OCLC and US State Privacy Laws
New U.S. state privacy laws are coming into effect on a regular basis. As a non-profit corporation, OCLC is not subject to most U.S. state privacy laws. Nevertheless, the privacy principles common to all such state laws, such as processing data only for the purposes for which it was collected and honoring consumers’ rights not to have their personal data resold to third parties, are already honored in OCLC’s privacy practices. For more information, please see our Privacy Statement or email [email protected] with questions.
Information about OCLC and Colorado, Maryland, Minnesota, and New Jersey privacy laws is available below.
Additional information on OCLC’s technical and organizational measures relating to privacy can be reviewed at this page.
Global Privacy Program
OCLC’s privacy program is managed by its global legal staff, which has primary responsibility for safeguarding personal information. In addition, an enterprise data governance body has been established and reports to executive management. The program maintains certifications under the ISO/IEC 27018 and 27701 standards, which mandate internationally recognized practices for the protection of personal information. OCLC has established internal privacy and information security policies, which govern how we store and safeguard personal information, securely dispose of it, handle privacy-related inquiries and requests, manage privacy-related incidents, and comply with legal requirements in various jurisdictions worldwide.
Maintenance and Use of Personal Information at OCLC
For U.S. customers, OCLC stores personal information encrypted at rest in data centers located in the United States. Its technology infrastructure staff is supported by its global information security team, which monitors for and resolves security incidents. Incidents which may involve the misuse or disclosure of personal information are referred to the legal team, which is responsible for investigating and resolving privacy incidents. Role-based access to personal information is required for OCLC staff providing services directly to customers or maintaining software services. All employees worldwide take annual privacy training on OCLC’s standards and practices, and are required to comply with internal rules for the safe handling and limited use of personal information.
Destruction of Personal Information at OCLC
All personal information held by OCLC is deleted according to our internal destruction schedule when it is no longer necessary to maintain. Data destruction schedules may vary by system and type of information. In addition, we comply with customers’ specific data destruction instructions and requirements.
Handling of Privacy Inquiries and Complaints
All privacy-related inquiries and complaints worldwide, whether received by the Data Protection Officer, OCLC’s customer support team, or through this website, are processed by our global legal staff. This includes requests by persons to exercise their legal privacy rights. All inquiries and complaints are managed by OCLC within its Privacy Information Management System, and are resolved in compliance with the requester’s local laws.
Specific States
California
As a non-profit corporation, OCLC is not subject to the California Consumer Privacy Act / California Privacy Rights Act.
Colorado
OCLC is not a controller of personal data under the Colorado Privacy Act, but it meets the obligations and standards of this law for processors of personal data. This includes adhering to its controller customers’ processing instructions, cooperating with controller customers’ data protection assessments, maintaining confidentiality, and complying with controller customers’ data destruction requirements. OCLC’s privacy program will also assist its controller customers in carrying out new data subject access requests from consumers.
Maryland
OCLC is not a controller of personal data under the Maryland Online Data Privacy Act of 2024 (MODPA), which will come into full effect on April 1, 2026. However, it meets the obligations and standards of this law for processors of personal data. For information about OCLC’s products and how they will meet MODPA’s new data minimization standards applicable to our customers, or to discuss implementing specific MODPA requirements in a processing contract, please email [email protected].
Minnesota
OCLC is not a controller of personal data under the Minnesota Consumer Data Privacy Act, but it meets the obligations and standards of this law for processors of personal data. This includes providing documentation to controller customers of how it complies with the Act, facilitating independent assessment of its policies and compliance measures, and assisting its controller customers with maintaining applicable data inventories.
New Jersey
OCLC is not a controller of personal data under the New Jersey Data Privacy Act, but it meets the obligations and standards of this law for processors of personal data. OCLC’s privacy program will assist affected higher education customers in ensuring that their use of OCLC products and services meets the new Act’s obligations for those controllers, including establishing data protection assessments and documenting nondiscrimination obligations.
Last revision: September 5, 2024