M-00-13, Privacy Policies and Data Collection on Federal Web Sites
June 22, 2000
MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
The purpose of this memorandum is to remind you that each agency is required by law and policy to establish clear privacy policies for its web activities and to comply with those policies. Agency contractors should also comply with those policies when operating web sites on behalf of agencies.
As described in my memorandum of June 2, 1999, on "Privacy Policies on Federal Web Sites," agencies are to post clear privacy policies on agency principal web sites, as well as at any other known, major entry points to sites, and at any web page where substantial amounts of personal information are posted. Privacy policies must be clearly labeled and easily accessed when someone visits a web site.
Agencies must take care to ensure full adherence with stated privacy policies. For example, if an agency web site states that the information provided will not be available to any other entities, it is the responsibility of the agency to assure that no such sharing takes place. To ensure such adherence, each agency should immediately review its compliance with its stated web privacy policies.
Particular privacy concerns may be raised when uses of web technology can track the activities of users over time and across different web sites. These concerns are especially great where individuals who have come to government web sites do not have clear and conspicuous notice of any such tracking activities. "Cookies" -- small bits of software that are placed on a web user's hard drive -- are a principal example of current web technology that can be used in this way. The guidance issued on June 2, 1999, provided that agencies could only use "cookies" or other automatic means of collecting information if they gave clear notice of those activities.
Because of the unique laws and traditions about government access to citizens' personal information, the presumption should be that "cookies" will not be used at Federal web sites. Under this new Federal policy, "cookies" should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from "cookies"; and personal approval by the head of the agency. In addition, it is federal policy that all Federal web sites and contractors when operating on behalf of agencies shall comply with the standards set forth in the Children's Online Privacy Protection Act of 1998 with respect to the collection of personal information online at web sites directed to children.
A description of your privacy practices and the steps taken to ensure compliance with this memorandum should be included as part of the submission on information technology that is incorporated into the agency budget submission this fall.