TREASURY DIRECTIVE 81-08

Date: January 10, 2002

Sunset Review: January 10, 2006

SUBJECT: Certification Process for the Use of Persistent Cookies on Treasury Web Sites

1. PURPOSE. This Directive establishes the process for obtaining the certification for use of "persistent cookies" on Treasury web sites accessible to the public. This Directive also provides the guidelines for posting the appropriate notices on Department web sites that have received such certification.

2. POLICY. The use of "persistent cookies" on any Treasury web site without prior certification by the Department of the Treasury is prohibited. The use of "session cookies" is an acceptable practice. In addition, the approval of a certification for use of "persistent cookies" shall only be granted when the bureau or office has presented documentation which details a compelling need to gather necessary data on the subject web site. Finally, the authority to approve such use may only be granted by the Secretary of the Treasury. When the requisite approval has been granted by the Secretary, the Deputy Assistant Secretary for Information Systems and Chief Information Officer (DASIS/CIO) will notify the requesting bureau or office via memorandum which will also serve as the certificate of use.

3. DEFINITIONS.

a. Persistent Cookie. A small text record placed on the hard drive of a computer used by an individual or other entity who has accessed the web site. This "cookie" facilitates the transaction between the user and the web site and is left on the individual’s hard drive after session termination.

b. Session Cookie. The definition for this type of cookie is the same as the definition for persistent cookie. The principal difference is the session cookie text record is eradicated at the time the user closes the browser application, inasmuch as it is only held in dynamic memory and is never written to the hard drive.

c. Certificate of Use. The certification is the memorandum issued by the DASIS/CIO upon receipt of approval by the Secretary.

d. Compelling Need. The compelling need is the documented justification that demonstrates the necessity for the use of a persistent cookie, including business or technical requirements.

e. Exit Banner. This prominently-displayed banner gives notification to the user that he/she is leaving a Treasury publicly-accessible web site.

f. Web Site. A web site is any Internet site accessible by the public or other users external to Treasury’s bureaus and offices.

4. PROCEDURES FOR COOKIE REQUESTS. These procedures are used whenever bureaus and offices may identify new requirements that necessitate the use of persistent cookies, and for requests to continue the ongoing use of existing cookies.

a. Requests for Approval of New Cookies. When a bureau determines there is a need for the use of persistent cookies, it must prepare a document containing the information below prior to implementing the proposed action. The requesting bureau or office must:

(1) Prepare a written request for the use of a persistent cookie that outlines a "compelling need to gather such data,"

(2) Include strong justification of the compelling need,

(3) Explain how the cookie data will be protected,

(4) Propose language that will inform potential users of the bureau's cookie policy, and

(5) Forward the request to the DASIS/CIO for review and approval by the Secretary.

b. Notification of Approval. Upon receipt of the completed package, the DASIS/CIO will review the documentation and forward it to the Secretary who will evaluate each request on a case-by-case basis. If the Secretary approves the request, the DASIS/CIO will transmit the approval in writing to the requesting bureau or office. The memorandum transmitting the approval will serve as the certificate of use.

c. Current Cookie Use Approval. Bureaus with approval for continued use of persistent cookies must comply with the following steps:

(1) Post a prominently-displayed banner on the home page web site that informs all prospective users that persistent cookies are employed on that site,

(2) Include language in the banner that provides the appropriate assurance that all information collected through the use of the persistent cookies will be maintained in accordance with the statutory requirements of the Privacy Act, when applicable.

d. Current Status of Persistent Cookie Use. At the present time, each bureau or office using persistent cookies has received the Secretary’s approval. Any bureau using such cookies must submit a justification of compelling need within five business days of the issuance of this directive or terminate the use of these cookies immediately.

5. RELATED ISSUES. Of paramount importance when employing persistent cookies, the bureau/office must ensure that the information that is collected is properly protected. No bureau or office may share any information collected through the use of persistent cookies with any entity outside of the organization. To this end, the Office of Management and Budget (OMB) has issued guidance to all executive agencies concerning privacy policy statements.

a. Privacy Policy Statements. In addition to the information regarding the use of persistent cookies, each bureau and office must prominently display statements of the organization’s privacy policy. OMB Memorandum M-99-18, dated June 2, 1999, and its attachment contain samples of language for appropriate privacy policy statements. Each bureau and office should review the five examples in the attachment and determine which example is most appropriate, depending on the purpose and function of the bureau or office web site.

b. Exit Banners. Finally, as a means of providing complete service to Treasury’s customers, exit banners should be prominently displayed as a means of alerting users that they are leaving the Treasury web site. This notification should inform the user that he/she may be exiting to another site that employs different privacy procedures than those used by the Treasury web site.

(1) Bureaus and offices must complete the implementation of exit banners for public websites by January 31, 2002. At that time, Treasury’s Internet/Intranet Program Manager will canvass the bureaus and offices to ensure the action is complete.

(2) Each bureau and office must implement the use of exit banners to all other domain links including publicly accessible government websites not later than March 31, 2002.

c. Department-wide Website Inventory. Each bureau and office must annually update its website inventory and forward a copy of the inventory to the Department’s Internet/Intranet Program Manager.

6. GUIDELINES. The statutory and policy guidance applicable to the use of persistent cookies is cited below and should be referred to when considering whether or not to employ such a tool.

a. The use of persistent cookies must be consistent with Section 639 of the 2002 Treasury and General Government Appropriations Act, Title VI, Public Law 107-67, dated November 12, 2001.

b. OMB has published the guidance for privacy policy statements and the collection of data through the issuance of two separate memoranda. For privacy policy statement guidance, the applicable memorandum is OMB Memorandum (M-99-18), dated June 2, 1999. For data collection, bureaus and offices should refer to the June 22, 2000 Memorandum, Privacy Policies and Data Collection on Federal Web Sites (M-00-13).

7. RESPONSIBILITIES. The responsibility for the approval of the use of persistent cookies shall rest with the Secretary. The coordination of the approval process and the enforcement of this policy shall rest with the DASIS/CIO.

8. OFFICE OF PRIMARY INTEREST. The Office of Information Technology Policy and Strategy, Office of the Deputy Assistant Secretary (Information System)/Chief Information Officer, Office of the Assistant Secretary for Management and Chief Financial Officer.


/S/
James J. Flyzik
Acting Assistant Secretary for Management
and Chief Information Officer