June 22, 2000
MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
The purpose of this memorandum is to remind you that each agency is
required by law and policy to establish clear privacy policies for its web
activities and to comply with those policies. Agency contractors should also
comply with those policies when operating web sites on behalf of agencies.
As described in my memorandum of June 2, 1999, on "Privacy Policies on
Federal Web Sites," agencies are to post clear privacy policies on agency
principal web sites, as well as at any other known, major entry points to
sites, and at any web page where substantial amounts of personal information
are posted. Privacy policies must be clearly labeled and easily accessed
when someone visits a web site.
Agencies must take care to ensure full adherence with stated privacy
policies. For example, if an agency web site states that the information
provided will not be available to any other entities, it is the responsibility
of the agency to assure that no such sharing takes place. To ensure such
adherence, each agency should immediately review its compliance with its
stated web privacy policies.
Particular privacy concerns may be raised when uses of web technology
can track the activities of users over time and across different web sites.
These concerns are especially great where individuals who have come to
government web sites do not have clear and conspicuous notice of any such
tracking activities. "Cookies" -- small bits of software that are placed on
a web user's hard drive -- are a principal example of current web technology
that can be used in this way. The guidance issued on June 2, 1999, provided
that agencies could only use "cookies" or other automatic means of
collecting information if they gave clear notice of those activities.
Because of the unique laws and traditions about government access to
citizens' personal information, the presumption should be that "cookies"
will not be used at Federal web sites. Under this new Federal policy, "cookies" should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from "cookies"; and personal approval by the head of the agency. In addition, it is federal policy that all Federal web sites and contractors when operating on behalf of agencies shall comply with the standards set forth in the Children's Online Privacy Protection Act of 1998 with respect to the collection of personal information online at web sites directed to children.
A description of your privacy practices and the steps taken to ensure
compliance with this memorandum should be included as part of the submission
on information technology that is incorporated into the agency budget
submission this fall.
||Jacob J. Lew
| || |
||Privacy Policies and Data Collection on Federal Web Sites
| OMB Home Page
| Budget Information
| Legislative Information
| Management Reform/GPRA
| Grants Management
| Financial Management
| Procurement Policy
| Information & Regulatory Policy
| Special Topics |