
June 22, 2000

M-00-13

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

FROM: Jacob J. Lew
Director

SUBJECT: Privacy Policies and Data Collection on Federal Web Sites

The purpose of this memorandum is to remind you that each agency is required by law and policy to establish clear privacy policies for its web activities and to comply with those policies. Agency contractors should also comply with those policies when operating web sites on behalf of agencies.

As described in my memorandum of June 2, 1999, on "Privacy Policies on Federal Web Sites," agencies are to post clear privacy policies on agency principal web sites, as well as at any other known, major entry points to sites, and at any web page where substantial amounts of personal information are posted. Privacy policies must be clearly labeled and easily accessed when someone visits a web site.

Agencies must take care to ensure full adherence with stated privacy policies. For example, if an agency web site states that the information provided will not be available to any other entities, it is the responsibility of the agency to assure that no such sharing takes place. To ensure such adherence, each agency should immediately review its compliance with its stated web privacy policies.

Particular privacy concerns may be raised when uses of web technology can track the activities of users over time and across different web sites. These concerns are especially great where individuals who have come to government web sites do not have clear and conspicuous notice of any such tracking activities. "Cookies" -- small bits of software that are placed on a web user's hard drive -- are a principal example of current web technology that can be used in this way. The guidance issued on June 2, 1999, provided that agencies could only use "cookies" or other automatic means of collecting information if they gave clear notice of those activities.

Because of the unique laws and traditions about government access to citizens' personal information, the presumption should be that "cookies" will not be used at Federal web sites. Under this new Federal policy, "cookies" should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from "cookies"; and personal approval by the head of the agency. In addition, it is federal policy that all Federal web sites and contractors when operating on behalf of agencies shall comply with the standards set forth in the Children's Online Privacy Protection Act of 1998 with respect to the collection of personal information online at web sites directed to children.

A description of your privacy practices and the steps taken to ensure compliance with this memorandum should be included as part of the submission on information technology that is incorporated into the agency budget submission this fall.


Last updated: March 3, 2003
Page created: June 28, 2000
