Federal Websites: Cookie Policy

During the Open Government Initiative outreach, Federal employees and the public have asked us questions about the federal government’s policy on cookies. As part of our effort to create a more open and innovative government, we’re working on a new cookie policy that we’ll want your input on. But before we get into that, let’s provide some context.
In June 2000, the OMB Director issued a memorandum (M-00-13, later updated by M-03-22, /omb/memoranda_default/) that prohibited Federal agencies from using certain web-tracking technologies, primarily persistent cookies, due to privacy concerns, unless the agency head approved of these technologies because of a compelling need. That was more than nine years ago. In the ensuing time, cookies have become a staple of most commercial websites with widespread public acceptance of their use. For example, every time you use a "shopping cart" at an online store, or have a website remember customized settings and preferences, cookies are being used.
This past June, we blogged about ways to enhance citizen participation in government through basic policy changes, including revisions to the current policy on web-tracking technologies. We heard a lot of informal comments on that blog, so we decided to pursue the more formal comment route through the Federal Register (pdf). The goal of this review is to develop a new policy that allows the Federal Government to continue to protect the privacy of people who visit Federal websites while, at the same time, making these websites more user-friendly, providing better customer service, and allowing for enhanced web analytics.
Under the framework we’re looking at, any Federal agency using web tracking technologies on a Federal Government website would be subject to basic principles governing the use of such technologies and would be required to:
  • Adhere to all existing laws and policies (including those designed to protect privacy) governing the collection, use, retention, and safeguarding of any data gathered from users;
  • Post clear and conspicuous notice on the website of the use of web tracking technologies;
  • Provide a clear and understandable means for a user to opt out of being tracked; and
  • Not discriminate against those users who decide to opt out, in terms of their access to information.
OMB is considering a three-tiered approach to the use of web tracking technologies on Federal Government websites:
  • 1st - Single-session technologies, which track users over a single session and do not maintain tracking data over multiple sessions or visits;
  • 2nd - Multi-session technologies for use in analytics, which track users over multiple sessions purely to gather data to analyze web traffic statistics; and
  • 3rd - Multi-session technologies for use as persistent identifiers, which track users over multiple visits with the intent of remembering data, settings, or preferences unique to that visitor for purposes beyond what is needed for web analytics.
We expect that there would be more stringent restrictions or review of the technologies within the tiers that might have higher privacy risks.
To share your comments on this approach, you can post a comment here, submit comments directly in response to the Federal Register notice mentioned above, or email them to: oira_submission@omb.eop.gov. Comments submitted by August 10, 2009, in one of these three ways will be taken into consideration, though we strongly encourage you to comment here so that others can respond. Comments submitted via email will also be republished here. We’re hoping to hear your thoughts on:
  • The basic principles governing the use of such technologies;
  • The appropriate tiers;
  • The acceptable use and restrictions of each tier;
  • The degree of clear and conspicuous notice on each website that web tracking technologies are being used;
  • The applicability and scope of such a framework on Federal agency use of third-party applications or websites;
  • The choice between an opt-in versus opt-out approach for users;
  • Unintended or non-obvious privacy implications; and
  • Any other general comments with respect to this issue.
We appreciate the feedback that we’ve received already, and we look forward to hearing more over at the OSTP blog.
Michael Fitzpatrick is Associate Administrator, OMB Office of Information and Regulatory Affairs;
Vivek Kundra is Federal CIO
 
