Privacy of Visitors to DOC Web Sites

Policy:

It is the policy of the Department of Commerce (DOC) to respect the privacy of visitors to Web sites of DOC organizations to the maximum extent possible consistent with the E-Government Act, the Privacy Act, and other laws. To this end, all Department Web sites are subject to the following requirements:

1. Privacy Policy Statements

Major points of entry and any page where personally identifiable information is collected on any Department of Commerce organization's Web site shall include a clearly identifiable and easily accessible link to a Privacy Policy statement. The link and the statement shall be titled "Privacy Policy." The Privacy Policy statement shall be written in plain language that is clear and easy to understand. It shall identify the information collection practices of the site with regard to the following elements as applicable:

    • the kinds of information collected,
    • how long the information is retained,
    • how it is used,
    • the conditions under which the information may be shared,
    • who it might be shared with,
    • the conditions under which the information may be made available to the public,
    • whether information is collected from children (See Discussion below), and
    • how the user may consent to voluntarily provided information.

In addition, the Privacy Policy statement shall specifically address:

    • whether any information requested is voluntary or mandatory,
    • how the user can grant consent for the collection of voluntary information,
    • rights of Web site visitors under the Privacy Act or other privacy laws (See Discussion below),
    • how email is handled, and
    • the use of "cookies" or other persistent tracking technology and the extent to which information gathered through the use of such technology is safeguarded.

The Privacy Policy statement must accurately describe the information collection practices associated with the site and must be updated to reflect any changes in those practices as they occur. Where Web forms are used, a link to the Privacy Policy statement shall be viewable without scrolling, OR located adjacent to the "submit" button on the form. When multi-page forms are used, a link shall be viewable without scrolling on the first page AND adjacent to any "submit" buttons.

2. E-Gov Act Privacy Policy Requirements

Click here for further information and guidance on how to fulfill this requirement.

3. The Use of Persistent Tracking Technology

The use of persistent cookies or any other persistent tracking technology on Department of Commerce Web sites is prohibited except where:

    • there is a compelling need,
    • there are appropriate safeguards in place,
    • the use is personally approved by the Secretary of Commerce, and
    • there is clear and conspicuous notice to the public.

Approval Process: Before using a persistent cookie or any other persistent tracking technology on any Department of Commerce Web site, the Web site owner must submit an Approval Request to the Secretary of Commerce through the Web site owner's CIO and the Department's Chief Information Officer. The Approval Request shall contain the following elements:

    • a description of the compelling need,
    • a description of what information will be gathered through the cookie or other persistent tracking technology,
    • a description of the measures taken to protect the information (e.g., the way safeguards will be implemented), and
    • a copy of the proposed Web site Privacy Policy statement that is compliant with all of the requirements stated here.

Since the Approval Request may divulge methods used in safeguarding information, it should always be marked as "For Official Use Only".

4. Collection of Voluntary Information

When an agency Web site requests that a user provide voluntary information, it must explicitly inform the user that providing the information is voluntary. "Explicitly" means the Web site (not just the Privacy Policy statement) should have a statement such as "Providing this information is voluntary." Note also that the Privacy Policy Statement must inform visitors how to consent to the use of voluntarily provided information.

Purpose:

This policy is designed to:

    • assure members of the public that their privacy will be respected when they view Web sites of Department of Commerce organizations,
    • ensure full disclosure of the information collection practices of Department of Commerce Web sites, and
    • ensure that the Department's Operating Units and organizational components comply with directives from the Office of Management and Budget and all applicable public laws.

Exceptions:

None

Deadline for Implementation:

This policy will become effective December 15, 2003.

Scope:

This policy applies to all Department of Commerce Web sites which are accessible to the public.

Discussion:

Pages which do not otherwise require a Privacy Policy link do not require one by virtue of the page using email links ["mailto" tags] or by virtue of the automatic collection of IP addresses and other similar log data by the site's Web server.

General Philosophy

Visitors to Web sites of Department of Commerce organizations need to have assurance that their privacy will not be violated as a consequence of viewing DOC Web pages, that information will not be taken from them or their computer without their knowledge, and that their computer will not be compromised as a consequence of viewing any Department of Commerce Web site. The Department is fully committed to setting an example in this regard.

