This Guide requires Federal agencies to take specific steps to protect individual privacy whenever they use third-party websites and applications to engage with the public. The Memorandum builds on the protections and requirements outlined in the Privacy Act of 1974 and the E-Government Act of 2002 and on OMB's existing guidance; it calls for transparent privacy policies, individual notice, and a careful analysis of the privacy implications whenever Federal agencies choose to use third-party technologies to engage with the public.
When using a third-party website or application, agencies are instructed to adhere to the following general requirements:
- External Links. If an agency posts a link that leads to a third-party website or any other location that is not part of an official government domain, the agency should provide an alert to the visitor, such as a statement adjacent to the link or a "pop-up," explaining that visitors are being directed to a non-government website that may have different privacy policies from those of the agency’s official website.
- Agency Branding. In general, when an agency uses a third-party website or application that is not part of an official government domain, the agency should apply appropriate branding to distinguish the agency's activities from those of nongovernment actors. For example, to the extent practicable, an agency should add its seal or emblem to its profile page on a social media website to indicate that it is an official agency presence.
- Information Collection. If information is collected through an agency’s use of a third-party website or application, the agency should collect only the information "necessary for the proper performance of agency functions and which has practical utility." If personally identifiable information (PII) is collected, the agency should collect only the minimum necessary to accomplish a purpose required by statute, regulation, or executive order.
Privacy Impact Assessment Edit
This Guide asks agencies to prepare an adapted Privacy Impact Assessment (PIA) that is tailored to address the specific functions of a third-party website or application that is being used. According to the memorandum, the PIA should describe:
- the specific purpose of the agency's use of the third-party website or application;
- any PII that is likely to become available to the agency through public use of the third-party website or application;
- the agency's intended or expected use of PII;
- with whom the agency will share PII;
- whether and how the agency will maintain PII, and for how long;
- how the agency will secure PII that it uses or maintains;
- what other privacy risks exist and how the agency will mitigate those risks; and
- whether the agency's activities will create or modify a "system of records" under the Privacy Act of 1974.
An agency may prepare one PIA to cover multiple websites or applications that are functionally comparable, as long as the agency's practices are substantially similar across each website and application. For example, one PIA may be sufficient to cover an agency's use of multiple social media websites where limited PII is made available to the agency, but none is collected, shared, or maintained. However, if an agency's use of a website or application raises distinct privacy risks, the agency should prepare a PIA that is exclusive to that website or application.
- "Privacy Impact Assessment" section: Model Privacy Impact Assesment for Agency Use of Third-Party Websites and Applications.