White House abolishes decade-old cookies ban

As expected, White House officials on Friday rolled back a 10-year-old prohibition on web-tracking devices called cookies, a policy that online experts said prevented agencies from personalizing online services to engage the public.

For nearly a year, the Office of Management and Budget had been consulting with privacy advocates and agencies to update the policy in a way that would bring government sites into the 21st century, where people are accustomed to navigating commercial websites that rely on cookies, but also protect visitors' privacy. The ban initially was instituted to uphold civil liberties. But many agencies found legal work-arounds to use the tools.

"Our view is that this is going on already and it has been for many years, and it's important that we set down a clear set of rules for the road so that agencies are confident they are doing it in . . . a way that really respects privacy," said Michael Fitzpatrick, associate administrator of OMB's Office of Information and Regulatory Affairs.

Cookies are small files deposited on Internet users' computers when they visit a website. They often store the Web pages a visitor regularly views and other preferences, as well as measure the site's traffic volume and visitor demographics.

Friday's policy takes pains to limit the collection of personally identifiable information that can be combined to discern an individual's name, such as the series of numbers that identify a user's computer, personal mailing addresses and e-mail addresses. Agencies can gather such information only if a user consents. In addition, agencies must give 30 days' notice to the public and seek citizens' input before moving ahead with the technology.

Websites will be barred from tracking a visitor's activity on nongovernment sites and from sharing with other agencies the data they collect without gaining the user's permission first. Agencies can cross-reference the information they collect with personally identifiable information to further analyze visitors' activity only with their explicit consent.

To finalize the new rules, White House officials met with privacy groups including the Electronic Privacy Information Center and the Center for Democracy and Technology, as well as federal chief information officers, agency Web managers and Web analytics companies.

In a related move, OMB added privacy stipulations to existing guidance on the use of other organizations' social media tools such as YouTube. "Agencies must go back and review their current relationship with third parties and bring them into compliance with this new guidance," Fitzpatrick said.

Many agencies use online community sites such as Facebook and YouTube to interact with citizens and involve them in policymaking. "What has been missing is a clear set of guidelines with respect to privacy protections when they engage in these practices," Fitzpatrick said.

Under the new rules, agencies partnering with a third-party website must review the other entity's privacy policy to determine whether it is appropriate for the agency, he said. The policy also requires agencies to conduct a privacy impact assessment that examines whether controls are in place to comply with federal privacy regulations. In addition, officials must update their agency's privacy policies to inform the public that third parties could be providing the agency with personally identifiable information.
