OMB updates rules for cookies and privacy on U.S. government websites

U.S. agencies can now use social media platforms and other third-party sites.

Earlier today, the United States federal government significantly updated its online cookie policy to allow government agencies to use third-party websites and applications. The two memoranda on the use of cookies and web analytics, embedded after the jump, balance provisions that will enable government agencies to use social media, video sharing and discussion platforms with guidance on privacy safeguards for individual citizens.

“I can finally use persistent cookies on our websites! Couldn’t use Google Analytics before today’s guidance,” tweeted Neil Bonner, manager of applications development at the Transportation Security Administration.

The updated government cookie policy, with its privacy provisions, are directly tied to issues of customization and e-services on government portals. The ability to provide better online experiences on government websites is a theme federal CIO Vivek Kundra has emphasized since his appointment. The updated guidance recognizes the immense changes that have occurred online since policies governing analytics and cookies on government websites were issued a decade ago, including the explosion in government use of third-party websites like Facebook, Twitter and YouTube.

“President Obama has made it a touchstone of his administration to open government and make it more transparent than it ever has been before,” said Michael Fitzpatrick, associate administrator of the Office of Information and Regulatory Affairs. “Over the last year, we’ve been involved in a collaborative effort with the public for how the government should harness new technologies. We needed to put down rules of the road so that agencies can be confident they’re doing it in the right way.”

The way the government has traditionally communicated with the public is through the Federal Register, said Fitzpatrick. And as those who have looked at that entity’s release of bulk XML and are aware, the Federal Register itself is innovating and repackaging the way it provides that information.

“Agencies more and more are looking for ways to communicate with the public in the regulatory realm using social media, chartrooms, webcasts, webinars and virtual town halls,” said Fitzpatrick. “It’s our belief that agencies will reach a much broader segment of the american public than the existing federal Register Model.”

Fitzpatrick says the new guidance will supplement that existing model: “[This memo] will break it open so that it can be accessed by millions and millions of American citizens who have grown up communicating with each other in very different ways than the government models over the last 40 or 50 years.”

Given the support for the use of the social media platforms that have exploded in popularity over the past five years, the updated policies are likely to improve the federal government’s ability to interact and engage with citizens online, deliver e-services and provide information. The new guidance may also begin to close the significant IT gap between the public and private sectors that OMB Director Peter Orzag has recently described.

There are inevitable trade-offs in government gathering citizen information in order to deliver more e-services. Kundra has repeatedly referred to improving .gov websites to reflect the experience that people have come to expect from visiting and other e-tailers. In 2010, smarter websites that remember what you liked, what you clicked, what you bought, and what you browsed are the standard.

Although many citizens have acclimated to that tradeoff commercially, the trend of web giants like Google and Yahoo offering consumer dashboards that provide data collection has accelerated in recent months, in part due to the concerns of privacy advocates and inquiries by federal regulators. It remains to be seen if citizens will be as comfortable about the use of cookies on .gov websites as they have been on .com sites, even if cookie use is necessary to deliver better service, like the renewal of licensing or other documents.

The updated guidance also makes clear to agencies that they must make e-services and information that are available on third-party services available on their .gov websites as well. Specifically, the memo states that:

Agencies should also provide individuals with alternatives to third-party websites and applications. People should be able to obtain comparable information and services through an agency’s official website or other official means. For example, members of the public should be able to learn about the agency’s activities and to communicate with the agency without having to join a third-party social media website. In addition, if an agency uses a third-party service to solicit feedback, the agency should provide an alternative government email address where users can also send feedback.

Citizens that visit .gov websites over the next year, in other words, should expect to find the same information that they’d see on an agency Facebook page, along with an email address to contact the relevant officials.

New online privacy guidance

While the new policy allows the use of cookies, its also requires government agencies to take specific steps to protect privacy when using third-party websites and applications. According to the FAQ releases by OMB, these include:

  • Examining the third party’s privacy policies to evaluate the risks and determine whether the website or application is appropriate for the agency’s use. The third party’s policies should be monitored for changes and the risks should be periodically reassessed.
  • Performing a Privacy Impact Assessment to evaluate the privacy implications, to identify appropriate safeguards, and to ensure that such safeguards are in place. Generally, these assessments should be posted on the agency’s website.
  • Updating the agency’s privacy policy to inform the public about its practices with respect to any personally identifiable information that will be available to the agency. The privacy policy should be centrally located on the agency’s website.
  • To the extent practicable, providing a privacy Nnotice on the specific website or application that the agency is using. The notice should give people an opportunity to understand the agency’s practices before engaging with the agency.

OMB guidance for agency use of third-party websites and applications

“The central goal is to respect and safeguard the privacy of the American public while also increasing the Federal Government’s ability to serve the public by improving and modernizing its activities online,” wrote Orzag. “Any use of such technologies must be respectful of privacy, open, and transparent, and solely for the purposes of improving the Federal Government’s services and activities online.”

OMB guidance for online use of web measurement and customization technologies

The memorandum on the use of Web measurement and customization technologies establishes new procedures and provides updated guidance and requirements for agency use of Web measurement and customization technologies. Almost exactly a decade ago, on June 22, 2000, OMB issued memorandum M-00-13, which was then updated by memorandum M-03-22. These memoranda prohibited the use of technologies, including persistent cookies, that allow website publishers to measure traffic and customize user experience unless a government agency head approved the use of such technologies “due to a compelling need.”

That restriction effectively led to a ban on Web analytics on .gov websites, despite
widespread public acceptance of their use on commercial .com websites. That deprived government webmasters of the ability to customize user experiences or measure the success of campaigns or redesigns. As government websites implement the new OMB policy, both government agencies and citizens consuming their pages should benefit from the change.

Audio of the press call on the new government cookie policy is available at

tags: ,