I was invited to give testimony in front of this committee about S.71, An act relating to consumer data privacy and online surveillance.
Vermont House Committee on Commerce and Economic Development (Friday, May 1, 2026 – S.71 – Room 35 – 2:40-ish)
Jessamyn West – Library Technologist – Kimball Public Library
Thank you
In addition to my library work, I do public speaking at library conferences and have taught a workshop on Practical Internet Privacy all over the US for the past ten years (file attached). This is based on what I’ve learned in my 20+ year history of helping people with their technology problems and questions in a library setting. I can help anyone to use a computer better.
I’m here today to give you some background on what an average- or low-skills user experiences when they use technology. I am an aggressive supporter of increased privacy protection for all technology users and I think S.71 will help with that. Here is why.
I come from a library background and libraries are also aggressive supporters of patron privacy. We do this through patron education and data minimalization – for example only keeping data as long as we need to in order to do the jobs we need to do… such as keeping the information about a book a patron has borrowed ONLY until that book has been returned. After that, we don’t keep that data. We don’t need it. Patrons can make an affirmative decision to store this information, but the default is privacy.
Legislation has also helped libraries tremendously including Act 150 (S.220), An Act Related to Vermont’s Public Libraries of 2024 which expanded the confidentiality of public library records to minors aged 12 and older. This helped us help our patrons and give more privacy to people who could use it.
I think that S.71 will help Vermont help people to keep their personal data more secure and less able to be lent, sold, or otherwise transferred… or just kept and used to compile dossiers on people who, I assure you, have no idea how much information is being collected about them. Data minimalization also protects users in the event of a data breach. Here I should mention that I was one of the few people who sued Equifax in 2017 after their massive data breach, a big deal at the time and now sadly almost normal. And I won. In an Orange County court.
The great thing about Act 150, the library legislation, is that it’s simple to follow and comply with. It just brings data privacy standards for younger people in line with the way they are handled in medical settings. I don’t know if this is true for data brokers in the same way as librarians, but many of our library workers are themselves somewhat digitally divided and not sure of the privacy implications of, for example, using Instagram for the library’s social media, or having a Gmail account for the library’s email. One thing librarians do understand though, is that if you’re not paying for the product (and sometimes even if you are) then you ARE the product.
My library work is helping computer, tablet and phone users do basic things like setting up an email account, logging on to their health care portal, downloading and signing up for apps, and managing their passwords and cloud storage. I help people sign up for a lot of things and log in to a lot of things.
The level of what I call anti-privacy coercion that I see in my day to day life helping people is shocking. Every app wants access to your Contacts, your Location, your birthday, your phone number and your address. This means ads and other trackers can follow you around the internet and into your home. People do not understand that they can (sometimes) say no to giving businesses information like this. Data collectors would like them to not know this. Deceptive patterns built into software designs means that the way to say “no” to a software’s request (for your personal details) is often smaller and harder to see than the one where you input your personal data. My patrons often don’t have great eyesight. And they shouldn’t have to.
I have a patron (not saying her name because we have privacy laws in the library which say I can’t, or shouldn’t) who often comes in for help with using YouTube, which she uses to listen to music that she learns to play on piano, or which she uses as ambient music for the yoga classes that she teaches. If you go with the “default” settings on YouTube (which is also Google, which is also Nest, which is also Fitbit, which is also Waze, which is also Google Docs) it will keep track of every video you’ve watched, how much of it you watched, where you were when you watched it, what device you watched it on and what you watched next.
If you combine that with, say, your workout paths or your driving directions, or the way you set your thermostat, or the words you process, that will create a fairly complete idea of where you live, where you go, and how you like to spend your time, even how warm you like your living room. People in the library make jokes about how they talked about a thing and then saw an ad for that thing but honestly they have no idea how that all works, I have no idea how that all works…
My patron does not know any of this. She does not change the default settings on her software. She does not know how to. The default settings are all set for maximal data collection for all but the most privacy-forward companies. The privacy settings are often hidden layers deep in menus which, at least on a computer, can be really hard for people to access (if they even know they exist) especially people with poor motor skills which also describes many of the people I help at the library. You shouldn’t need really good eyesight or really steady hands to be able to keep your personal information private.?
We know through research and journalism that even websites and companies which say they are not tracking people are often tracking people and we only find out through lawsuits. They just lie. There is no real penalty for lying.
One role of government can be to protect people who are not necessarily privacy warriors from having their consent violated and their personal information collected, collated, and shared. Businesses should not really have been doing this level of privacy violation in the first place; telling them to “dial it back” should be an acceptable thing which legislators can do, a small but important step.
This is not just about Vermont. In this age of extreme concern that private data is being used by public and private entities in government to do things like put people in private prisons, disenfranchise people of color, or control women’s access to healthcare and their own reproductive rights, this is not only the least we could be doing to keep people’s civil liberties intact but also make a statement that privacy is important and Vermont cares about that. Thank you for your time.