
HHS IRM Policy for Usage of Persistent Cookies

January 8, 2001

HHS-IRM-2000-0009

Table of Contents

  1. Purpose
  2. Background
  3. Scope
  4. Policy
  5. Roles and Responsibilities
  6. Applicable Laws/Guidance
  7. Information and Assistance
  8. Effective Date/Implementation
  9. Approved
  10. Glossary


    1. Purpose

    This document establishes the policies and responsibilities for the Usage of Web Cookies by the Department of Health and Human Services (HHS) and its Agencies.

    2. Background

    On June 22, 2000, the Office of Management and Budget issued Memorandum M-00-13 on "Privacy Policies and Data Collection on Federal Web Sites" which included language on the usage of web cookies for tracking Internet visitors. The Federal CIO Council requested clarification to this memorandum on July 28, 2000. OMB provided specifications on "session" and "persistent" web cookies on September 5, 2000.

    "We are concerned about persistent cookies even if they do not themselves contain personally identifiable information. Such cookies can often be linked to a person after the fact, even where that was not the original intent of the web site operator. For instance, a person using the computer later may give his or her name or e-mail address to the agency. It may then be technically easy for the agency to learn the complete history of the browsing previously done by users of that computer, raising privacy concerns even when the agency did not originally know the names of the users.

    "We recognize that agency web sites can also seek information from visitors in ways that do not raise privacy concerns. Specifically, they may retain the information only during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different web sites. When used only for a single session or transaction, such information can assist web users in their electronic interactions with government, without threatening their privacy. One example of such an approach that supports electronic government would be the use of a shopping cart to purchase a number of items online from the U.S. Mint. Another example would be the current technology that assists users in filling out applications that require accessing multiple web pages on the Department of Education's Direct Consolidation Loan site. We do not regard such activities as falling within the scope of Memorandum 00-13."

    3. Scope

    This policy applies to all Departmental (Operating Division and Staff Division) web sites, whether owned and operated by HHS, or operated on behalf of HHS.

    4. Policy

    "Persistent" web cookies shall not be used on HHS web sites, or by contractors when operating web sites on behalf of HHS agencies, unless the following conditions are met:

    • The site gives clear and conspicuous notice;
    • There is a compelling need to gather the data on the site;
    • Appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the cookies; and
    • The HHS Secretary gives personal prior approval for the use.

    "Persistent" web cookies are defined as web cookies that can track "the activities of users over time and across different web sites."

    "Session" web cookies do not fall within the scope of this policy. Exempted cookies include those that retain information only during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different web sites. (Examples: for using a shopping cart to purchase a number of items online, or for filling out applications that require accessing multiple web pages.)

    Any HHS organization utilizing persistent cookies as of the date of issuance of this Policy shall submit a written waiver request to the HHS Secretary, through the HHS Deputy Assistant Secretary for Information Resources Management (DASIRM) within 14 calendar days.

    The OPDIVs shall register any usage of "persistent" cookies with the HHS Office of Information Resources Management quarterly. A master list of all HHS persistent cookies shall be maintained by the HHS Office of Information Resources Management.

    5. Roles and Responsibilities

    5.1 The HHS Secretary

    As required by OMB (see section 6.), the HHS Secretary is responsible for approving any usage of "persistent" cookies on HHS owned and/or sponsored web sites, prior to their usage.

    5.2 The Deputy Assistant Secretary for Information Resources Management (DASIRM)

    The Deputy Assistant Secretary for Information Resources Management (DASIRM) shall work with the OPDIV CIOs to ensure there is a compelling need to gather the data on the site, and the usage of "persistent" cookies is limited.

    The DASIRM shall ensure that Secretarial approval is acquired prior to the usage of "persistent" cookies; and shall maintain a record of any such approval.

    5.3 The OPDIV Chief Information Officers (CIOs)

    The OPDIV CIOs shall submit justification paperwork for any planned usage of "persistent" cookies, prior to their usage, to the HHS Secretary, through the DASIRM.

    The OPDIV CIOs shall ensure that

    • clear and conspicuous notice of "persistent" cookies usage is provided;
    • there is a compelling need to gather the data on the site;
    • appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the cookies; and
    • the Secretary’s prior personal approval is acquired.

    The OPDIV CIOs shall quarterly register any usage of "persistent" cookies with the DASIRM.

    5.4 The OPDIV Webmaster/System Administrator

    The OPDIV Webmaster/System Administrator shall be responsible for posting clear and conspicuous notice of any "persistent" cookies usage on their web site; and shall ensure that appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the cookies.

    6. Applicable Laws/Guidance

    The following executive documents are applicable:

    • OMB Memorandum M-00-13 (http://www.whitehouse.gov/OMB/memoranda/m00-13.html – 06/22/00)
    • Federal CIO Council clarification request (http://cio.gov/docs/Cookiesresponse.htm – 07/28/00)
    • OMB specifications letter (http://cio.gov/docs/OMBCookies2.htm – 09/05/00)

    7. Information and Assistance

    Direct questions, comments, suggestions or requests for further information to the Deputy Assistant Secretary for Information Resources Management, (202) 690-6162.

    8. Effective Date/Implementation

    The effective date of this policy is the date the policy is approved.

    The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

    9. Approved

    ____/s/____________________________ ___01/08/01___

    John J. Callahan
    Assistant Secretary for Management and Budget


    Glossary

    "Persistent" Web Cookies - A persistent web cookie is a web cookie that can track "the activities of users over time and across different web sites."

    "Session" Web Cookies - A session web cookie retains information only during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different web sites.

    Web Cookies - A cookie is a mechanism that allows the server to store its own information about a user on the user's own computer.
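    Added example, not part of this policy or of any HHS system: a Python helper that classifies Set-Cookie response headers as session or persistent, the technical property (an Expires or Max-Age attribute) that lets a cookie outlive the browser session and so be tied to a user over time, as the Policy section and the Glossary describe. It lists the persistent cookies that would be candidates for the quarterly register; the sample headers are constructed, and whether a persistent cookie actually tracks users across sites remains the CIO's judgment.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Iterable, List, Optional


@dataclass
class CookieRecord:
    name: str
    persistent: bool                  # True when the cookie outlives the session
    lifetime_seconds: Optional[int]   # None for session cookies


def classify_set_cookie(header_value: str, now: Optional[datetime] = None) -> CookieRecord:
    """Parse one Set-Cookie value. Per RFC 6265 a cookie is persistent when it
    carries Max-Age or Expires (Max-Age wins if both are present); otherwise it
    is discarded when the browser session ends."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        try:
            max_age = int(attrs["max-age"])
        except ValueError:
            max_age = None            # malformed Max-Age is ignored
        if max_age is not None:
            if max_age <= 0:          # Max-Age <= 0 deletes the cookie immediately
                return CookieRecord(name, False, None)
            return CookieRecord(name, True, max_age)
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return CookieRecord(name, False, None)   # unparseable date: treated as session
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return CookieRecord(name, True, int((exp - now).total_seconds()))
    return CookieRecord(name, False, None)


def inventory(headers: Iterable[str]) -> List[str]:
    """Names of persistent cookies: the set a webmaster would review for registration."""
    return sorted({r.name for r in map(classify_set_cookie, headers) if r.persistent})


# Constructed sample response headers (not captured from any real HHS site).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly; Secure",                       # session
    "cart=item42; Path=/shop; Secure",                                  # session (shopping cart)
    "visitor_id=7f3a; Expires=Wed, 09 Jan 2002 00:00:00 GMT; Path=/",   # persistent
    "prefs=lang=en; Max-Age=31536000; Path=/",                          # persistent (one year)
]
```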