Privacy Laws, Policies and Guidance

General privacy laws, OMB privacy policies and guidance, Departmental policies, and bureau/operating unit privacy policies.



  • The Privacy Act of 1974, 5 U.S.C. § 552a, provides privacy protections for records containing information about individuals (i.e., citizen and legal permanent resident) that are collected and maintained by the federal government and are retrieved by a personal identifier. The Act requires agencies to safeguard information contained in a system of records (SOR). It is currently being revised. It is currently being revised.

  • The Federal Information Security Modernization Act of 2014 (amends the Federal Information Security Management Act of 2002, 44 U.S.C. § 3541), requires agencies to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of an agency.

  • The E-Government Act of 2002 (44 U.S.C. 3601 et seq.) establishes procedures to ensure the privacy of personal information in electronic records.

  • Freedom of Information Act (FOIA) generally provides that any person has a right, enforceable in court, to obtain access to federal agency records, except to the extent that such records (or portions of them) are protected from public disclosure by one of nine exemptions or by one of three special law enforcement record exclusions.   

  • Trade Secrets Act (18 U.S.C. 1905) provides criminal penalties for the theft of trade secrets and other business identifiable information.

  • Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501 et seq.) is designed to reduce the public’s burden of answering unnecessary, duplicative, and burdensome government surveys.

  • Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501-06) (COPPA) regulates the online collection and use of personal information provided by and relating to children under the age of 13.

Back to Top

Office of Management and Budget (OMB) Memoranda

  • OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003), requires agencies to conduct reviews of how information about individuals is handled when information technology (IT) is used to collect new information, or when agencies develop or buy new IT systems to handle collections of personally identifiable information (PII), and describes how the agency handles information that individuals provide electronically.

  • OMB Memorandum M-06-15, Safeguarding PII (May 22, 2006), reiterates and emphasizes agency responsibilities under law and policy to appropriately safeguard sensitive PII; requires that agencies conduct a review of their policies and processes, and take corrective action as appropriate to ensure adequate safeguards to prevent the intentional or negligent misuse of, or unauthorized access to PII; and requires agencies train employees regarding their responsibilities for protecting privacy.

  • OMB Memorandum M-06-16, Protection of Sensitive Agency Information (June 23, 2006), requires agencies to implement encryption protections for PII being transported and/or stored offsite, allowing remote access only with two-factor authentication, using a time-out function for remote access, and logging all computer-readable data extracts from databases holding sensitive information; and verifies each extract, including sensitive data, has been erased within 90 days or its use is still required.

  • OMB Memorandum M-06-19, Reporting Incidents Involving PII and Incorporating the Cost for Security in Agency IT Investments (July 12, 2006), requires agencies to report all incidents involving PII to United States Computer Emergency Readiness Team (US-CERT) within one hour of discovery of the incident.

  • OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of PII (May 22, 2007), identifies existing procedures and establishes several new actions agencies should take to safeguard PII and to respond to Privacy Incident; eliminates the unnecessary use of social security numbers (SSN); and logs all computer-readable data extracts from databases holding sensitive information and verifies each extract, including whether sensitive data has been erased within 90 days or its use is still required (pages 6-8).

  • OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, establishes new procedures and provides updated guidance and requirements for agency use of web measurement and customization technology.

  • OMB Memorandum M-10-23, Guidance for Agency use of Third-Party Websites and Applications, requires Federal agencies to take specific steps to protect the individual privacy whenever they use third-party websites and applications to engage with the public.
  • OMB Memorandum M-11-02, Sharing Data While Protecting Privacy (November 3, 2010), requires agencies to develop and implement solutions that allow data sharing to move forward in a manner that complies with applicable privacy laws, regulations, and policies.

  • OMB Memorandum M-14-04, Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, provides agencies with instructions for meeting their agencies’ fiscal year reporting requirements under the Federal Information Security Management Act (FISMA) and includes reporting instructions on agencies’ privacy management program.

