Managing cookies to protect patron privacy


An Educational Service of the American Library Association

Office for Information Technology Policy


Prepared by Leslie Harris & Associates in conjunction with OITP staff


Active management of cookies and other possible means of third party online data collection is critical to protecting patron privacy in the library.  As discussed in prior tutorials, many web sites, especially commercial sites, use cookies to analyze traffic and purchase patterns, and to customize users' online experiences.  Some use only "session" or "transient" cookies that track a user for a single session while other sites use "persistent cookies" that may track a user's Internet habits over an extended period of time. 


Cookies of both types may be set to capture personally identifiable information. Whether personal information is successfully obtained may depend both on the design of the web site using the cookies and on the set up of library's computer facilities.  Web sites that request personally identifiable information, such as an e-mail address, may include some of that information in a cookie.  The cookies may also include details about the user's indicated preferences for that web site. 


Libraries may unintentionally provide additional personally identifiable information that can be captured by cookies.  It often depends on how the computer login system is designed.  If the library requires users to login using library card information or their name, some cookies may capture that information.  On the other hand, anonymous login systems may thwart privacy breaches.  For example, it is not as harmful for a cookie to capture the fact that visited a particular web site than the fact that did so. 


Librarians may wish to develop cookie management policies to help ensure both the privacy and confidentiality of library users, and to protect the security of their networks.  Cookie management generally includes frequent removal of cookies from the cookie file and temporary Internet files at least once per day, and if possible, setting up computer systems so that cookies and temporary Internet files are completely erased when a user logs off the network.  Additionally, if a library uses a personal identifier for Internet users, it may want to consider avoiding the use of actual names or a library card number that can be linked to a particular person.  Libraries should also ensure that their own use of cookies (if any) is consistent with their policy for managing other cookies.


Further information:


Webopedia Definition & Links:


NYT Article "Fighting to Make a City's Cookie Files Public" on a legal battle over whether "cookie" files are public records. (Site requires registration, and cookie acceptance)


Cookie Central - Frequently Asked Questions About Cookies:


Microsoft/Internet Explorer Information on Cookies:


Netscape Tech Support, "Cookies: What They Are and How They



"A recipe for cookie management: Integrate an easy-to-use library for client-side cookie handling" (highly technical article on using java for cookie management)


Two products that advertise themselves as cookie management software are listed below. Neither LHA nor the ALA endorses them over other possible technology solutions. They are listed as examples and for informational purposes only.


Cookie Pal - cookie management software:


Cookie Crusher - cookie management software:


Copyright 2002, American Library Association, Office for

Information Technology Policy




This Online Privacy Tutorial is a service of the American Library Association. The content of this tutorial is primarily the work of Leslie Harris & Associates in Washington, DC. The views expressed in these messages are not necessarily the views of ALA or Leslie Harris & Associates. This tutorial is for information only and will not necessarily provide answers to concerns that arise in any particular situation. This service is not legal advice and does not include many of the technical details arising under certain laws. If you are seeking legal advice to

address specific privacy issues, you should consult an attorney licensed to practice in your state.