Units of the Department which are subject to specific privacy-protecting laws (e.g., the Health Insurance Portability and Accountability Act of 1996, or the Family Education Rights and Privacy Act) must also notify Web site visitors of their rights under those laws.
Major points of entry and any page where information is collected.
NOTE: Department policy on how and when "cookies" may be collected is addressed in the Web Measurement and Customization Technologies Policy.
This policy is designed to ensure full disclosure of the information collection practices of Department of Commerce Web sites.
Deadline for Implementation:
October 31, 2000.
This policy is designed to ensure accurate and complete disclosure of the information collection practices of Commerce Department Web sites.
About Information Collection
Your office, as a representative of the Federal Government, cannot collect information from the public just because you have decided that you need the information. Before you collect any information through your Web site, you must be sure you have any required clearances for the particular collection. The Paperwork Reduction Act (PRA) requires clearance from the Office of Management and Budget (OMB) for planned information collections. This applies to covered voluntary collections as well as mandatory ones. In addition to the PRA, certain collections of information are covered by the Privacy Act.
The Department has previously distributed OMB Guidance and Model Language for Federal Web Site Privacy Policies [June 1, 1999, pdf] and this has since been supplemented by Federal legislation.
Webmasters should be aware that additional requirements imposed by the PRA may apply to Web sites that use on-line forms to collect standardized information (other than contact information) from ten or more individuals outside the Government (e.g., applications, surveys, questionnaires, or registration forms that collect more than basic contact information). Most information collection requires formal clearance from OMB.
An additional "Privacy Act Statement" is required when information is stored or retrievable by a personal identifier (e.g., name, social security number).
Web site content managers should contact their Operating Unit PRA Officer or Privacy Act Officer where on-line collections of information appear to fall within the scope of these Acts.
- the kinds of information collected, including but not limited to email, data from forms, and information automatically collected by the server that administers your Web site,
- how long the information is retained,
- how it is used,
- the conditions under which the information may be shared,
- who it might be shared with,
- the conditions under which the information may be made available to the public, and
- whether information is collected from children. [See Your Web site and children below.]
The phrase "...conditions under which the information may be shared" refers to the possible sharing of information with other government entities. The phrase "...conditions under which the information may be made available to the public" refers to the potential availability of the information to the public or to private sector entities, such as pursuant to a Freedom of Information Act request or the sale to commercial entities. These instances must be clearly disclosed.
- how email is handled, and
- the use of "cookies" and other persistent tracking technology, and the extent to which information gathered this way is safeguarded.
[See the Web Measurement and Customization Technologies Policy.]
For Web sites that do not use or collect Privacy Act information, this requirement can be met by including a link to a site that provides the required information on rights under the Privacy Act. Links usable for this purpose include the following:
- Collection of Information Subject to the Privacy Act – Additional Requirements: The Privacy Act covers any "system of records," i.e., any group of "records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."
Privacy Act Statements must notify users of the authority for and purpose and use of the collection of information subject to the Privacy Act, regardless of whether providing the information is mandatory or voluntary, and of the effects of not providing all or any part of the requested information.
- respond to a one-time request from the child;
- provide notice to, or seek consent from, the parent; or
- send a newsletter or other information on a regular basis as long as the site notifies a parent and gives them a chance to say no to the arrangement.
For sites that do not collect Privacy Act information, this requirement can be met by statements such as the following:
We collect no personally identifiable information about you when you visit our site unless you choose to provide that information to us. For the protection of users of our Web sites, we have safeguards in place to identify and prevent unauthorized attempts to access or cause harm to information and systems.
When information is collected from children, the site must also provide a mechanism to allow parents to review personal information collected from their children. You should consult with the Office of the General Counsel if your site is collecting information from children.
Any page where information is collected: The phrase "any page where information is collected," as used in this policy, is a plain English term intended to be all-inclusive and is not limited to personally identifiable information.
September 24, 2008: Revision Approved by WAG
January 11, 2001: Approved. This policy supersedes the guidance published October 20, 2000, by the Department of Commerce's Chief Information Officer.