Privacy Policy Statements and
Information Collection

Policy:

Major points of entry and any page where information is collected on any Department of Commerce organization's Web site shall include a clearly identifiable link to a privacy policy statement which shall disclose the information collection practices of the site.  This link must be called "Privacy Policy."   

In addition to disclosing the information collection practices of the site, all Privacy Policy statements must notify Web site visitors of their rights under the Privacy Act, regardless of whether the Web site uses or collects any Privacy Act information, or any information at all.  

Units of the Department which are subject to specific privacy-protecting laws (e.g., the Health Insurance Portability and Accountability Act of 1996, or the Family Education Rights and Privacy Act) must also notify Web site visitors of their rights under those laws.

The Discussion section below lists the specific requirements of the Privacy Policy statement and the Privacy Act notification and other required privacy notifications.

Scope:

Major points of entry and any page where information is collected.

NOTE:  Department policy on how and when "cookies" may be collected is addressed in the Web Measurement and Customization Technologies Policy.

Purpose:

This policy is designed to ensure full disclosure of the information collection practices of Department of Commerce Web sites.

Exceptions:

Pages which do not otherwise require a Privacy Policy link do not require one by virtue of the page using email links ["mailto" tags] or by virtue of the automatic collection of IP addresses and other similar log data.  However, the Web sites still require the Privacy Policy link, just not on each page.

Deadline for Implementation:

October 31, 2000.

Discussion:

This policy is designed to ensure accurate and complete disclosure of the information collection practices of Commerce Department Web sites.

The Privacy Policy statement is not a static document.  It must accurately describe the information collection practices of the site and must be updated to reflect any changes in those practices as they occur. 

About Information Collection

Your office, as a representative of the Federal Government, cannot collect information from the public just because you have decided that you need the information.   Before you collect any information through your Web site, you must be sure you have any required clearances for the particular collection.  The Paperwork Reduction Act (PRA) requires clearance from the Office of Management and Budget (OMB) for planned information collections.  This applies to covered voluntary collections as well as mandatory ones.  In addition to the PRA, certain collections of information are covered by the Privacy Act.

The Department has previously distributed OMB Guidance and Model Language for Federal Web Site Privacy Policies [June 1, 1999, pdf] and this has since been supplemented by Federal legislation. 

Webmasters should be aware that additional requirements imposed by the PRA may apply to Web sites that use on-line forms to collect standardized information (other than contact information) from ten or more individuals outside the Government (e.g., applications, surveys, questionnaires, or registration forms that collect more than basic contact information).  Most information collection requires formal clearance from OMB.

Some information, such as IP addresses and domain names, may be collected without clearance as long as it is not stored or maintained in a personally identifiable way, but even this must be disclosed in the Privacy Policy.

An additional "Privacy Act Statement" is required when information is stored or retrievable by a personal identifier (e.g., name, social security number).

Web site content managers should contact their Operating Unit PRA Officer or Privacy Act Officer where on-line collections of information appear to fall within the scope of these Acts.

Contents of the Privacy Policy Statement

  1. General Privacy Policy Statement Requirements: The Privacy Policy statement shall cover each of the following elements, if applicable:
      • the kinds of information collected, including but not limited to email, data from forms, and information automatically collected by the server that administers your Web site.
      • how long the information is retained,
      • how it is used,
      • the conditions under which the information may be shared,
      • who it might be shared with,
      • the conditions under which the information may be made available to the public, and
      • whether information is collected from children.  [See Your Web site and children below.]

    The phrase "...conditions under which the information may be shared" refers to the possible sharing of information with other government entities. The phrase "...conditions under which the information may be made available to the public" refers to the potential availability of the information to the public or to private sector entities, such as pursuant to a Freedom of Information Act request or the sale to commercial entities. These instances must be clearly disclosed.

  2. Email and Persistent Tracking Technology:  In all cases, the Privacy Policy statement shall specifically address:
  3. Management, Operation, Technical Controls and Safeguards:  The Privacy Policy statement must include, in clear language, information about management, operation, and technical controls ensuring the security and confidentiality of personally identifiable records, and, in general terms, information about any additional safeguards used to identify and prevent unauthorized attempts to access or cause harm to information and systems (while not compromising security).

    For sites that do not collect Privacy Act information, this requirement can be met by statements such as the following:

    We collect no personally identifiable information about you when you visit our site unless you choose to provide that information to us.  For the protection of users of our Web sites, we have safeguards in place to identify and prevent unauthorized attempts to access or cause harm to information and systems.

