

Office of Information
and Regulatory Affairs

September 5, 2000

Roger Baker
Chief Information Officer
U.S. Department of Commerce
Room 5033
14th & Constitution Avenue, NW
Washington, DC 20230

Dear Roger:

Thank you for your letter of July 28, 2000, regarding OMB Memorandum 00-13 on "Privacy Policies and Data Collection on Federal Web Sites." We appreciate the CIO Council's strong support for protecting the personal information of citizens who visit federal web sites. We also stand ready to assist agencies as needed in implementing this guidance.

The President and the Vice President are strongly committed to the protection of privacy rights. They believe that the federal government should serve as a model of good privacy practices. Agencies need to be particularly careful before launching any effort to gather information on the activities of citizens who visit federal web sites. As we work to promote customer service, we must keep privacy concerns in mind.

In this spirit, OMB issued Memorandum 00-13, which aims specifically at the tracking of "the activities of users over time and across different web sites." As you correctly point out, a principal example of such is the use of persistent cookies. In accord with the Memorandum, federal web sites should not use persistent cookies unless four conditions are met:

  • The site gives clear and conspicuous notice;

  • There is a compelling need to gather the data on the site;

  • Appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the cookies; and

  • The agency head gives personal approval for the use.

We are concerned about persistent cookies even if they do not themselves contain personally identifiable information. Such cookies can often be linked to a person after the fact, even where that was not the original intent of the web site operator. For instance, a person using the computer later may give his or her name or e-mail address to the agency. It may then be technically easy for the agency to learn the complete history of the browsing previously done by users of that computer, raising privacy concerns even when the agency did not originally know the names of the users.

We recognize that agency web sites can also seek information from visitors in ways that do not raise privacy concerns. Specifically, they may retain the information only during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different web sites. When used only for a single session or transaction, such information can assist web users in their electronic interactions with government, without threatening their privacy. One example of such an approach that supports electronic government would be the use of a shopping cart to purchase a number of items online from the U.S. Mint. Another example would be the current technology that assists users in filling out applications that require accessing multiple web pages on the Department of Education's Direct Consolidation Loan site. We do not regard such activities as falling within the scope of Memorandum 00-13.
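The distinction drawn above between session-only cookies and persistent ones can be checked mechanically from the Set-Cookie headers a site returns. The following is an added Python example, not part of this letter or of any OMB guidance, that flags cookies which would outlive the browser session so an operator can review them against the four conditions; the header values are constructed samples.

```python
# Added example (not from the OMB letter): classify Set-Cookie header values
# as session or persistent, following RFC 6265 lifetime rules.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple


def classify_set_cookie(header_value: str,
                        now: Optional[datetime] = None) -> Tuple[str, bool, Optional[str]]:
    """Return (cookie_name, is_persistent, attribute_that_makes_it_persistent).

    A cookie is a session cookie unless it carries Max-Age or Expires.
    Max-Age takes precedence over Expires; a non-positive Max-Age or an
    Expires date already in the past deletes the cookie rather than
    persisting it; unparsable values are ignored, as browsers ignore them.
    Expires is parsed with the RFC 5322 date parser, an approximation of
    the more lenient cookie-date algorithm browsers use.
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    expires_in_future = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                secs = int(val)
            except ValueError:
                continue  # invalid Max-Age is ignored
            return (name, secs > 0, "Max-Age" if secs > 0 else None)
        if key == "expires":
            try:
                when = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # unparsable date is ignored
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            expires_in_future = when > now  # last Expires attribute wins
    return (name, expires_in_future, "Expires" if expires_in_future else None)


def persistent_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies that would survive closing the browser."""
    return [name for name, persistent, _ in map(classify_set_cookie, set_cookie_headers)
            if persistent]


# Constructed sample headers: a shopping-cart session cookie, a long-lived
# visitor cookie, a deletion (Max-Age=0), and a case where Max-Age overrides
# a past Expires date.
SAMPLE_HEADERS = [
    "cartid=abc123; Path=/; Secure; HttpOnly",
    "visitor=7f3e; Path=/; Expires=Thu, 01 Jan 2037 00:00:00 GMT",
    "prefs=en; Max-Age=0; Path=/",
    "track=9b1c; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=31536000",
]
```

Running `persistent_cookies(SAMPLE_HEADERS)` reports only `visitor` and `track`; the cart cookie and the deletion are session-scoped or gone.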

In your letter, you also inquired whether we should extend the policy guidance in Memorandum 00-13 to agency intranet sites as well as agency external internet web sites. The guidance, of course, focuses on internet traffic between the government and citizens. You raise an important issue, however, and we look forward to working with the CIO Council to review our policies regarding agency intranets.

Thank you again for sharing your insights and those of our CIO Council colleagues. Your creativity and support are indispensable to our electronic government efforts.


John T. Spotila