Libraries Protecting Privacy on Social Media Sharing Without " Oversharing ”

Libraries have increasingly adopted social media as an integral means of connecting with their users. However, social media presents many potential concerns regarding library patron privacy. This article presents the findings from a study of how librarians and library staff perceive and handle issues of patron privacy related to social media marketing in libraries. The study reports the results from a mixed-methods online survey, which used a nonprobability self-selection sampling method to collect responses from individuals employed by libraries, without restrictions on position or library type. Nearly three-quarters of respondents reported working in libraries that have either an official or unofficial social media policy. Approximately 53% of those policies mention patron privacy. The findings suggest that many respondents’ views and practices are influenced by the perception of the library’s physical space and social media presence as public places. The findings also suggest a lack of consensus regarding the extent of the library’s obligation to protect patron privacy on library social media sites and what would constitute a violation of privacy.


Introduction
Social media has become an essential means of connecting with others, which makes it particularly useful to libraries as a tool for user outreach and engagement.However, social media also challenges the library profession's principles and practices related to privacy by encouraging users to make their private lives public and by blurring the boundaries of acceptable information-sharing.As libraries adopt social media for marketing and outreach, the Pennsylvania Libraries: Research & Practice Libraries Protecting Privacy on Social Media palrap.orgused to describe library services that incorporate social technologies, discussed privacy beyond a brief mention and even fewer actually proposed solutions for addressing privacy issues (p.35).
Still, a dialogue has begun to emerge over how libraries should view and protect privacy in the age of the social web.A number of scholars have articulated concerns about incorporating elements of social media into library websites and systems that may necessitate collecting personal information (Anderson, 2008;Cvetkovic, 2009;Fernandez, 2010;Stuart, 2012).These concerns typically stem from the clear disparities between a library's mission and that of third-party partners.Fernandez (2010) warned that social media companies "are not simply neutral spaces for libraries to place outreach materials in, but websites controlled by companies who seek to maximize the amount of personal information contained in them" (p. 6).Others have raised concerns about libraries or librarians "friending" users, which provides access to their personal information (Ahmed, Edwards-Johnson, Antell, & Strothmann, 2013;Connell, 2009;Dickson & Holley, 2010;Sachs, Eckel, & Langan, 2011).Similarly, Ponelis (2013) discusses the potential for social media users to unintentionally share information about themselves that a library could see.Carson (2010) warns of possibly violating the right of publicity and recommends that libraries avoid using photos in which an individual can be easily identified unless they receive consent.Generally, views expressed about privacy and social media in library literature seem to reflect the value placed on the relationship between the library and its users.As Gorman wrote, the bond of trust between libraries and library users is a precious thing and one that we should do our best to preserve.In the face of the onslaught of technology, it is more than ever important to preserve human values and human trust so that we can demonstrate that we are, above all, on the side of the library user and that user's right to live a private life.(2000, p. 157).

Social Media Marketing Challenges to Protecting Patron Privacy
Social media complicates patron privacy protection by providing a communication channel that emphasizes public, widespread broadcast of information.Messages communicated via social media have no analog to traditional forms of communication in terms of privacy, due to their vast accessibility and the de facto permanence of the content shared.In other words, libraries have no other platform by which messages can be spread so widely and so persistently.
For example, there is a critical difference between publishing a patron's photo in a library newsletter distributed in print at the circulation desk and publishing a patron's photo via a library social media account.An online newsletter distributed through social media provides more potential for downstream re-use and distribution of photos in unintended and unauthorized ways, yet use of photos in social media marketing may not be included in existing policies.
Social media, and the Internet in general, has facilitated the exponential growth of personal information readily available to the general public.As a result, seemingly vague or harmless details about a patron shared by a library can be combined with other available anonymized data to re-identify the individual (Narayanan & Shmatikov, 2008, 2009;Wondracek, Holz, Kirda, & Kruegel, 2010).Re-identification algorithms facilitate the identification of individuals using otherwise innocuous data (Narayanan & Shmatikov, 2009).Thus, anyone with the proper skills and knowledge-individuals, government agencies, companies, and other entities-can gather detailed information about a person by linking data available online.In the past, government requests for information have shaped ALA's stance on patron privacy.However, with so much sharing on social media, government agencies may already have access to the library patron data they seek without needing to request it, and libraries could inadvertently supply some of that data.
Further complicating matters, social media users often relinquish privacy by willingly and publicly sharing highly personal, even sensitive, information.While a library cannot control what its patrons share online, it is possible Pennsylvania Libraries: Research & Practice Libraries Protecting Privacy on Social Media palrap.org to further erode a patron's privacy by re-sharing personal information the patron has posted on social media.Thus, even though it may be the patron's responsibility to know and understand the potential consequences of sharing private information publicly, re-sharing patron content on social media may still result in negative repercussions on patron privacy.

