Guidance Attached to OMB Memorandum M-99-18, Guidance and Model Language for Federal Web Site Privacy Policies (June 2, 1999) (full-text).
Concerning information that is collected and stored automatically, OMB’s guidance notes that in the course of operating a Web site, certain information may be collected automatically. The OMB guidance advises agencies to make clear to individuals whether they are collecting information automatically and whether they plan to collect more information. The OMB guidance provides language from the White House Web site, which informs visitors that its policy is to collect the Internet domain name, the type of browser and operating system visitors use to access the site, the date and time the site was accessed, and the pages visited. The White House Web site also informs visitors that although it uses the information to make its site more useful to visitors, its policy is not to track or record information about individuals and their visits.
The OMB guidance states that agencies can use automatic means to collect information in logs or cookies. Concerning information collected from e-mails and Web pages, the guidance notes that many websites receive identifiable information from e-mails or Web forms and advises agencies to state how they treat the identifiable information. The OMB guidance states “if true, the agency should inform visitors it uses the information included in an e-mail for the purposes for which it was provided and that the information will be destroyed after this purpose has been fulfilled.”
Concerning significant actions where information enters a system of records, the OMB guidance states “to date, a large fraction of federal Web pages have not collected significant amounts of identifiable information in ways that are entered directly into systems of records covered by the Privacy Act.” The OMB guidance informs agencies that in systems of records where traditional paper collections of information are supplemented or replaced by electronic forms offered through a website, the rules of the Privacy Act continue to apply. The guidance also states that for those situations where a Privacy Act notice would be required in the paper-based world, it would be appropriate to post a relevant Privacy Act notice on the Web page, or through a well-marked hyperlink.