DATE: April 29, 2015
SUBJECT: Certification Process for the Use of Web Measurement and Customization Technologies on Treasury Websites
1. PURPOSE. This Directive establishes the process for obtaining certification for the use of Web Measurement and Customization Technologies, including “Cookies,” on the Department of the Treasury’s (“Treasury” or “Department”) Public Access Websites. Any use of such technologies must be respectful of privacy, open and transparent, and solely for the purposes of improving the Department’s services and activities online. In accordance with Office of Management and Budget (OMB) Memorandum 10-22 (M-10-22), “Guidance for Online Use of Web Measurement and Customization Technologies,” the Directive also establishes the required steps for obtaining approval from the Deputy Assistant Secretary for Information Systems and Chief Information Officer (DASIS/CIO) for the use of Tier 3 multi-session technology that collects Personally Identifiable Information (PII).
2. SCOPE. This directive applies to all bureaus, offices, and organizations in the Department, including the Offices of Inspectors General within the Department. The provisions of this directive shall not be construed to interfere with or impede the authorities or independence of the Department’s Inspectors General. Pursuant to M-10-22, it does not apply to internal agency activities (such as intranets, applications, or interactions that do not involve the public) or to authorized law enforcement, national security, or intelligence activities.
3. POLICY. Treasury uses Web Measurement and Customization Technologies to measure and analyze the use of its online services and to improve the Department’s services and activities online.
a. When employing such technologies, it is the policy of the Department to:
1) use technologies that allow members of the public to easily opt-out of Web Measurement and Customization Technologies with respect to their activities;
2) provide users who decline to opt-in or decide to opt-out with access to information and services that are comparable to the information and services available to users who opt-in or decline to opt-out;
3) use web tracking and measurement technologies to remember that a user has opted out of all other uses of such technologies on the relevant domain or application;
4) retain data collected from Web Measurement and Customization Technologies for only as long as necessary to achieve the specific objective for which it was collected;
5) provide users clear and conspicuous notice (e.g., through the use of a Privacy Policy) of the decision to enable such technologies and, if applicable, the appropriate approval for use of a Tier 3 technology, Privacy Impact Assessment (PIA), and/or System of Records Notice (SORN);
6) only use Tier 3 technologies that require users to opt-in, that are reviewed by the Department’s Deputy Assistant Secretary for Privacy Transparency and Records (DASPTR), and that have written approval from the DASIS/CIO;
7) provide the public with a minimum of 30 days, unless waived by DASIS/CIO, to comment on any new proposed use of a Tier 3 technology or substantive changes to existing uses of such technologies;
8) annually review its systems and procedures to ensure that they are in compliance with this Directive, as well as all applicable legal, regulatory, and policy requirements; and
9) make the results of its annual review available to the public through the Department’s Open Government Initiative web page.
b. Under no circumstances will Treasury:
1) track individual-level user activity on the Internet outside of the website or application from which the technology originates;
2) share the data obtained through such technologies with other departments or agencies, without the user’s explicit consent;
3) cross-reference, without the user’s explicit consent, any data gathered from Web Measurement and Customization Technologies against PII to determine individual-level online activity;
4) collect PII without the user’s explicit consent in any fashion; or
5) use such technologies in a manner otherwise prohibited by OMB.
4. DEFINITIONS.
a. Certificate of Use. Certification issued by the DASIS/CIO that serves as the explicit written approval necessary to use Tier 3 technologies.
b. Cookie. A small text record placed on the hard drive of a computer that facilitates the transaction between the user and the website. In certain instances, the text may be left on the user’s hard drive following the session’s termination.
c. Personally Identifiable Information (PII). Information that can distinguish or trace an individual's identity, such as their name, social security number, or biometric records, alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, and mother’s maiden name.
d. Public Access Website. Any Internet site accessible by the public or other users external to Treasury’s bureaus and offices.
e. Web Measurement and Customization Technologies. Technologies used to remember a user’s online interactions with a website or online application in order to conduct measurement and analysis of usage or to customize the user’s experience.
1) Tier 1 technologies – single session. These technologies remember a user’s online interactions within a single session or visit. Any identifier correlated to a particular user is used only within that session, is not later reused, and is deleted immediately after the session ends. (Example: When a user visits a government website to view statistical data and run searches, a session cookie is created to enhance website navigation during the time the user is logged into the website. Any tracking data is deleted when the session ends.)
2) Tier 2 technologies – multi-session without PII. These technologies remember a user’s online interactions through multiple sessions. This approach requires the use of a persistent identifier for each user, which lasts across multiple sessions or visits. This Tier encompasses any use of multi-session Web Measurement and Customization Technologies when no PII is collected (including when the agency is unable to identify an individual as a result of its use of such technologies). (Example: An analyst wants to monitor internet traffic across a Public Access Website. To monitor the traffic the analyst uses a cookie to track users. The cookie does not require the user to provide any personal information and uses a random string of alpha-numeric characters that only the analyst who set the cookie can read.)