Methods
Using a mixed-methods approach, this study sought to gather data regarding library employees' perceptions of privacy issues regarding social media marketing and the expectations for their library to protect patron privacy online.A nonprobability self-selection sampling method was used to collect responses from individuals employed by libraries, without restrictions on position or library type.The Duquesne University Institutional Review Board approved the survey, which ran from July 2014 to October 2014.The survey instrument was administered online via SurveyMonkey and disseminated through multiple library LISTSERVs and selected social media groups on Facebook and LinkedIn.SPSS was used to generate descriptive statistics regarding reported social media practices, policies, and guidelines.

Survey Design
Respondents were required to confirm consent to the terms of the 46-question survey in order to proceed to the first question, but there were no other required questions.Respondents could choose to skip questions or close the survey at any point.Due to the use of skip logic, respondents only saw a portion of the questions, depending on their answers to trigger questions.The survey was composed of three sections: demographics, social media policies/guidelines, and individual perceptions of ethical issues.Privacy issues comprised a subset of ethical concerns investigated in the survey.This study reports findings from 13 questions on the survey, covering privacy perceptions, social media policies/guidelines, as well as respondent demographics.The demographics and policies/guidelines sections used nominal questions; the perceptions section used five-point ordinal scales.Additionally, 10 of the 13 questions examined in this study provided the opportunity for respondents to comment.These 10 questions generated 368 comments with an average of 37 comments per question.

Respondent Profile
There were 258 completed surveys with 57.6% of the respondents employed by academic libraries and 35.4% employed by public libraries (Figure 1).Over 66% of respondents identified as librarians (Figure 2).The overwhelming majority of respondents used social media daily (Figure 3).

Limitations
Because the study used self-selective sampling, the population of respondents may not be statistically generalizable to the entire field of library professionals.All survey questions referenced either the respondent or the library, except one that asked whether content posted to social media by "library staff" required approval.Review of the corresponding comments suggested that respondents' differing interpretation of the meaning of "library staff" influenced their answers to this question.For example, some distinguished between "staff," librarians, and administrators.
The fact that the majority of respondents indicated that they are active social media users likely affected their personal and professional opinions regarding expectations for privacy on social media.Additionally, concerns about the length of the survey led the authors to limit the number of survey questions that presented privacy scenarios.Thus, the included privacy questions depicted generalized scenarios.The lack of specificity of these questions elicited a variety of comments, indicating that respondents' answers would vary depending on their interpretation of the scenarios presented.

Results
A key goal of the study was to determine whether respondents' libraries had any form of social media policy or guidelines and whether existing policies addressed patron privacy.The survey included questions about other ethical issues regarding social media marketing in libraries besides patron privacy; however this study reports the findings related to patron privacy only.

Social Media Policies and Practices
The survey first asked whether the respondent's library had an official social media policy.Respondents answering no to this question were asked whether their library had an unofficial policy or guidelines.Neither of these

Pennsylvania Libraries: Research & Practice
Libraries Protecting Privacy on Social Media palrap.orgquestions was shown to respondents who indicated that their library did not use social media for marketing.A total of 170 respondents indicated that their library had either an official (N=89) or unofficial (N=81) policy.

Required Approval for Posting to Social Media
Approximately two-thirds of the 230 respondents indicated that content posted by library staff to library social media pages did not require approval; however, in the comments, they noted strategies that their library employed to ensure the appropriateness of social media postings as well as the practice of monitoring the content of replies to posts.
Themes identified within the 67 comments included: (a) using common sense, (b) formal and informal consultation, and (c) filtering.Many respondents indicated that a limited number of trusted individuals are authorized to post, while some stated that, though only one person can actually post, others can submit posts to that individual (filtering).The most frequently reported strategies for developing consensus and best practices were: • working in teams and committees, • training individuals designated to post, • following institutional umbrella policies, • developing informal guidelines, • using collaborative decision making, and • seeking input or approval on a case-by-case basis.

