Web Measurement Guidance

Web Measurement Guidance m10-221.pdf

Survey of Coal Mine Safety Interventions


OMB: 0920-0862

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503

THE DIRECTOR

June 25, 2010

M-10-22
MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
FROM: Peter R. Orszag
Director

SUBJECT: Guidance for Online Use of Web Measurement and Customization Technologies

On January 21, 2009, the President issued a memorandum calling for the establishment of
“a system of transparency, public participation, and collaboration.” 1 The memorandum required
an Open Government Directive to be issued by the Director of the Office of Management and
Budget (OMB), instructing “executive departments and agencies to take specific actions
implementing the principles set forth in this memorandum.” Implementing the President’s
memorandum, OMB’s Open Government Directive requires a series of measures to promote the
commitments to transparency, participation, and collaboration. 2

As the Internet continues to evolve, the Federal Government has new opportunities to
promote these commitments by engaging with citizens, explaining what Federal agencies are
doing, seeking public comments, and improving the delivery of services. In the private sector, it
has become standard for commercial websites to use web measurement and customization
technologies to engage with members of the public.

For government agencies, the potential benefits of web measurement and customization
technologies are clear. With the help of such technologies, agencies will be able to allow users
to customize their settings, avoid filling out duplicative information, and navigate websites more
quickly and in a way that serves their interests and needs. These technologies will also allow
agencies to see what is useful to the public and respond accordingly. Services to customers and
users can be significantly improved as a result.

1 President Barack Obama, Memorandum on Transparency and Open Government (Jan. 21, 2009), available at
http://www.gpoaccess.gov/presdocs/2009/DCPD200900010.pdf
2 OMB Memorandum M-10-06, Open Government Directive (Dec. 8, 2009), available at
http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-06.pdf

At the same time, OMB is acutely aware of, and sensitive to, the unique privacy
questions raised by government uses of such technologies. Any such uses must not compromise
or invade personal privacy. It is important to provide clear, firm, and unambiguous protection
against any uses that would compromise or invade personal privacy.

This Memorandum establishes new procedures and provides updated guidance and
requirements for agency use of web measurement and customization technologies. The central
goal is to respect and safeguard the privacy of the American public while also increasing the
Federal Government’s ability to serve the public by improving and modernizing its activities
online. Any use of such technologies must be respectful of privacy, open, and transparent, and
solely for the purposes of improving the Federal Government’s services and activities online.

For agency questions about this Memorandum, agencies should contact OMB at
infopolicy-oira@omb.eop.gov.

Thank you for your cooperation.

Attachments


Attachment 1
Principles for Federal Agency Use of Web Measurement and Customization Technologies
1. General.
Scope and applicability. This guidance applies to any Federal agency use of web
measurement and customization technologies. This guidance is not limited to any
specific technology or application (such as persistent cookies), and it includes Federal
agency use of third-party web measurement and customization technologies. Whenever
an agency uses third-party websites or applications to engage with the public, it should
refer to OMB’s memorandum providing Guidance for Agency Use of Third-Party
Websites and Applications. 3 In some cases, the third-party websites or applications use
web measurement and customization technologies solely for the third party’s own
purposes. This guidance does not apply as long as (1) third parties do not use web
measurement and customization technologies on behalf of a Federal agency, and (2)
Personally Identifiable Information (PII), or any information that could be used to
determine an individual’s online activity derived from such uses, is not shared with the
agency. However, agencies must consider the risk posed by such arrangements as part of
the Privacy Impact Assessment required in OMB’s memorandum providing Guidance for
Agency Use of Third-Party Websites and Applications.
This guidance does not apply to internal agency activities (such as on intranets,
applications, or interactions that do not involve the public) or to activities that are part of
authorized law enforcement, national security, or intelligence activities.
Modifications to current guidance. This Memorandum rescinds OMB Memorandum
M-00-13, Privacy Policies and Data Collection on Federal Web Sites, and the specified
sections in the following memorandum:
• OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy
Provisions of the E-Government Act of 2002: Section III(D)(2)(v) concerning tracking
and customization activities, and Section VII(B) regarding the reporting of tracking
technologies.

2. Definitions.
Web measurement and customization technologies. These technologies are used to
remember a user’s online interactions with a website or online application in order to
conduct measurement and analysis of usage or to customize the user’s experience.

3 OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25,
2010), available at http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-23.pdf

Single-session technologies. These technologies remember a user’s online interactions
within a single session or visit. Any identifier correlated to a particular user is used only
within that session, is not later reused, and is deleted immediately after the session ends.
Multi-session technologies. These technologies remember a user’s online interactions
through multiple sessions. This approach requires the use of a persistent identifier for
each user, which lasts across multiple sessions or visits.
Personally Identifiable Information (PII). This term, as defined in OMB
Memorandum M-07-16, 4 refers to information that can be used to distinguish or trace an
individual’s identity, either alone or when combined with other personal or identifying
information that is linked or linkable to a specific individual. The definition of PII is not
anchored to any single category of information or technology. Rather, it demands a case-by-case assessment of the specific risk that an individual can be identified. In performing
this assessment, it is important for an agency to recognize that non-PII can become PII
whenever additional information is made publicly available — in any medium and from
any source — that, when combined with other available information, could be used to
identify an individual.
3. Appropriate Use and Prohibitions. Subject to the limitations described below, agencies
may use web measurement and customization technologies for the purpose of improving
Federal services online through conducting measurement and analysis of usage or
through customization of the user’s experience.
Under no circumstances may agencies use such technologies:
a. to track user individual-level activity on the Internet outside of the website or
application from which the technology originates;
b. to share the data obtained through such technologies, without the user’s explicit
consent, with other departments or agencies;
c. to cross-reference, without the user’s explicit consent, any data gathered from
web measurement and customization technologies against PII to determine
individual-level online activity;
d. to collect PII without the user’s explicit consent in any fashion; or
e. for any like usages so designated by OMB.
4. Usage Tiers. Below are the defined tiers for authorized use of web measurement and
customization technologies.

