Skip to content Department of Commerce Home page
Department of Commerce Web Advisory Group Banner
 
Commerce Home
Policies &
Best Practices
Definitions
WAG Charter
E-mail List
 
USA.gov logo
 Home > Policies > Revised Privacy Policy > Privacy Policy Requirements > Attachment A
ATTACHMENT A

Use this guidance if your Web site is not associated with a Privacy Act System of Recordsand is accessible to the public.

Changes are in bold.

Revision to existing Web privacy policy

  • The "Privacy Statement" or "Privacy Notice" must now be renamed "Privacy Policy" (hereafter referred to as privacy policy statement).

    This is a name change.

  • The privacy policy statements of all Commerce Web sites must notify Web site visitors of their rights under the Privacy Act. This requirement applies regardless of whether the Web site uses or collects any Privacy Act information, or indeed, any information at all. For those Web sites that do not use or collect Privacy Act information, this requirement can be met by including a link to a site that provides the required information on rights under the Privacy Act. Links usable for this purpose include the following:

    • This is a new requirement.

  • The privacy policy statement must inform users how to grant consent to use of voluntarily-provided information. In most cases, this can be done by a general statement such as, for example: "Submitting voluntary information constitutes your consent to the use of the information for the stated purpose."

    This is a new requirement.

  • When an agency Web site requests that a user provide voluntary information, it must explicitly inform the user that providing the information is voluntary.

    This is a new requirement.

  • The privacy policy statement must include, in clear language, information about management, operation, and technical controls ensuring the security and confidentiality of personally identifiable records, and, in general terms, information about any additional safeguards used to identify and prevent unauthorized attempts to access or cause harm to information and systems (while not compromising security). If the site does not involve Privacy Act information, this requirement can be met by statements such as the following:
    We collect no personally identifiable information about you when you visit our site unless you choose to provide that information to us.

    For the protection of users of our Web sites, we have safeguards in place to identify and prevent unauthorized attempts to access or cause harm to information and systems.

    This is a new requirement.

Revision to Persistent Cookie Policy

  • The policy on use of persistent cookies is extended to include any persistent tracking technology. Therefore, prior to use of any such technology, approval must be obtained from the Secretary of Commerce in the same fashion as for persistent cookies. If any persistent tracking technology is used, the applicable privacy policy statement must specify:

    • the purpose of the tracking (e.g., site customization);

    • that accepting the customizing feature is voluntary;

    • that declining the feature still permits the individual to use the site; and

    • the privacy safeguards in place for handling the information collected.

    Note that session cookies are still allowed, and password access is still permissible, as long as it does not involve persistent cookies or other similar technology. On the other hand, tracking for site customization, regardless of the method used, is treated like tracking with persistent cookies, and therefore authorization will be required for site customization as well as for persistent cookies.

    • This is an extension of the persistent cookie policy.
  Home | Policies | Best Practices | Definitions Related to Policies | WAG Charter

US Department of Commerce
Office of the CIO

Privacy Policy
Information Quality
FOIA

About DOC
Disclaimer
Contact Us

  Page last updated: 19 March, 2008 1:17 PM