Decision Making Authority and Practice
Respondents who confirmed their library had either official or unofficial social media policies/guidelines were asked a series of follow-up questions.The data revealed three decision-making practices: (a) administrative authority, (b) delegated authority, and (c) collaborative decision-making by committee or group.Collaborative decision-making accounted for over 40% of the responses (Figure 4).Many respondents reported using guidelines promulgated by an authority: public libraries referred to a local administration or an umbrella organization, such as city or county; while academic libraries cited institutional guidelines.Some respondents referenced internal task forces or committees having created their library's guidelines.Just three comments referenced solo decision-making, only one of which referred specifically to the social media manager as the decision-maker.

Addressing Patron Privacy in Social Media Policies
Respondents who indicated that their library had either an official or unofficial social media policy were asked whether that policy addressed patron privacy.Of the 165 respondents who answered this question, over 53% (N=88) answered affirmatively.77 respondents said their policies did not address patron privacy, including one who commented that this omission was of no consequence, because "we don't ever get close to impacting patron privacy." Strategies for addressing privacy mentioned in comments include policing commenting on social media sites and having a takedown policy.Of 26 comments, nine mentioned practices related to using photographs in which patrons "can be recognized or identified."Several respondents commented that their library requires patron permission before posting photographs, one mentioned a "separate photography policy related to patrons," and another stated that the library never shows children's faces in posts.Interestingly, in five comments, respondents said they did not know whether their library's guidelines addressed patron privacy at all.

Privacy Perceptions
Following questions related to policy, the survey shifted focus to individuals' perceptions of privacy issues.
Skip logic was not used for the questions in this section; thus, all respondents were shown these questions.Descriptive statistics were again used to report library professionals' opinions regarding whether patron privacy could be considered compromised in specific scenarios.

Patron Personally Identifiable Information
Respondents were asked to indicate their level of agreement with the statement: "A library compromises patron privacy if it includes a patron's personally identifiable information (full name, email address, username, etc.) in a social media post."Roughly three-quarters of respondents said they "agree" or "strongly agree" that patron privacy would be compromised in the scenario, while 7.8% disagreed and 16.7% selected "neither agree nor disagree" (Figure 5).Respondents cited many qualifications to their responses via comments.They noted consent, the type of personally identifiable information disclosed, who initially disclosed the information, and the nature of a social media post as factors in determining whether a patron's privacy would be compromised.
In 32 of the 61 comments, respondents said that they would only reveal personally identifiable information about patrons if they first received permission from the patron.Some described using waivers, others used informal measures like requesting permission via email.Only one respondent said as long as the patron was aware of his/her name being shared via social media, that patron's privacy would not be compromised.
Some respondents also drew a distinction between including a patron's name in a library social media post versus including a patron's social media username or email address.Fourteen respondents commented that including a patron's social media "handle" simply fits with the culture of social media.Several respondents indicated that replies to patron tweets or patron comments on a library's social media page, which would necessarily include the patron's username and sometimes real name, would be acceptable.
Similarly, 15 respondents pointed out that it made a difference who posted personally identifiable information first.For example, if a patron's name appeared on a library's Facebook page, because the patron posted messages there, the library would have no control over or responsibility for the dissemination of this personally identifiable information.Respondents who made this distinction stated it was the patron's responsibility to safeguard his/her own privacy: "If the customer actively engages on said social media with the library then their 'privacy' is subject to the ToS [terms of service] of which ever [sic] social media the interaction is occurring."On the other hand, as one respondent pointed out, libraries could avoid further disclosure of the patron's personally identifiable information by replying via email, direct message, or phone when personal information was involved.
Beyond the distinction between patron self-disclosures and library disclosures, 13 respondents asserted that the nature of the social media post that disclosed personally identifiable information was a key factor in determining whether a patron's privacy would be compromised.Respondents indicated they would need to know the purpose served by including the information in order to make a determination.For example: This would be highly unethical if the post came out of nowhere, but not so much if it were part of an interaction with the patron in question, or if it were an approved announcement congratulating the patron in question, etc.
Seven respondents mentioned contests as examples in which using a patron's name would be acceptable.One respondent noted that disclosure of the patron's name was a condition included in the terms of the library's contests.