  • OMB Memorandum M-14-06, Guidance for Providing and Using Administrative Data for Statistical Purposes, provides agencies with guidance for addressing the legal, policy, and operational issues that exist with respect to using administrative data for statistical purposes.
  • OMB Memorandum M-15-01, Guidance on Improving Federal Information Security and Privacy Management Practices, identifies current Administration information security priorities, provides agencies with FISMA and Privacy Management reporting guidance and deadlines, and establishes new policy guidelines to improve Federal information security posture.

  • OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, identifies and addresses critical cybersecurity gaps and emerging priorities, and makes specific recommendations to address those gaps and priorities.  The CSIP was developed to assist to strengthen Federal civilian cybersecurity through the following five objectives: (1) Prioritized Identification and Protection of high value information and assets; (2) Timely Detection of and Rapid Response to cyber incidents; (3) Rapid Recovery from incidents when they occur and Accelerated Adoption of lessons learned from the Sprint assessment; (4) Recruitment and Retention of the most highly-qualified Cybersecurity Workforce talent the Federal Government can bring to bear; and (5) Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology. 

  • OMB Memorandum M-16-14, Category Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response (July 1, 2016), which requires federal agencies, with limited exceptions, to address their requirements, when they need to identify protection services, by using the government-wide blanket purchase agreements (BPAs) for Identity Monitoring Data Breach Response and Protection Services (i.e., IPS BPAs) awarded by the General Services Administration (GSA).
  • OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy, revises policies on the role and designation of the Senior Agency Official for Privacy (SAOP), as required by Executive Order 13719, Establishment of the Federal Privacy Council.
  • OMB Memorandum 17-05, Fiscal Year 2016 – 2017 Guidance on Federal Information Security and Privacy Management Requirements, establishes current Administration information security priorities and provides agencies with Fiscal Year 2016 – 2017 Federal Information Security Modernization Act (FISMA) and Privacy Management reporting guidance and deadlines. OMB M-17-05 provides Federal agencies with timelines and requirements for quarterly and annual reporting; establishes detailed instructions for preparing the annual agency FISMA reports; and provides updates to the definition of “major incident” and the U.S. Computer Emergency Readiness Team (US-CERT) Incident Notification Guidelines. Please note:  This memorandum does not apply to national security systems, but agencies are encouraged to adopt the initiatives within this memorandum.

  • OMB Memorandum 17-06, Policies for Federal Agency Public Websites and Digital Services, updates policies regarding Federal Agency public websites and digital services and requires that each agency maintain a central resource page dedicated to its privacy program on the agency’s principal website. The agency’s Privacy Program page must serve as a central source for information about the agency’s practices with respect to PII. The agency’s Privacy Program Page must be located at www.[agency].gov/privacy and must be accessible through the agency’s “About” page. 

  • OMB Memorandum 17-09, Management of Federal High Value Assets, contains general guidance for the planning, identification, categorization, prioritization, reporting, assessment, and remediation of Federal High Value Assets (HVAs), as well as the handling of information related to HVAs by the Federal Government. 

  • Model Privacy Impact Assessment for Agency Use of Third-Party Websites and Applications (December 29, 2011), is the required PIA model for agencies to use when preparing an adapted PIA before engaging the public through third-party websites and applications.

Back to Top

OMB Circulars

  • OMB Circular A-130, Management of Federal Information Resources, provides uniform government-wide information resources management policies as required by the Paperwork Reduction Act of 1980, as amended by the Paperwork Reduction Act of 1995, 44 U.S.C. Chapter 35. This Circular establishes policy for the management of Federal information resources and rescinds OMB Memoranda A-108. 

Back to Top

Bureau/Operating Unit Privacy Policies

Back to Top

Questions and Comments

Send Questions, Comments or Complaints on the Commerce Privacy program to


Office of Privacy and Open Government
Office of the Chief Financial Officer and Assistant Secretary for Administration
U.S. Department of Commerce

Page last updated: December 13, 2016