Association of Research Libraries Research Library Issues 297 — 2019

Libraries are going to need to think very carefully about what data they want to collect and what risks it represents. Then they will need to consider how to inform their users about what is being collected, how it is being used, and where the data collection is going to happen. They may need to share some additional information (role, school, or departmental affiliation, for example) about users with external platforms if they want the platform to return usage data faceted by those attributes. Emerging techniques and technologies, such as differential privacy, may ultimately prove very helpful here.

The Most Important Steps to Take Now

This brief paper suggests many issues that library leadership needs to consider with regard to reader privacy, but three stand out to me as most urgent:

1. If you are using Shibboleth for authentication to external content platforms at your institution, be sure that you understand your institution’s attribute release policy and the governance around the development and maintenance of that policy.

2. As new licenses for content and services are established, or as existing ones are renewed, add language dealing with reader privacy as a routine matter.

3. Develop a strategy and a program for informing and educating the university community about reader privacy issues broadly. In my view, this is ideally done by the library in partnership with other organizations (such as information technology, general counsel, registrar, instructional technology, etc.) in a coordinated and holistic way. In any event, it’s essential that this communication be put in place sooner rather than later, even if the library must act alone for a time while an effort is being made to develop a more strategic institution-wide conversation about the issues.