3) Tier 3 technologies – multi-session with PII. These technologies encompass any use of multi-session Web Measurement and Customization Technologies when PII is collected (including when the agency is able to identify an individual as a result of its use of such technologies). (Example: A user registers on a Treasury website to order statistical data products. The user’s IP address, credit card number, and expiration date are retained for subsequent transactions on the website.)
5. RESPONSIBILITIES.
a. The Deputy Assistant Secretary for Information System and Chief Information Officer (DASIS/CIO) shall:
1) review and approve or deny all requests for the use of Tier 3 technologies;
2) review all requests to waive the 30-day required notice and approve or deny the request accordingly; and
3) issue Certificates of Use for Tier 3 technologies that will serve as the written authorization for such technologies.
b. The Deputy Assistant Secretary of Privacy, Transparency and Records (DASPTR) shall:
1) review all requests for the use of Tier 3 technologies or substantive changes to existing uses of such technologies;
2) inform the Senior Agency Official for Privacy of proposals for the use of Tier 3 technologies or substantive changes to existing uses of such technologies;
3) solicit public comment through Treasury’s Open Government Initiative web page, with a minimum comment period of 30 days (unless waived by the DASIS/CIO), on the proposed use of Tier 3 technologies or substantive changes to existing uses of such technologies. The description of the Tier 3 technologies will include:
(1) those items enumerated in OMB M-10-22, Attachment 3; and
(2) a description of the PII (including each data element) that will be collected, used and/or accessed;
4) review comments received during the 30-day public comment period and work with the appropriate Privacy and Civil Liberties Officer to ensure that any necessary changes are made to the intended use of the technology;
5) sign and submit a written request for a Certificate of Use to the DASIS/CIO;
6) annually review the Department’s ongoing use of Web Measurement and Customization Technologies, as well as the associated policies and procedures, to ensure that they are in compliance with applicable legal, regulatory, and policy requirements; and
7) make the results of annual review of Web Measurement and Customization Technologies available to the public through the Department’s Open Government Initiative web page.
c. The Heads of Bureaus and the Inspectors General, as it relates to their respective bureau and office, shall:
1) work with their respective Privacy and Civil Liberties Officer to ensure all legal, regulatory, and policy requirements are met when procuring and subsequently employing Web Customization and Measurement Technologies; and
2) annually review their systems and procedures to ensure they are in compliance with this Directive, as well as all other applicable legal, regulatory, and policy requirements.
d. Any Treasury component proposing to employ or substantively change an existing use of a Tier 3 technology shall:
1) coordinate all new proposals of Tier 3 technologies or substantive changes to existing uses of such technologies with the DASIS/CIO and the DASPTR;
2) prepare a written request for a Certificate of Use that includes:
a) a description of the proposed technology, including how it improves the Department’s services and activities online, and the PII that it collects;
b) an explanation of how the PII collected by the technology will be protected;
c) the anticipated data retention period; and
d) proposed language, if applicable, to inform potential users of the policies associated with the use of the technology, including the opt-in functionality, and the alternate access paths for users who decline to opt-in or decide to opt-out.
3) consider if the required 30-day notice-and-comment process is reasonably likely to result in serious public harm, and if so, submit a written request to the DASIS/CIO to waive this requirement;
4) submit a written request for a Certificate of Use to the DASPTR for review;
5) review and consider substantive comments received during the 30-day public comment period, if applicable, and make changes to the intended use of the technology where appropriate;
6) upon receipt of the approved Certificate of Use, review and revise any relevant privacy policies to include those items enumerated in OMB M-10-22, Attachment 3, as necessary.
6. AUTHORITIES.
a. OMB Memorandum 10-22, “Guidance for Online Use of Web Measurement and Customization Technologies.”
b. OMB Memorandum 10-06, “Open Government Directive.”
c. OMB Memorandum 05-04, “Policies for Federal Agency Public Websites.”
d. OMB Memorandum 03-22, “OMB Guidance for Implementing Privacy Provisions of the E-Government Act of 2002,” as amended by OMB Memorandum 10-22.
e. OMB Memorandum 07-16, “Safeguarding Against the Breach of Personally Identifiable Information.”
7. REFERENCES.
a. OMB Memorandum 99-18, “Privacy Policies on Federal Websites.”
b. Privacy Act of 1974, 5 U.S.C. § 552a, as amended.
8. CANCELLATION. Treasury Directive 81-08, “Certification Process for the Use of Persistent Cookies on Treasury Websites,” dated January 10, 2002, is superseded.
9. OFFICE OF PRIMARY INTEREST. Office of the Deputy Assistant Secretary for Information System and Chief Information Officer, Office of the Deputy Assistant Secretary for Privacy, Transparency, and Records, and Office of the Assistant Secretary for Management.
/S/
Brodi Fontenot
Assistant Secretary for Management