IRM Bulletin No. 2001-001

March 1, 2001

IRM BULLETIN NO. 2001-001

To:	Bureau Chief Information Officers
From:	Daryl W. White
	Chief Information Officer
Subject:	Policy Use of "Persistent Cookies" on Interior Web Sites

Background

The purpose of this Information Resources Management Bulletin is to clarify guidelines provided by the Office of Management and Budget on the use of "Persistent Cookies" on Federal web sites and pages.

This policy is based on the following policy recently issued by OMB:

OMB Policy memorandum M-00-13: Privacy Policies and Data Collection on Federal Web Sites dated June 22, 2000 (http://www.whitehouse.gov/OMB/memoranda/m00-13.html), and

Letter of September 5, 2000, from John T. Spotila, Administrator Office of Information and Regulatory Affairs to Roger Baker, Chief Information Officer, Department of Commerce (http://www.cio.gov/docs/OMBCookies2.htm)

The above policy documents plus OMB memorandum M-99-18 (http://www.cio.gov/docs/webpriv1.htm) provided guidelines to the Federal Government on the legal and policy requirements of providing privacy policies on Federal web pages. The intent of these documents was to provide policy which would increase the confidence the public has in the Government's ability to protect their privacy when visiting Government web pages.

OMB memorandum M-00-13 acknowledged the privacy concerns that may be raised when uses of web technology (such as the use of "cookies") can track the activities of users over time and across different web sites and pages. The concerns are especially great when individuals who have come to Government web sites do not have clear and conspicuous notice of these tracking activities. Although OMB, in its M-00-13 memorandum prohibited the use of "cookies" by Federal web sites unless certain conditions were met, John Spotila's letter of September 5 clarified that the "cookies" referred to are "Persistent Cookies" and not "Session Cookies."

"Persistent Cookies" Policy

Interior web sites and pages operated by Federal employees or operated by contractors on behalf of Interior agencies and offices should not use "Persistent Cookies" unless all four specific conditions below are met:

1. The site gives clear and conspicuous notice [of the use of "Persistent Cookies"];

2. There is a compelling need to gather the data on the site;

3. Appropriate and publicly disclosed privacy safeguards exist for handling any

information derived from the cookies; and

4. The agency head gives personal approval for the use.

By virtue of my authority as Chief Information Officer, I redelegate no lower than Heads of Bureaus and Director of the National Business Center the authority to give their personal written approval for the use of "Persistent Cookies" for web sites owned and operated by their organization, in accordance with guidelines 1 through 4 above.

Before "Persistent Cookies" are used, webmasters should ensure that they coordinate requests for approval and privacy policy statements with Privacy Officers and program persons. Approval documentation and justifications should be retained by webmasters to address future inquiries by the public or government offices on their use.

The use of "session cookies" does not require this approval process. However, notice of their use and purpose should be included in privacy policy statements on the appropriate web pages (refer to OMB M-99-18).

If you have any questions regarding this policy, please direct your questions to Steve King, Departmental Webmaster, at (202) 208-0596 or Marilyn Legnini, Departmental Privacy Officer, at (202) 219-0868.

IRM Bulletins