It is the policy of the Department of Commerce (DOC) to respect the privacy of visitors to Web sites of DOC organizations to the maximum extent possible consistent with the E-Government Act, the Privacy Act, and other laws. To this end, all Department Web sites are subject to the following requirements:
- the kinds of information collected,
- how long the information is retained,
- how it is used,
- the conditions under which the information may be shared,
- who it might be shared with,
- the conditions under which the information may be made available to the public, and whether information is collected from children. (See Discussion below)
- how the user may consent to voluntarily provided information
- whether any information requested is voluntary or mandatory,
- how the user can grant consent for the collection of voluntary information,
- rights of Web site visitors under the Privacy Act or other privacy laws (See Discussion below),
- how email is handled, and
- the use of "cookies" or other persistent tracking technology and the extent to which information gathered through the use of such technology is safeguarded.
Click here for further information and guidance on how to fulfill this requirement.
3. The Use of Persistent Tracking Technology
The use of persistent cookies or any other persistent tracking technology on Department of Commerce Web sites is prohibited except where:
- there is a compelling need,
- there are appropriate safeguards in place,
- the use is personally approved by the Secretary of Commerce, and
- there is clear and conspicuous notice to the public.
Approval Process: Before using a persistent cookie or any other persistent tracking technology on any Department of Commerce Web site, the Web site owner must submit an Approval Request to the Secretary of Commerce through the Web site owner's CIO and the Department's Chief Information Officer. The Approval Request shall contain the following elements:
- a description of the compelling need,
- a description of what information will be gathered through the cookie or other persistent tracking technology,
- a description of the measures taken to protect the information (e.g., the way safeguards will be implemented), and
Since the Approval Request may divulge methods used in safeguarding information, it should always be marked as "For Official Use Only".
4. Collection of Voluntary Information
This policy is designed to:
- assure members of the public that their privacy will be respected when they view Web sites of Department of Commerce organizations,
- ensure full disclosure of the information collection practices of Department of Commerce Web sites, and
- ensure that the Department's Operating Units and organizational components comply with directives from the Office of Management and Budget and all applicable public laws.
Deadline for Implementation:
This policy will become effective December 15, 2003.
This policy applies to all Department of Commerce Web sites which are accessible to the public.
Visitors to Web sites of Department of Commerce organizations need assurance that their privacy will not be violated as a consequence of viewing DOC Web pages, that information will not be taken from them or their computer without their knowledge, and that their computer will not be compromised as a consequence of viewing any Department of Commerce Web site. The Department is fully committed to setting an example in this regard.
Paperwork Reduction Act Collections of Personally Identifiable Information
This policy requires separate disclosure of "...conditions under which the information may be shared" and "...conditions under which the information may be made available to the public." The former refers to the possible sharing of information with other government entities. The latter focuses on the potential availability of the information to the public or to private sector entities, such as pursuant to a FOIA request or the sale to commercial entities. These instances must be clearly disclosed.
New rules were recently added to this guidance. See attachment B (http://www.osec.doc.gov/webresources/policies/Privacy_B.htm).
Some links take users to separate Web sites within the same organization. There is a concern that different information collection practices may then apply. Therefore, when the information collection practices of various Web sites differ within the same organization, the Privacy Statement of the parent organization should contain language similar to:
Web Site Interaction with Children
- respond to a one-time request from the child;
- provide notice to, or seek consent from, the parent; or
- send a newsletter or other information on a regular basis as long as the site notifies a parent and gives them a chance to say no to the arrangement.
When information is collected from children, the site must also provide a mechanism to allow parents to review personal information collected from their children. You should consult with the Office of the General Counsel if your site is collecting information from children.
Persistent Tracking Technology
Persistent tracking technology, including "persistent cookies," can be used to track the activities of users over time and across different Web sites, thus making it possible to build a profile of a Web user's preferences, tastes, Web reading habits, and other characteristics by combining information gathered from multiple visits to different Web sites. OMB and the Department of Commerce have therefore taken the position that, because of the unique laws and traditions about government access to citizens' personal information, the presumption should be that this technology will not be used at Federal Web sites.
The policy outlined above is designed to limit the use of "persistent cookies" to those circumstances which are of a compelling nature. This policy does not apply to "session cookies," (i.e. cookies which are intended to be used only in the browser session in which they were created). The use of these session cookies, however, shall continue to be disclosed in the Web site privacy policies.
"any page where information is collected" - a plain English term that is intended to be all-inclusive and is not limited to personally identifiable information.
Cookie - Data that a Web server causes to be placed on a user's hard drive (or equivalent) that can be read by a Web server.
Persistent Cookie - A cookie that is intended to maintain information over more than one browser session.
Persistent Tracking Technology - Any technology that is intended to maintain information about a Web site visitor over more than one browser session.
Publicly Accessible Web Site - Any Web site on the internet accessible with a web browser.
Session Cookie - A cookie that is intended to be used only in the browser session in which it is created.