MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
Jacob J. Lew, Director
Privacy Policies and Data Collection on Federal Web Sites

The purpose of this memorandum is to remind you that each agency is
required by law and policy to establish clear privacy policies for its web
activities and to comply with those policies. Agency contractors should also
comply with those policies when operating web sites on behalf of agencies.

As described in my memorandum of June 2, 1999, on "Privacy Policies
on Federal Web Sites," agencies are to post clear privacy policies on agency
principal web sites, as well as at any other known, major entry points to
sites, and at any web page where substantial amounts of personal information
are posted. Privacy policies must be clearly labeled and easily accessed when
someone visits a web site.

Agencies must take care to ensure full adherence with stated privacy
policies. For example, if an agency web site states that the information
provided will not be available to any other entities, it is the responsibility
of the agency to assure that no such sharing takes place. To ensure such
adherence, each agency should immediately review its compliance with its stated
web privacy policies.

Particular privacy concerns may be raised when uses of web technology
can track the activities of users over time and across different web sites.
These concerns are especially great where individuals who have come to
government web sites do not have clear and conspicuous notice of any such
tracking activities. "Cookies" -- small bits of software that are placed on a
web user's hard drive -- are a principal example of current web technology that
can be used in this way. The guidance issued on June 2, 1999, provided that
agencies could only use "cookies" or other automatic means of collecting
information if they gave clear notice of those activities.

Because of the unique laws and traditions about government access to
citizens' personal information, the presumption should be that "cookies" will
not be used at Federal web sites. Under this new Federal policy, "cookies"
should not be used at Federal web sites, or by contractors when operating web
sites on behalf of agencies, unless, in addition to clear and conspicuous
notice, the following conditions are met: a compelling need to gather the data
on the site; appropriate and publicly disclosed privacy safeguards for handling
of information derived from "cookies"; and personal approval by the head of the
agency. In addition, it is federal policy that all Federal web sites and
contractors when operating on behalf of agencies shall comply with the
standards set forth in the Children's Online Privacy Protection Act of 1998
with respect to the collection of personal information online at web sites
directed to children.

A description of your privacy practices and the steps taken to ensure
compliance with this memorandum should be included as part of the submission on
information technology that is incorporated into the agency budget submission