Patron Library Use and Personally Identifiable Information
Respondents were asked to indicate to which level they would agree that patron privacy would be compromised if a library disclosed information about a patron's library use along with personally identifiable information (full name, email address, username, etc.) in a social media post.About 90% responded they would either "agree" or "strongly agree," while 8.2% selected "neither agree nor disagree" and only 1.6% selected "disagree" (Figure Posting about Library Use In the comments, respondents cited consent, the type of personally identifiable information disclosed, and who initially disclosed the information as factors affecting whether patron privacy would be compromised.However, five respondents also noted the type of library use shared along with personally identifiable information affected whether a post was acceptable.They seemed to view protecting patron privacy as strictly related to circulation records, rather than extending to other activities, such as program attendance or computer use.In this case, they based their view on the idea that a public library is a public space where patrons can only expect a limited degree of privacy.

Photographs of Patrons
Nearly 64% of respondents said they "agree" or "strongly agree" that a library would compromise patron privacy if it posted photos of patrons to social media pages without obtaining permission from the patrons.The remaining respondents split almost equally with 17.7% saying they "disagree" or "strongly disagree" with the statement and 18.4% saying they "neither agree nor disagree" (Figure 7).While one respondent noted "this is a question we struggle with," others asserted it was not always feasible or necessary to explicitly obtain permission to use patron photos in social media marketing and it was acceptable to rely instead on proxy measures, such as posting signs that photographs may be taken in the library. palrap.org

Figure 7
Posting Photographs without Consent In clarifying their responses, five respondents stated that, though they may not seek written consent for obtaining permission for posting photos of patrons, they did make an effort to obtain some form of consent.Six respondents said they posted signs at library events or in the library that informed patrons they may be photographed.
Some of these respondents noted patrons may opt out of this arrangement.A few respondents simply mentioned they typically notified patrons if photos would be taken.Some respondents conceded that obtaining patrons' permission before sharing photos of their likenesses would be ideal but said it was not always feasible to do so.
In total, 14 respondents mentioned unreasonable expectations of privacy in public spaces regarding photography in libraries.For example, one respondent wrote: "if the photos were taken in the library, and that space is public, it is generally understood that there is not an explicit privacy right -or that the patron may be photographed for library promotional use."However, others mentioned that, though a library may be in a public space, they would still ask for permission to share a photo of a patron or they would at least notify patrons that photographs would be taken.
In 15 comments, respondents acknowledged the difference between taking a "crowd shot" and a photo that focuses on one of more individuals so that they could be clearly identified.One also made a distinction between photographing adults versus children: "I would say that, if they are minors, maybe [it would compromise patron privacy].Otherwise, no.It depends on the individual library's photo policy and local laws."Comments on the legality of taking and sharing photos of patrons without permission revealed varying interpretations of the law.This discrepancy may be due in part to the differences in state and/or local law.
Finally, nine respondents specified their parent institutions, mostly universities, provided policies under which their library would be permitted to take and share photos of patrons.These institutions required all students to sign a photo release.

Pennsylvania Libraries: Research & Practice
Libraries Protecting Privacy on Social Media palrap.org

Unsolicited Comments/Replies to Patrons
Approximately 44% said they "agree" or "strongly agree" that a library would compromise patron privacy if it sent unsolicited comments/replies to individual patrons on social media sites.One-third of the respondents indicated they "disagree" or "strongly disagree" that this scenario would violate patron privacy, while 22.7% responded they "neither disagree nor agree" (Figure 8).

