ATTACHMENT B

Use this guidance if your Web site is associated with a Privacy Act System of Records.

It is important that you also consult with your operating unit's Privacy Officer.

Changes are in bold.

Revision to existing Web privacy policy

  • The "Privacy Statement" or "Privacy Notice" must now be renamed "Privacy Policy" (hereafter referred to as privacy policy statement).

    This is a name change.

  • The privacy policy statement must notify Web site visitors of their rights under the Privacy Act or other privacy-protecting laws that may primarily apply to specific agencies (e.g., the Health Insurance Portability and Accountability Act of 1996, or the Family Educational Rights and Privacy Act). This can be done in the body of the privacy policy statement, via a link to the applicable agency regulation, or via a link to another official summary of statutory rights.

    This is a new requirement.

  • The privacy policy statement must inform users how to grant consent to use of voluntarily-provided information. In most cases, this can be done by a general statement such as, for example: "Submitting voluntary information constitutes your consent to the use of the information for the stated purpose."

    This is a new requirement.

  • When an agency Web site requests that a user provide voluntary information, it must explicitly inform the user that providing the information is voluntary.

    This is a new requirement.

  • The privacy policy statement must inform users how to grant consent to use of mandatorily-provided information for other than statutorily-mandated uses or authorized routine uses under the Privacy Act.

    This is a new requirement.

  • The privacy policy statement must include, in clear language, information about management, operation, and technical controls ensuring the security and confidentiality of personally identifiable records (while not compromising security).

    This is a new requirement.

  • The privacy policy statement must include, in general terms, information about any additional safeguards used to identify and prevent unauthorized attempts to access or cause harm to information and systems (while not compromising security).

    This is a new requirement.

  • When a Web site collects information subject to the Privacy Act, it must explain what portion of the information is maintained and retrieved by name or personal identifier in a Privacy Act System of Records and provide a Privacy Act Statement either:

    1. at the point of collection, or

    2. via link to the applicable privacy policy statement.

    When multiple Privacy Act Statements are incorporated in a Web privacy policy, a point-of-collection link must connect to the Privacy Act Statement pertinent to the particular collection.

    This is a new requirement.

  • Privacy Act Statements must notify users of the authority for and purpose and use of the collection of information subject to the Privacy Act, regardless of whether providing the information is mandatory or voluntary, and of the effects of not providing all or any part of the requested information.

    This is a new requirement.

Revision to Persistent Cookie Policy

  • The policy on use of persistent cookies is extended to include any persistent tracking technology. Therefore, prior to use of any such technology, approval must be obtained from the Secretary of Commerce in the same fashion as for persistent cookies. If any persistent tracking technology is used, the applicable privacy policy statement must specify:

    1. the purpose of the tracking (e.g., site customization);

    2. that accepting the customizing feature is voluntary;

    3. that declining the feature still permits the individual to use the site; and

    4. the privacy safeguards in place for handling the information collected.

    Note that session cookies are still allowed, and password access is still permissible, as long as it does not involve persistent cookies or other similar technology. On the other hand, tracking for site customization, regardless of the method used, is treated like tracking with persistent cookies, and therefore authorization will be required for site customization as well as for persistent cookies.

    This is an extension of the persistent cookie policy.
US Department of Commerce
Office of the CIO
Page last updated: 19 March, 2008 1:17 PM