f=FifLink&t=document-frame.htm&l=query&iid=47976a31.2a7b16e4.0.0&q=%5BGroup%20%2724-90-119%27%5D. (Accessed 10 October 2008).

[22] Nebraska Legislature. Records which may be withheld from the public; enumerated, Nebraska Revised Statutes: 84-712.05. URL: http://uniweb.legislature.ne.gov/LegalDocs/view.php?page=s8407012005. (Accessed 10 October 2008).

[23] Rhode Island General Assembly. Video, audio and publication rentals, General Law of Rhode Island: 11-18-32. URL: http://www.rilin.state.ri.us/statutes/title11/11-18/11-18-32.htm. (Accessed 10 October 2008).

[24] South Carolina Legislature. Records identifying library patrons as confidential information; disclosure, South Carolina Code of Laws: 60-4-10. URL: http://www.scstatehouse.net/code/t60c004.htm. (Accessed 10 October 2008).

[25] State of New Mexico. (1978). Library Privacy Act: Violations: civil liability, New Mexico Statutes Annotated 1978: 18-9-6. URL: http://www.conwaygreene.com/nmsu/lpext.dll?f=FifLink&t=document-frame.htm&l=query&iid=51f9760d.77fc416f.0.0&q=%5BGroup%20%2718-9-6%27%5D. (Accessed 10 October 2008).

[26] Georgia General Assembly. Confidential nature of certain library records, Georgia Unannotated Code: 24-9-46. URL: http://www.legis.state.ga.us/legis/2003_04/gacode/24-9-46.html. (Accessed 10 October 2008).

[27] See 22.

[28] United States. Interception and disclosure of wire, oral, or electronic communications prohibited, U.S. Code: 18-I-119. URL: http://www4.law.cornell.edu/uscode/html/uscode18/usc_sup_01_18_10_I_20_119.html. (Accessed 10 October 2008).

[29] ALA Office of Intellectual Freedom. Privacy Tool Kit: Introduction. URL: http://www.ala.org/ala/aboutala/offices/oif/iftoolkits/toolkitsprivacy/introduction/introduction.cfm. (Accessed 10 October 2008).

[30] American Library Association. Confidentiality and Coping with Law Enforcement Inquiries: Guidelines for the Library and its Staff. URL: http://www.ala.org/ala/aboutala/offices/oif/ifissues/confidentiality.cfm. (Accessed 10 October 2008).