Is it legal to print student photos with their names on their school library cards for circulation use?
I didn't realize it in first grade, but a school library is one of the first places a person experiences "the right to privacy" unmediated by a parent or guardian.
Think about it. You go to the library and get to pick out whatever you want. You check out books, and no one can tell you what to pick. And aside from the person checking you out, no one has to see your selection; your records are private.
In the present day, this means that kids whose faces might be all over Facebook, who are attending school via computer, and who "turn off their screen," when they don't want people peeking into their home life during remote learning, still have a right to confidentiality when it comes to the library in their school. And one of the biggest symbols of that student-library relationship is their library card.
So, with all that hanging in the balance, what are the legal considerations of putting student pictures on school library cards?
As often happens in the highly regulated worlds of education, privacy, and information, the answer is: "It depends."
In this case, the factors "it depends" on are numerous; rather than itemize them, I'll summarize them with a few pointed questions:
Factor 1: What else is "on" the library card?
Depending what other information is on the library card, combining a student’s picture with it could increase the likelihood of a violation of FERPA, Ed 2-d, or school policy. For instance, if the card is used for not only swipe access, but access to grades, disciplinary records, and library records, also including a picture ID on it makes it sensitive, indeed.
Factor 2: Who "owns" the library card?
Some schools, by policy, give out student identification cards, but use a school or district-wide policy to confirm that the card is simply "on loan" to the student (and must be returned at certain events, like suspension or expulsion). Other institutions issue a card, and it becomes the student's property; this means that the card is more under that student’s control.
While there is no requirement to do one way over the other, the school and library should confirm the ownership of the card in a policy, as this can impact the decision to mark the card with picture ID, as well as who has control over the card in the future.
Factor 3: Why does the picture need to be on the library card?
Is the school so large that in order to ensure it provides library services to the right student, the card must have a photo ID? Is it a security measure, perhaps to deter theft (of library cards, and therefore collection assets)? Do students need to "swipe" into the library, with the library positioned to monitor that they are letting in a student who isn't supposed to be in class? Or is the library card doing double duty as the student's general student ID? Whatever the reason, it should be understood and clearly based in policy. And if the reason has to do more with security at that school than the operations of the library, it is better that the function be performed by the student ID, not the library card.
Factor 4: Who will have the right or ability to view the library card?
If the library card is only required to be viewed by library staff, the inclusion of the photo is consistent with FERPA's and CPLR 4509's different but equally applicable privacy requirements. But if a security guard, teacher(s), bus driver, or others all have to see the library card for different reasons (this relates to question number 3), or could use the card to access the student's library records, that raises the possibility of concerns.
Factor 5: Is there a "stealth" reason for the use of the photo and name?
For some students, if they do not have documentation such as a birth certificate or social security card, a library card with a picture ID might be the most official "documentation" they have. If a library or school is intending that their cards perform this ancillary function, this should be done with the awareness that third parties relying on the identification function still need permission for the school or library to comment on the content of the card (for students under 18, this means a waiver by parents or guardians). However, that same student (or their parents/guardians) can choose to share their confidential education records or library records however they wish.
Okay, that's a lot of "factors," but what is the answer?
Having dragged you through all that, I will answer the member's very simple question: Is it legal to print student photos with their names on their school library cards for circulation use?
The answer is "Yes."
But! If the library card will be used for anything more than "circulation use" within the library, it is wise to assess precisely what the card will be used for, root that purpose in well-developed policy that considers the above factors, and evaluate if the picture—which in this case, will be a FERPA-protected education record—is needed at all. The more the card is used for functions beyond the needs of the library, the more those functions should be achieved by a separate student ID, or in the alternative, schools should make sure that library information is separate and isolated from other education records accessed by or listed on the card.
Thank you for an important question.
 It is important to note that a "public school library" is different than a public library, or an association library, or a college library.... but ALL are subject to CPLR 4509, the law making library records private. And while they are different, a public school library, like the college library, is subject to FERPA.
 I used to be such a stickler about not posting any pictures of my kids on FB. But the loving posts of other family members eventually wore me down. Sorry, kids, I really tried.
 Photos of students maintained by their institutions, like an ID photo, are confidential education records under FERPA. https://studentprivacy.ed.gov/faq/faqs-photos-and-videos-under-ferpa
 For instance, if the library card is also an all-purpose student ID that also functions as a key card or has lunch money on it, a policy should clearly separate those functions and there must be a clear protocol for voiding access when the card is reported lost.
 Just because the school owns the physical object doesn't mean they own the rights to the student's image.
 This is because, as written more thoroughly in Ask a Lawyer https://www.wnylrc.org/ask-the-lawyer/raqs/100, school library records are subject to both FERPA and 4509 rules of privacy. Combining education record with library records can make it difficult to tease out the different ways the materials may need to be handled.
 See footnote 3. Yes, this is a footnote to send you to a footnote.
 Either in hard copy, on the card, or via digital access.
COVID has made online library card registration essential in many areas. What do we need to consider when dispensing online (temporary cards that allow access to e-resources) and physical library cards to children? At what age, and under what circumstances do we need to get a guardian's signature? Can we require some form of ID for children?
I remember getting my first library card at the Utica Public Library with my Dad, circa 1985. It was a right of passage: something "official" before I could drive, or work, or vote; a stepping-stone to adult life.
Of course, back then, we didn't have the Child Online Privacy Protection Act, the SHIELD Act, or the GDPR. We did have CPLR 4509, but if that was part of the application, I probably assumed it was what the library would use to revive me if I had a heart attack in the stacks.