Department of Commerce Web sites don't collect information from visitors without disclosure in the Privacy Policy. This policy is designed to ensure accurate and complete disclosure of the information collection practices of Commerce Department Web sites and to ensure Privacy Policies are updated as these practices change.

Paperwork Reduction Act Collections of Personally Identifiable Information

The Department has previously distributed guidance to all bureau CIOs regarding compliance with OMB's guidance for privacy policy statements, the Paperwork Reduction Act, and the Privacy Act. Web masters should be aware of this guidance and understand that special disclosure statements may be required by the Paperwork Reduction Act on sites that use on-line forms to collect standardized information (other than contact information) from ten or more individuals outside the Government (e.g., applications, surveys, questionnaires, or registration forms that collect more than basic contact information). An additional "Privacy Act Statement" is required when information is stored or retrievable by a personal identifier (e.g., name, social security number). Web masters should contact their bureau's Paperwork Reduction Act Officer or Privacy Act Officer where on-line collections of information appear to fall within the scope of these acts.

This policy requires separate disclosure of "...conditions under which the information may be shared" and "...conditions under which the information may be made available to the public." The former refers to the possible sharing of information with other government entities. The latter focuses on the potential availability of the information to the public or to private sector entities, such as pursuant to a FOIA request or the sale to commercial entities. These instances must be clearly disclosed.

New rules were recently added to this guidance. See attachment B (http://www.osec.doc.gov/webresources/policies/Privacy_B.htm).

Offsite Notification

Some links take users to separate Web sites within the same organization. There is a concern that different information collection practices may then apply. Therefore, when the information collection practices of various Web sites differ within the same organization, the Privacy Statement of the parent organization should contain language similar to:

"This Privacy Policy statement applies only to this Web site. Some organizations within [add here the name of the agency, line office, bureau, etc.] may have other information collection practices. You are encouraged to check the Privacy Statements when going to another Web site."

Web Site Interaction with Children

Where a Web site is directed toward children or information is knowingly collected from children, the Web site Privacy Policy statement must also provide a contact and get parental consent before collecting, using or disclosing individually identifiable information about a child that is collected online, such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child. This rule also covers other types of information -- for example, hobbies, interests and information collected through cookies or other types of tracking mechanisms -- when they are tied to individually identifiable information. Consent is not required when a site is collecting email addresses from children in order to do any of the following:

    • respond to a one-time request from the child;
    • provide notice to, or seek consent from, the parent; or
    • send a newsletter or other information on a regular basis as long as the site notifies a parent and gives them a chance to say no to the arrangement.

When information is collected from children, the site must also provide a mechanism to allow parents to review personal information collected from their children. You should consult with the Office of the General Counsel if your site is collecting information from children.

Persistent Tracking Technology

Persistent tracking technology, including "persistent cookies," can be used to track the activities of users over time and across different Web sites, thus making it possible to build a profile of a Web user's preferences, tastes, Web reading habits, and other characteristics by combining information gathered from multiple visits to different Web sites. OMB and the Department of Commerce have therefore taken the position that, because of the unique laws and traditions about government access to citizens' personal information, the presumption should be that this technology will not be used at Federal Web sites.

The policy outlined above is designed to limit the use of "persistent cookies" to those circumstances which are of a compelling nature. This policy does not apply to "session cookies," (i.e. cookies which are intended to be used only in the browser session in which they were created). The use of these session cookies, however, shall continue to be disclosed in the Web site privacy policies.

Definitions:

"any page where information is collected" - a plain English term that is intended to be all-inclusive and is not limited to personally identifiable information.

Cookie - Data that a Web server causes to be placed on a user's hard drive (or equivalent) that can be read by a Web server.

Persistent Cookie - A cookie that is intended to maintain information over more than one browser session.

Persistent Tracking Technology - Any technology that is intended to maintain information about a Web site visitor over more than one browser session.

Publicly Accessible Web Site - Any Web site on the internet accessible with a web browser.

Session Cookie - A cookie that is intended to be used only in the browser session in which it is created.

Department of Commerce Web Advisory Council (WAC)
U.S. Department of Commerce

Send questions and comments about this page to WAC@doc.gov
Page last updated October 12, 2010