Sending Unsolicited Comments to Patrons
Eight respondents explained their responses by stating the inherently social nature of social media entails interaction.They asserted sending an unsolicited comment or reply to a patron on social media did not compromise the patron's privacy.For example, The purpose of social media is to be social.If people are commenting about the library services on another website (not maintained by the library) then it is the responsibility of the organization to respond to the needs of the customers at the point of interaction.
Nine respondents said social media was essentially a public space and patrons could not assume what they said on social media would not be seen.One respondent said sending unsolicited comments/replies to patrons could be a teaching moment: "We've seen it as a good learning experience for patrons.If they have a public account, they should know that anyone can read and reply to their tweets, including the library."Another respondent justified unsolicited comments/replies by referencing social media sites' terms of service: "they have technically consented to all this by agreeing with the terms of the social network when they created an account." Taking a slightly more cautious approach, 16 respondents found it acceptable to comment on or reply to a patron's post only if the patron had mentioned the library in some way.Multiple respondents indicated that they routinely monitored the social media sites they used for mentions of the library.
Five respondents emphasized the nature or purpose of the library's comment or reply to a patron made a difference in terms of safeguarding patron privacy.One respondent differentiated between "marketing" and "relationship building."Another wrote: If the library finds a patron complaining about the library via search, I think that there are appropriate and inappropriate ways of responding to those kinds of posts.If possible, the library might try to follow up with that patron privately rather than publicly commenting or replying.
Generally, these respondents alluded to social etiquette and determining which interactions a patron may or may not welcome.

Following Patrons with "Private" Social Media Accounts
Finally, roughly half of respondents (51.6%) said they "agree" or "strongly agree" that a library would compromise patron privacy if it requested to "follow" a patron whose user profile was private on a social media site.
The remaining responses were divided between "disagree" or "strongly disagree" and "neither agree nor disagree" (Figure 9).

Figure 9
Following a Patron Whose User Profile Is Private Respondents' views were mixed on following patrons whose profiles were private.Some found the matter clear cut: "An organization cannot make a request to follow a private profile.It's not an option."Six respondents pointed out how following private profiles seemed "creepy" and may be unwelcomed by patrons.One respondent wrote it would not necessarily violate patron privacy, but it could result in privacy violations down the line if the library "shares content a user deems private or engages in a public conversation that the patron would prefer to be private."Five respondents noted their library did not follow patrons at all.
Still, 12 respondents argued a patron could always decline the library's request to follow their private profile.
In this case, respondents reasoned, it should not be considered a violation of the patron's privacy.Six respondents stipulated they may follow a patron with a private profile if the patron followed the library first.

Pennsylvania Libraries: Research & Practice
Libraries Protecting Privacy on Social Media palrap.org

Discussion
In a broad sense, libraries protect the confidentiality of patron information not only to avoid lawsuits, but because The library profession has a long-standing commitment to an ethic of facilitating, not monitoring, access to information…Everyone (paid or unpaid) who provides governance, administration or service in libraries has a responsibility to maintain an environment respectful and protective of the privacy of all users.(American Library Association, 2014b, Responsibilities in Libraries section, para.

