ATTACHMENT B

Use this guidance if your Web site is associated with a Privacy Act System of Records.

It is important that you also consult with your operating unit's Privacy Officer.

Changes are in bold.

Revision to existing Web privacy policy

    • The "Privacy Statement" or "Privacy Notice" must now be renamed "Privacy Policy" (hereafter referred to as privacy policy statement).

      This is a name change.

    • The privacy policy statement must notify Web site visitors of their rights under the Privacy Act or other privacy-protecting laws that may primarily apply to specific agencies (e.g., the Health Insurance Portability and Accountability Act of 1996, or the Family Education Rights and Privacy Act). This can be done in the body of the privacy policy statement, or via link to the applicable agency regulation, or via link to other official summary of statutory rights.

      This is a new requirement.

    • The privacy policy statement must inform users how to grant consent to use of voluntarily-provided information. In most cases, this can be done by a general statement such as, for example: "Submitting voluntary information constitutes your consent to the use of the information for the stated purpose."

      This is a new requirement.

    • When an agency Web site requests that a user provide voluntary information, it must explicitly inform the user that providing the information is voluntary.

      This is a new requirement.

    • The privacy policy statement must inform users how to grant consent to use of mandatorily-provided information for other than statutorily-mandated uses or authorized routine uses under the Privacy Act.

      This is a new requirement.

    • The privacy policy statement must include, in clear language, information about management, operation, and technical controls ensuring the security and confidentiality of personally identifiable records (while not compromising security).

      This is a new requirement.

    • The privacy policy statement must include, in general terms, information about any additional safeguards used to identify and prevent unauthorized attempts to access or cause harm to information and systems (while not compromising security).

      This is a new requirement.

    • When a Web site collects information subject to the Privacy Act, it must explain what portion of the information is maintained and retrieved by name or personal identifier in a Privacy Act System of Records and provide a Privacy Act Statement either:
      1. at the point of collection, or
      2. via link to the applicable privacy policy statement.

      When multiple Privacy Act Statements are incorporated in a Web privacy policy, a point-of-collection link must connect to the Privacy Act Statement pertinent to the particular collection.

      This is a new requirement.

    • Privacy Act Statements must notify users of the authority for and purpose and use of the collection of information subject to the Privacy Act, regardless of whether providing the information is mandatory or voluntary, and of the effects of not providing all or any part of the requested information.

      This is a new requirement.

Revision to Persistent Cookie Policy

Note:

Please be aware that the former Commerce policy of allowing use of persistent cookies and other tracking technologies for users of Commerce Web sites only with a Secretarial waiver has been rescinded. Recently issued OMB guidance rendered the former policy obsolete. The Commerce Persistent Cookie Policy memorandum is the official notification of this policy change.

Department of Commerce Web Advisory Council (WAC)
U.S. Department of Commerce

Send questions and comments about this page to WAC@doc.gov
Page last updated October 12, 2010