Guidance Attached to OMB Memorandum M-99-18

The guidance attached to OMB Memorandum M-99-18 states “every federal Web site must include a privacy policy statement, even if the site does not collect any information resulting in creating a Privacy Act record.” The guidance also states that “federal agencies’ Web sites are highly diverse, have many different purposes, and that agencies must tailor their statement to the information practices of each individual Web site.” The guidance advises agencies on how to prepare privacy policy statements for five different situations: (1) introductory language; (2) information collected and stored automatically; (3) information collected from e-mails and Web forms; (4) security, intrusion, and detection language; and (5) significant actions where information enters a system of records. Finally, the guidance provides examples of model privacy language to assist agencies in drafting their policies.

Concerning the posting of introductory language on agency Web sites, the guidance describes Web sites as “the front door” for many contacts by individuals, and advises agencies to inform individuals about the agencies’ privacy policies concerning the collection and use of information. As examples, the guidance contains language from the White House and the Social Security Administration Web sites. The White House Web site’s privacy policy states that it will not collect any personal information from individuals visiting the Web site unless they choose to provide that information. The Social Security Administration’s Web site informs visitors that under its privacy policy, it will not collect any personally identifiable information from them, such as their names, addresses, or Social Security numbers, when they visit its Web site unless they willingly provide such information.

Concerning information that is collected and stored automatically, OMB’s guidance notes that in the course of operating a Web site, certain information may be collected automatically. The OMB guidance advises agencies to make clear to individuals whether they are collecting information automatically and whether they plan to collect more information. The OMB guidance provides language from the White House Web site, which informs visitors that its policy is to collect the Internet domain name, the type of browser and operating system visitors use to access the site, the date and time the site was accessed, and the pages visited. The White House Web site also informs visitors that although it uses the information to make its site more useful to visitors, its policy is not to track or record information about individuals and their visits.