1)
Moreover, librarians have long understood both the desirability of presenting a consistent image or "brand" and the obligation to ensure only vetted and appropriate patron information is shared.For example, many libraries have policies that require staff to refer inquiries from the press or legal authorities to a specific individual, either a high level administrator or the person in charge of public relations.Another common practice is only designated library employees may issue press releases or represent the library in conversations with their boards, potential funders, law enforcement agencies, and the community.
However, the survey responses suggest that the value of similar policies, which can document both the responsibilities of a library and its patrons in regard to protecting patron privacy, may seem less obvious relating to social media.Libraries' use of social media for marketing may still be new enough that the need for a policy has not yet become apparent, particularly if administrators do not use social media themselves or delegate the work to others without fully comprehending the potential risks.
There are other possible scenarios that might explain why only 89 of 230 respondents working in libraries that use social media for marketing reported having formal social media policies or guidelines.For example: • Libraries may lack official social media policies or guidelines due to the size and affiliation of the library.In very small libraries, frequent communication and close interaction among staff may lessen the perceived need for a formal policy or guidelines.Academic libraries that are part of a larger institution and public libraries that are part of larger system may be covered by an "umbrella" policy, and thus, have no need or authority to create local policy.
• When a highly trusted person is responsible for social media, particularly an administrator, a policy may seem unnecessary, since decisions are made at a high level.
• Those charged with posting to social media may not be perceived (or see themselves) as performing functions related to cultivating and protecting the library's image or protecting the privacy of patrons.Instead, they may be perceived as requiring a skillset centered primarily on facility with the technology and familiarity with library programs, services, and collections.
Survey responses revealed a lack of consensus regarding perceptions of patron privacy and social media marketing.Part of this inconsistency can be explained by the qualifications that respondents offered in their comments, which demonstrated more nuanced views of the scenarios presented.Respondents frequently reiterated the culture of social media often sanctioned the actions described in the survey's privacy scenarios.This belief may result from a view of social media as a distinct mode of outreach where privacy-related procedures associated with traditional public relations and marketing do not apply.Responses seemed to recognize their obligation to protect patron privacy but also seemed to believe certain circumstances trump traditional privacy concerns.For example, many respondents distinguished between including patrons' names versus usernames or email addresses in library social media posts.
They viewed including a patron username as an ordinary, perhaps necessary, part of using social media.However, only one respondent acknowledged that usernames and email addresses may provide an even greater degree of personal identification than a name.
While many respondents emphasized that securing consent from patrons in the scenarios presented in the survey would prevent violating patron privacy, none mentioned the need to establish guidelines or forewarn patrons through a published privacy policy about how the library would use their personally identifiable information.
On a related note, while some respondents appeared to be certain of potentially violating patron privacy by taking photos without formal consent, others dismissed the idea by pointing to the library as a public place.In reality, photography and right of publicity laws vary state by state (Carson, 2008), and many libraries' practices are governed by the policy of a parent institution.
Respondents frequently downplayed the library's role in protecting patron privacy on social media, emphasizing instead patrons' responsibility in safeguarding their own privacy.This attitude seems to ignore the role libraries could play in educating patrons about effective privacy management and generally modeling privacy-savvy behavior.
This study's findings were based entirely on survey responses, including comments about libraries' policies or lack thereof.A logical next step for future study would be to collect and analyze the content of libraries' privacy policies to determine whether they contain content that is applicable to protecting patron privacy in social media marketing and outreach.Additionally, themes expressed in this study's comments reveal diverse views on libraries' obligation to protect patron privacy beyond circulation records.Further study is needed to establish the prevalence of these views among librarians.

Conclusion
For libraries, the concept of patron privacy most commonly refers to the confidentiality of "information sought or received and resources consulted, borrowed, acquired or transmitted" (American Library Association, 2008, para. 7).However, given the profession's efforts to position libraries as privacy advocates, librarians need to be mindful of privacy issues beyond the traditional definition.As stated in ALA's interpretation of the Library Bill of Rights, "In all areas of librarianship, best practice leaves the user in control of as many choices as possible" (2014b, Rights of Library Users section, para.2).Indeed, if the goal of safeguarding patron privacy is to ensure freedom of information and inquiry, then libraries must earn and maintain their patrons' trust.Beyond open and transparent communication with patrons, a privacy policy is one important tool librarians can use to establish trust.This study suggests, in spite of widespread adoption of social media, many libraries may still lack a social media policy in any form.As ALA recommends, libraries should "review their own privacy policies and the Library Bill of Rights as the basis for a discussion of privacy issues and pitfalls within the context of social media, and how to handle them in individual institutions" (2013, "What ethical standards" section, para 3).Libraries can use the findings of this study to further their internal discussions.However, the authors believe libraries should take the next step and adopt policies that establish basic parameters regarding patron privacy on social media, including what information is collected about patrons and how it may be used as well as patrons' choices to opt in or out of sharing this information and photos.
Patrons should feel that libraries, though often public spaces by definition, guarantee privacy to those who want it.To put it in marketing terms, libraries should "brand" themselves as privacy experts and trustworthy protectors of personal information.Documented social media privacy practices provide a powerful means of establishing a library's commitment to patron privacy in all spaces.Publicly shared patron-centric policies can also help establish a consistent image for individual libraries-and, ultimately, the library profession-that demonstrates paramount concern for patron privacy.This image can be further cultivated by providing educational outreach to patrons to help them protect their own privacy.Libraries can and should serve as responsible role models, particularly Figure 1Types of Libraries Represented in the Study Figure 2 Professional Roles of Study Respondents

Figure 5
Figure 5Posting Personally Identifiable Information

Figure 8
Figure 8 Pennsylvania Libraries: Research & PracticeLibraries Protecting Privacy on Social Media palrap.org in their professional sharing of personally identifiable patron information.Libraries should be mindful of not only what the law requires but also of the library profession's values in establishing practices to protect patron privacy.