OMB Memorandum M-00-13

On June 22, 2000, OMB issued OMB Memorandum M-00-13, entitled “Privacy Policies and Data Collection on Federal Web Sites.” The June 22 memorandum refers to the earlier OMB Memorandum M-99-18, and the need for agencies to comply with this earlier guidance; however, the June 22, 2000, memorandum provides additional guidance relating to the collection of information by federal Web sites using cookies.

The guidance attached to OMB Memorandum M-99-18 states that agencies could use automatic means to collect information in logs or cookies. The June 22, 2000, memorandum states that cookies should not be used at federal Web sites unless clear and conspicuous notice is given and the following conditions are met: (1) there is a compelling need to gather the data on the site, (2) the agency takes appropriate and publicly disclosed privacy safeguards for handling information derived from cookies, and (3) the head of the agency has personally approved the use of cookies.

Concerning information collected from e-mails and Web pages, the OMB guidance notes that many Web sites receive identifiable information from e-mails or Web forms and advises agencies to state how they treat the identifiable information. The OMB guidance states “if true, the agency should inform visitors it uses the information included in an e-mail for the purposes for which it was provided and that the information will be destroyed after this purpose has been fulfilled.” The OMB guidance provides sample language to this effect from the FTC privacy policy posted at its Web site. The FTC privacy policy also informs individuals that the material they submit may be seen by various people in the agency and may also be shared with other government agencies enforcing protection, competition, and other laws. The FTC policy informs individuals that in other limited circumstances, such as requests from Congress or private individuals, FTC may be required by law to disclose information submitted by e-mail.

Concerning security, intrusion, and detection language, the OMB guidance notes that many Webmasters use information collected on a site to detect potentially harmful intrusion and to take action once an intrusion is detected. The OMB guidance further notes that in the event of authorized law enforcement investigations, and pursuant to any required legal process, information from those logs and other sources may be used to help identify an individual. The OMB guidance contains language from the Department of Defense’s (DOD) privacy policy posted on its Web site that states “for site security purposes, and to ensure that this service remains available to all users, this government computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.” The DOD privacy policy further states “except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits.”

Concerning significant actions where information enters a system of records, the OMB guidance states “to date, a large fraction of federal Web pages have not collected significant amounts of identifiable information in ways that are entered directly into systems of records covered by the Privacy Act.” The OMB guidance informs agencies that in systems of records where traditional paper collections of information are supplemented or replaced by electronic forms offered through a Web site, the rules of the Privacy Act continue to apply. The guidance also states that for those situations where a Privacy Act notice would be required in the paper-based world, it would be appropriate to post a relevant Privacy Act notice on the Web page, or through a well-marked hyperlink.