Privacy Requirements

Organizations should review the following laws and regulations related to privacy protections to ensure that their public websites meet the full range of requirements.

• OMB M-03–22, Guidance for Implementing the Privacy Provisions of the E–Government Act of 2002
• OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies  (PDF, 102 KB, 9 pages, June 2010)
• OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications  (PDF, 103 KB, 9 pages, June 2010)
• E–Government Act of 2002, Section 207(f)(1)(B)
• Privacy Act of 1974
• OMB Circular A–130, Appendix 1
• Children's Online Privacy Protection Act of 1998 (COPPA)
• Requirements for Accepting Externally-Issued Identity Credentials - memo from Federal CIO to Executive Branch Agency CIOs (PDF, 166 KB, 4 pages, October 2011)

Examples

• Challenge.gov provides a concise explanation of their Use of Persistent Cookies policy.
• The Social Security Administration has a comprehensive Privacy Policy that is written in plain language and clearly explains how SSA will handle personal information collected over the Internet.
• The Department of Commerce has a machine readable privacy policy statement.
• NOAA provides a clear explanation at the top of their Privacy Policy explaining that they are committed to privacy protection. They also provide an easy–to–read format about each topic related to privacy.
• The National Institute of Health's My NCBI portal gives users a variety of ways to sign in, including via Google, or using IDs from affiliated partner organizations.  

     *These requirements apply to executive departments and agencies and their public websites. Check the specific law to see if it also applies to the judicial or legislative agencies or to intranets.

Content Lead: Natalie Davidson
Page Reviewed/Updated: April 19, 2012