But enough of Memory Lane: this question is rooted in 2020, a time of pandemic, of online ecosystems, and of growing awareness about personal privacy and data security. During this time, a library putting in place direct access to services for children in the ways listed by the member is a critical service, and as the member points out, introduces a lot of legal factors to think about.
To answer the member's questions, let's dive into them.
Contracts and Kids
Since the relationship of a library to a patron is (among other things) contractual, and in New York a person (generally) cannot be held to a contract until they are 18, any terms a library wants to be able to enforce on a minor must require legal consent of a parent or guardian...and in some cases, the contract really is just with the parent or guardian (who I will call "P/G" for the sake of efficiency going forward).
This, by the way, doesn't mean a library can't let minors have a card and borrow books (or have online access, or be in the library) without the signature of a parent or guardian—it just means if you want to enforce any contractual terms against those minors (like the requirement to return borrowed books), it's best to have a P/G's consent along for the ride.
Contracts and the Internet
Most contracts—including those signed by P/Gs binding minors—can be entered into electronically, and a contract signified by a library card is no exception. So yes, a patron, including a child, can get a library card or access to services through an electronic signature.
(Just in case you want the nation-wide definition, an "electronic signature" is "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.")
What about COPPA?
When a website specifically provides services to children, we often have to consider the Children's Online Privacy Protection Act, or "COPPA." But not today, since COPPA expressly states that the law applies to "commercial" websites and online services and generally not to nonprofit entities like a library.
Although nonprofit entities are generally not subject to COPPA, the FTC "encourages such entities to post privacy policies online and to provide COPPA’s protections to their child visitors." Since libraries are sticklers for privacy, this makes sense, but if your library does this when setting up online resources for minors, don't call it "compliance with COPPA," call it "doing it the right thing because we want to."
Should we require a parent?
COPPA, by the way, is one of the laws that uses the age of thirteen as the cut-off age for children being able to sign up for things (commercial or otherwise) on their own. In my experience, 13 is also the age when insurance carriers decide children transition from "vulnerable" to simply "minors." For this reason, many content providers and services (including libraries) bar access without a parent to those under 13.
All of which is to say: while there might not be a legal requirement to involve a P/G, in general, I'd say this is a good practice. Good—but not required. Remember, to legally enforce any conditions (collect fines), you need a P/G's signature, but if you just want to let a kid borrow a book without consequences enforceable in court, you don't.
Let's see some ID?
Okay: you're set with electronic signatures. You know you need to get P/G into the mix for patrons under 18. You're "Doing The Right Thing Because You Want To" when it comes to soliciting information from minors under 13. Do you need to see identification to make things official?
If the privileges the library card or access grants come with conditions you will need to enforce in a court of law (fines, damages), it is ALWAYS better to get some form of identification or proof of address. I say this, because when lawyers sue, proper ID and proof of address is how they know they are suing the right person.
Similarly, if there is an age or residency requirement, or a financial element (for instance, loading money onto an account), or if a person is to have access to another's account, you might need to require ID.
Because the need for it will vary, when to require ID is a good question for your local attorney. From my perspective, if a person is allowed to take out more than $10,000.00 worth of library assets at a time, or a library wants to be able to collect fines, I'd want to know how to enforce a return of those items. Similarly, if patrons are allowed to access services from third-party vendors through their library card (software programs, audio books, anything governed by a third-party license), and there are consequences for a violation, it is good to have solid information about who your patron really is.
The problem is, if you are going to require ID, you must have a solid policies and procedures that address:
Basically: the reason a library would require ID—aside from verifying that a person lives in the relevant area of service, or is who they say they are—is to collect damages or to legally enforce conditions the patron has agreed to as a condition of a card. Since that is an unpleasant business, its best to avoid it whenever you can...but when it's important, it's important to do it right.
I enjoyed writing this answer, because as part of it, I got to poke around and see how different libraries are solving this issue. I saw some great stuff, including a temporary e-access system that let the technology do all the work (requesting verification of age via click-thru, using location services to confirm location in NY, imposing conditions on digital content via function without the need for legal enforcement mechanisms).
It is good to see when the law inspires, rather than quashes, creativity and information access. I hope your library and library system finds this helpful as you imagine new ways to connect people to vital services!
 Requiring libraries to not release an individual's library records to a third party.
 There ARE some exceptions, but unless your library is hiring a minor to act in their movie, or selling a married couple of 17-year-olds a house, they shouldn't apply here (see General Obligations Law § 3-101).
 (15 USCS § 7001) states: "a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form."
 This definition's use of "electronic sound" created a rabbit hole where I envisioned a series of "auditory" contract signature proceedings where a person uses their Spotify Playlist to accept contracts.
 15 USCS § 7006
 Entities that otherwise would be exempt from coverage under Section 5 of the Fair Trade Commission Act, which most if not all libraries are.
 You can find this "encouragement" at https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions-0
 A great guide for "doing the right thing" is here: https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions-0#A.%20General%20Questions
 By "enforce conditions," I mean contractually, in a court of law. A library can always ask a 12-year-old to pipe down, and enforce its Code of Conduct if they do not. But to collect fees, get a P/G signature!
 This question is critical to a library's mission. While there is no "right" answer, I can say that even facially neutral things such as asking for utility bills, pay stubs, or non-driver ID can alienate people within a library's area of service. I advise maintaining a list of ID types that includes "the usual" types of ID (driver's license, ss card, birth certificate, non-driver ID), and some other types, as well (report card, lease, or any correspondence from a government agency (with private information redacted)). The list maintained by NYPL, who clearly gets this issue, made me smile: https://www.nypl.org/help/library-card/terms-conditions.