The IT Law Wiki

Citation

Guidance Attached to OMB Memorandum M-99-18, Guidance and Model Language for Federal Web Site Privacy Policies (June 2, 1999) (full-text).

Overview

This Guidance states “every federal Web site must include a privacy policy statement, even if the site does not collect any information resulting in creating a Privacy Act record.” The guidance also states that “federal agencies’ Web sites are highly diverse, have many different purposes, and that agencies must tailor their statement to the information practices of each individual Web site.” The guidance advises agencies on how to prepare privacy policy statements for five different situations: (1) introductory language; (2) information collected and stored automatically; (3) information collected from e-mails and Web forms; (4) security, intrusion, and detection language; and (5) significant actions where information enters a system of records.[1] Finally, the guidance provides examples of model privacy language to assist agencies in drafting their policies.

Concerning the posting of introductory language on agency Web sites, the guidance describes Web sites as “the front door” for many contacts by individuals, and advises agencies to inform individuals about the agencies’ privacy policies concerning the collection and use of information. As examples, the guidance contains language from the White House and the Social Security Administration Web sites. The privacy policy posted on the White House’s Web site states it will not collect any personal information from individuals visiting the Web site unless they choose to provide that information. The Social Security Administration’s Web site informs visitors that under its privacy policy, it will not collect any personally identifiable information from them, such as their names, addresses, or Social Security numbers, when they visit its Web site unless they willingly provide such information.

Concerning information that is collected and stored automatically, OMB’s guidance notes that in the course of operating a Web site, certain information may be collected automatically. The OMB guidance advises agencies to make clear to individuals whether they are collecting information automatically and whether they plan to collect more information. The OMB guidance provides language from the White House Web site, which informs visitors that its policy is to collect the Internet domain name, the type of browser and operating system visitors use to access the site, the date and time the site was accessed, and the pages visited. The White House Web site also informs visitors that although it uses the information to make its site more useful to visitors, its policy is not to track or record information about individuals and their visits.

The OMB guidance states that agencies can use automatic means to collect information in logs or cookies.

Concerning information collected from e-mails and Web pages, the guidance notes that many websites receive identifiable information from e-mails or Web forms and advises agencies to state how they treat the identifiable information. The OMB guidance states “if true, the agency should inform visitors it uses the information included in an e-mail for the purposes for which it was provided and that the information will be destroyed after this purpose has been fulfilled.”

The OMB guidance provides sample language to this effect from the FTC privacy policy posted at its website. The FTC privacy policy also informs individuals that the material they submit may be seen by various people in the agency and may also be shared with other government agencies enforcing protection, competition, and other laws. The FTC policy informs individuals that in other limited circumstances, such as requests from Congress or private individuals, the FTC may be required by law to disclose information submitted by e-mail.

Concerning security, intrusion, and detection language, the OMB guidance notes that many Webmasters use information collected on a site to detect potentially harmful intrusion and to take action once an intrusion is detected. The OMB guidance further notes that in the event of authorized law enforcement investigations, and pursuant to any required legal process, information from those logs and other sources may be used to help identify an individual. The OMB guidance contains language from the Department of Defense’s (DOD) privacy policy posted on its website that states “for site security purposes, and to ensure that this service remains available to all users, this government computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.” The DOD privacy policy further states “except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits.”

Concerning significant actions where information enters a system of records, the OMB guidance states “to date, a large fraction of federal Web pages have not collected significant amounts of identifiable information in ways that are entered directly into systems of records covered by the Privacy Act.” The OMB guidance informs agencies that in systems of records where traditional paper collections of information are supplemented or replaced by electronic forms offered through a website, the rules of the Privacy Act continue to apply. The guidance also states that for those situations where a Privacy Act notice would be required in the paper-based world, it would be appropriate to post a relevant Privacy Act notice on the Web page, or through a well-marked hyperlink.

References

  1. The OMB privacy policy guidance uses two headings to describe situation 5 — “significant actions where information may be subject to the Privacy Act” and “significant actions where information enters a system of records.”