
Web Measurement and Customization Tech Policy

U.S. Department of Commerce

Office of the Chief Information Officer

Web Measurement and Customization Technologies

Policy

Background

It has become standard practice for commercial Web sites to use Web measurement and customization technologies to engage with members of the public. Corporations and other non-governmental organizations have found that these technologies provide new ways to communicate and engage with their customers, stakeholders, and the general public. In recognition of the usefulness of Web measurement and customization technology, the Office of Management and Budget (OMB) has lifted its former prohibition on the use of certain multisession customization technologies on federal agency Web sites. The Commerce Department will take advantage of this policy change to better engage with citizens, explain our programs and activities, encourage public comments, and improve the delivery of services.

Policy

To optimize user experience and provide statistically accurate data about use of Web sites, the Department of Commerce allows the use of Web measurement and customization technologies. These technologies include, but are not limited to, cookies. Cookies are pieces of text placed in the user’s browser to track the user’s activity on a Web site and customize the user experience.

Scope

All Department of Commerce operating unit public-facing Web sites are covered. This policy does not apply to Commerce operating unit intranets. Commerce Web sites using tracking technologies that do not collect personally identifiable information (PII) from the public do not require authorization.

Purpose

This policy is designed to ensure that the Department of Commerce's operating units and organizational components comply with directives from OMB designed to protect personal privacy while successfully employing Web customization and measurement technologies.

Effective Date

Immediate.

Guidance

The Department of Commerce's Web policy on Privacy Policy Statements and Information Collection and, in particular, this policy on the use of Web measurement and customization technologies are designed to fully implement guidance issued by OMB. In some cases, third-party Web sites or applications use Web measurement and customization technologies solely for the third party’s own purposes. This Commerce policy does not apply as long as third parties do not use Web measurement and customization technologies on behalf of the Commerce operating unit, and personally identifiable information (PII), or any information that could be used to determine an individual’s online activity derived from such uses, is not shared with the Commerce operating unit.

Additionally, any Commerce Web site that contains PII must have a privacy impact assessment (PIA) approved by the Commerce Chief Privacy Officer (CPO). The Commerce IT Privacy Policy explains what a PIA must contain. Commerce has adopted OMB’s three tier designations for the authorized use of Web measurement and customization technologies:

Tier 1 – Single session. This technology tracks the user’s online interactions within a single session or visit to a single Web site. Any information related to a particular visit to the Web site is deleted from the user’s computer immediately after the session ends. No Department of Commerce permission is required.

Example: A user visits a government Web site to view statistical data and run searches. A session cookie is created to enhance site navigation during the time the user is logged into the Web site. Any tracking data is deleted when the session ends.

Tier 2 – Multi-session without PII. This type of technology notices when a user returns to a Web site and remembers his or her online interactions and preferences across multiple sessions, typically for the purpose of Web analytics, but also for customizing the user’s online experience. No Department of Commerce permission is required.

Example: A user visits a Commerce Web site for the weather forecast in their area. Once they enter their zip code, the site stores that information and returns a personalized weather forecast each time the user returns.

Tier 3 – Multi-session with PII. This type of tracking mechanism is the same as Tier 2, but ties the tracking mechanism to the user’s PII. Tier 3 use requires a much more intensive process to ensure it complies with OMB’s guidance. Department of Commerce permission is required.

Example: A user registers on a Commerce Web site to order statistical data products. The user’s IP address, credit card number, and expiration date are retained for subsequent transactions on the Web site.

Approval Process for Tier 3 Technologies

Commerce operating units must seek permission from the Department’s Chief Privacy Officer (CPO) and Chief Information Officer (CIO) before Tier 3 technology can be deployed on a Commerce public-facing Web site. Operating units employing Tier 3 technologies must use opt-in functionality.

• Requests for permission must be submitted through the requestor’s operating unit’s CIO for approval. The request must describe the proposed use and the need to employ Tier 3 technologies. The operating unit’s CIO will coordinate review and approval with the operating unit’s CPO or privacy contact. The operating unit’s CIO will then forward approved requests to the Commerce CIO, who will review the request jointly with the Commerce CPO.

• Operating units deciding to use Tier 3 technologies must allow for at least 30 days’ notice for the public to comment. The notice for public comment will be posted on the Department of Commerce Open Government Web site at www.commerce.gov/open by the Office of Privacy and Open Government. A Tier 3 comment mailbox will be used to receive comments from the public on this Web site. The Commerce CPO and CIO will review the comments, determine if the operating unit’s proposed use of Tier 3 technologies must be modified, and advise the requesting operating unit accordingly.

• The Commerce Office of the CIO will maintain an inventory of all approved Tier 3 usage.

Content for Web Privacy Policies

As outlined in OMB Memorandum M-10-22, “Guidance for Online Use of Web Measurement and Customization Technologies,” the following items must be added as part of each operating unit’s public-facing Privacy Policy in any instance when Web measurement and customization technologies are used:

    • The purpose of the Web measurement and/or customization technology.

    • The usage tier, session type, and technology used.

    • The nature of the information collected.

    • The purpose and use of the information.

    • Whether and to whom the information will be disclosed.

    • The privacy safeguards applied to the information. Cite whether or not a PIA or Systems of Records Notice (SORN) is associated with the Web site.

    • The data retention policy for the information.

    • Whether the technology is enabled by default or not and why.

    • How to opt out of the Web measurement and/or customization technology; it is essential that this process be transparent and easy to follow.

    • A statement that opting out still permits users to access comparable information or services.

    • The identities of all third-party vendors involved in the measurement and customization process.

    • If Tier 3 technologies are employed, the policy must refer to the fact that public notice and comments were sought. Also note that both the CPO and CIO provided written approval for the use of Tier 3 technologies on the Web site.

Resources

President Barack Obama, Memorandum on Transparency and Open Government, January 21, 2009.

OMB Memorandum M-09-12, President’s Memorandum on Transparency and Open Government – Interagency Collaboration, February 24, 2009.

OMB Memorandum M-10-06, Open Government Directive, December 8, 2009.

OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, June 25, 2010.

OMB Memorandum M-10-23, Guidance for Agency Use of Third Party Websites and Applications, June 25, 2010.

Commerce Social Media Policy, Policy on the Approval and Use of Social Media and Web 2.0, December 9, 2010.

Commerce IT Privacy Policy and Privacy Impact Assessment Description, IT Privacy Policy.

Commerce's Web policy on Privacy Policy Statements and Information Collection

Contacts for Additional Information

• Office of the General Counsel, General Law Division (202-482-5951 or epackard@doc.gov).

• Linel Soto, Office of IT Policy and Planning, OCIO (202-482-0266 or LSoto@doc.gov).

• Mike Kruger, Director of New Media, Office of Public Affairs, (202-482-2556 or mkruger@doc.gov)

• Catrina Purvis, Chief Privacy Officer and Director of Open Government (202-482-3463 or cpurvis@doc.gov)

• Wendy Couch, Records Management Officer, OCIO (202-482-4559 or wcouch@doc.gov)

Date of policy superseded: None

Revision status: None

Approved by Simon Szykman, Chief Information Officer, 9/27/2011