Persistent Cookies and Other Persistent Tracking Technology

Note:

Please be aware that the former Commerce policy of allowing use of persistent cookies and other tracking technologies for users of Commerce Web sites only with a Secretarial waiver has been rescinded.  Recently issued OMB guidance rendered the former policy obsolete. The Commerce Persistant Cookie Policy memorandum is the official notification of this policy change.


Policy:

It is the policy of the Department to prohibit the use of persistent cookies or other persistent tracking technology on Department of Commerce Web sites except where: there is a compelling need; there are appropriate safeguards in place; the use is personally approved by the Secretary of Commerce; and there is clear and conspicuous notice to the public.

Approval Process: Before using a persistent cookie or any persistent tracking technology on any Department of Commerce Web site, the Web site owner must submit an Approval Request to the Secretary of Commerce through the Web site owner's Chief Information Officer and the Department's Chief Information Officer.

The Approval Request shall contain the following elements:

    • a description of the compelling need ;
    • a description of what information will be gathered through the cookie or tracking technology;
    • a description of the measures taken to protect the information (i.e. the way safeguards will be implemented); and
    • a copy of the proposed Web site Privacy Policy statement that is compliant with the requirements outlined in Web policy on Privacy Policy Statements and Information Collection and which contains the following four additional elements:
      1. the purpose of the tracking (e.g., site customization);
      2. that accepting the tracking (or feature using the tracking) is voluntary;
      3. that declining the tracking (or feature using the tracking) still permits use of the site; and
      4. indicating (without compromising security) the privacy safeguards in place for handling the information collected.

Since the Approval Request may divulge methods used in safeguarding information it should always be marked as "For Official Use Only."

Note that session cookies are still allowed, and password access is still permissible, as long as it does not involve persistent cookies or other persistent tracking technology. On the other hand, tracking for site customization, regardless of the method used, is treated like tracking with persistent cookies, and therefore authorization will be required for site customization as well as for persistent cookies

Scope:

All Department of Commerce Web sites, except intranet sites not available to the public.

Purpose:

This policy is designed to ensure that the Department's Operating Units and organizational components comply with directives from the Office of Management and Budget.

Exceptions:

None.

Deadline for Implementation:

Immediate.

Discussion:

The Department's Web policy on Privacy Policy Statements and Information Collection and in particular this policy on the use of cookies, is designed to fully implement guidance issued by the Office of Management and Budget (OMB).

"Persistent cookies" can be used to track the activities of users over time and across different Web sites, thus making it possible to build a profile of a Web user's preferences, tastes, Web reading habits, and other characteristics by combining information gathered from multiple visits to different Web sites. OMB and the Department of Commerce have therefore taken the position that, because of the unique laws and traditions about government access to citizens' personal information, the presumption should be that cookies or other similar persistent tracking technology will not be used at Federal Web sites.

This policy is designed to limit the use of persistent tracking technology to those circumstances which are of a compelling nature. It does not apply to  cookies which are intended to be used only in the browser session in which they are created ("session cookies"). However, the use of these session cookies shall continue to be disclosed in the Web site Privacy Policy statements as required by the policy on Privacy Policy Statements and Information Collection

Definitions:

Cookie

Data that a Web server causes to be placed on a user's hard drive (or equivalent) that can be read by a Web server.

Persistent Cookie

A cookie that is intended to maintain information over more than one browser session.

Persistent Tracking Technology

Any tracking technology that is intended to maintain information over more than one browser session.

Session Cookie

A cookie that is intended to be used only in the browser session in which it is created.

 

Revision History:
September 24, 2008: Revised as approved by the WAG.
January 11, 2001: Approved. This policy supercedes the guidance published October 20, 2000, by the Department of Commerce's Chief Information Officer.

Department of Commerce Web Advisory Council (WAC)
U.S. Department of Commerce

Send questions and comments about this page to WAC@doc.gov
Page last updated October 12, 2010