  4. Rights under the Privacy Act:  All Privacy Policy statements must notify Web site visitors of their rights under the Privacy Act.

    For Web sites that do not use or collect Privacy Act information, this requirement can be met by including a link to a site that provides the required information on rights under the Privacy Act. Links usable for this purpose include the following: 

    http://www.usa.gov/Topics/Reference-Shelf/FOIA.shtml

  5. Rights under Other Privacy-protecting Laws:  For units of the Department which are subject to other privacy-protecting laws in addition to the Privacy Act, and which therefore must also notify Web site visitors of their rights under those laws, the additional notification can be done in the body of the Privacy Policy statement, or via link to the specific applicable privacy regulation, or via link to other official summary of statutory rights.

  6. Collection of Voluntary Information – Additional Requirements:  When an agency Web site requests that a user provide voluntary information, and assuming the proposed collection of information is permissible, the Web site must explicitly inform the user that providing the information is voluntary.  The Privacy Policy statement must inform users how to grant consent to use of voluntarily-provided information.  In most cases, this can be done by a general statement such as, for example: "Submitting voluntary information constitutes your consent to the use of the information for the stated purpose."

  7. Collection of Mandatory Information – Additional Requirements:  When an agency Web site collects mandatory information, and assuming the collection of information is permissible, the Privacy Policy statement must inform users how to grant consent to use of mandatorily-provided information for other than statutorily-mandated uses or authorized routine uses under the Privacy Act.

  8. Collection of Information Subject to the Privacy Act – Additional Requirements:  The Privacy Act covers any "system of records," i.e., any group of "records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 

    When a Web site collects information subject to the Privacy Act, it must explain what portion of the information is maintained and retrieved, in a Privacy Act System of Records, by name or personal identifier; and it must provide a Privacy Act Statement either at the point of collection, or via link to the applicable Privacy Policy statement.

    When multiple Privacy Act Statements are incorporated in a Web Privacy Policy, a point-of-collection link must connect the Privacy Act Statement pertinent to the particular collection to which it applies.

    Privacy Act Statements must notify users of the authority for and purpose and use of the collection of information subject to the Privacy Act, regardless of whether providing the information is mandatory or voluntary, and of the effects of not providing all or any part of the requested information.

  9. Your Web Site and Children – Additional Requirements:   Where a Web site is directed toward children or information is knowingly collected from children, the Privacy Policy statement must also provide a contact and get parental consent before collecting, using or disclosing individually identifiable information about a child that is collected online, such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child.  This rule also covers other types of information -- for example, hobbies, interests and information collected through cookies or other types of tracking mechanisms -- when they are tied to individually identifiable information.  Consent is not required when a site is collecting email addresses from children in order to do any of the following:
      • respond to a one-time request from the child;
      • provide notice to, or seek consent from, the parent; or
      • send a newsletter or other information on a regular basis as long as the site notifies a parent and gives them a chance to say no to the arrangement.

When information is collected from children, the site must also provide a mechanism to allow parents to review personal information collected from their children. You should consult with the Office of the General Counsel if your site is collecting information from children.

Location of the Privacy Policy Link

Where Web forms are used, a link to the Privacy Policy statement shall be viewable without scrolling, OR located adjacent to the "submit" button on the form. When multi-page forms are used, a link shall be viewable without scrolling on the first page AND adjacent to any "submit" buttons.

Note on Shared Privacy Policy Statements

Some links take users to separate Web sites within the same organization. There is a concern that different information collection practices may then apply. Therefore, when the information collection practices of various Web sites differ within the same organization the Privacy Policy statement of the parent organization should contain language similar to:

This Privacy Statement applies only to this Web site. Some organizations within [add here the name of the agency, Operating Unit, line office, etc.] may have different information collection practices. You are encouraged to check the Privacy Policy statement when visiting another Web site.

Definition

Any page where information is collected:  The phrase "any page where information is collected," as used in this policy, is a plain English term intended to be all-inclusive and is not limited to personally identifiable information.

Resources

Frequently Asked Questions


Revision History:
September 24, 2008: Revision Approved by WAG
January 11, 2001: Approved. This policy supersedes the guidance published October 20, 2000, by the Department of Commerce's Chief Information Officer.

Department of Commerce Web Advisory Council (WAC)
U.S. Department of Commerce

Send questions and comments about this page to WAC@doc.gov
Page last updated September 29, 2011