4 OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable
Information (May 22, 2007), available at http://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf

a. Tier 1 – single session. This tier encompasses any use of single session web
measurement and customization technologies.
b. Tier 2 – multi-session without PII. This tier encompasses any use of multi-session web measurement and customization technologies when no PII is
collected (including when the agency is unable to identify an individual as a result
of its use of such technologies).
c. Tier 3 – multi-session with PII. This tier encompasses any use of multi-session
web measurement and customization technologies when PII is collected
(including when the agency is able to identify an individual as a result of its use of
such technologies).
5. Clear Notice and Personal Choice. Agencies must not use web measurement and
customization technologies from which it is not easy for the public to opt-out. Agencies
should explain in their Privacy Policy the decision to enable web measurement and
customization technologies by default or not, thus requiring users to make an opt-out or
opt-in decision. Agencies must provide users who decline to opt-in or decide to opt-out
with access to information that is comparable to the information available to users who
opt-in or decline to opt-out.
a. Agency side opt-out. Agencies are encouraged and authorized, where
appropriate, to use web tracking and measurement technologies in order to
remember that a user has opted out of all other uses of such technologies on the
relevant domain or application. Such uses are considered Tier 2.
b. Client side opt-out. If agency side opt-out mechanisms are not appropriate or
available, instructions on how to enable client side opt-out mechanisms may be
used. Client side opt-out mechanisms allow the user to opt out of web
measurement and customization technologies by changing the settings of a
specific application or program on the user’s local computer. For example, users
may be able to disable persistent cookies by changing the settings on commonly
used web browsers. Agencies should refer to
http://www.usa.gov/optout_instructions.shtml, which contains general instructions
on how the public can opt out of some of the most commonly used web
measurement and customization technologies.
c. Tier 3 restrictions. Agencies employing Tier 3 uses must use opt-in
functionality.
6. Data Safeguarding and Privacy. All uses of web measurement and customization
technologies must comply with existing policies with respect to privacy and data
safeguarding standards. If applicable, agencies must cite the appropriate Privacy Impact
Assessment (PIA) and/or System of Records Notice (SORN) in their online Privacy
Policy.


a. Comparable information and services. If agencies are using a website or
application hosted on a third-party site using web measurement and customization
technologies to which Federal privacy and data safeguarding standards do not
apply, they should provide the public with alternatives for acquiring comparable
information and services. For example, members of the public should be able to
learn about the agency’s activities or to communicate with the agency without
having to join a third-party social media website. If the third-party service is used
to solicit feedback, agencies should provide an alternative government email
address where users can also send feedback.
7. Data Retention Limits and Access Limits. Agencies may retain data collected from
web measurement and customization technologies for only as long as necessary to
achieve the specific objective for which it was collected. Moreover, only employees who
need to have access to the data should be allowed to do so.
a. Retention time. The time frame for retention of data must be both limited and
correlated to a specific objective. If not required by law, policy, or a specific need
for the web measurement or customization objective, agencies should limit the
retention of such data to one year or less.
b. Records disposition schedule. Information collected from web measurement
and customization technologies that is determined to be a Federal Record must
comply with Federal Records Act regulations. General Records Schedule 20
(GRS 20) pertains to Electronic Records; specifically, the disposition authority
cited in General Record Schedule 20 Item 1C, "Electronic Records"
(“Files/Records Relating to the Creation, Use, and Maintenance of Computer
Systems, Applications, or Electronic Records - Electronic files … created to
monitor system usage…”) is applicable to information collected from web
measurement and customization technologies. 5 Use of GRS 20 is mandatory for
those categories of electronic records described in the schedule unless the
agencies have requested an alternative disposition authority from the National
Archives and Records Administration.
8. Enforcement. To the extent feasible, technical enforcement mechanisms should be put
in place to implement stated retention times and to limit access to authorized personnel.
Where technical enforcement mechanisms are not feasible, policy or contractual
enforcement mechanisms must be present.
9. Verification. Agencies using web measurement and customization technology must
annually review their systems and procedures to demonstrate that they are in compliance
with this policy. The results of this review shall be posted on the agency’s “/open” page
located at www.[agency].gov/open, 6 with a mechanism for the public to provide feedback
on the results.

5 National Archives and Records Administration, Electronic Records, General Record Schedule 20 (2010), available
at http://www.archives.gov/records-mgmt/grs/grs20.html

Attachment 2
Process for Agency Use of Web Measurement and Customization Technologies
1. Privacy Policy. Federal agencies using web measurement and customization
technologies in a manner subject to Tier 1 or Tier 2 are authorized to use such
technologies so long as the agencies (1) are in compliance with this Memorandum and all
other relevant policies; (2) provide clear and conspicuous notice in their online Privacy
Policy citing the use of such technologies, as specified in Attachment 3; and (3) comply
with their internal policies governing the use of such technologies.
2. Privacy Office Review. Any proposals by the agency to engage in Tier 3 uses must be
reviewed by the Senior Agency Official for Privacy (SAOP). 7
3. Notice and Comment. Following SAOP review, for new proposals of Tier 3 uses or
substantive changes to existing uses of such technologies, agencies must:
a. Solicit comment through their Open Government Webpage at
www.[agency].gov/open for a minimum of 30 days. This notice and comment
must include the agency’s proposal to use such technologies and a description of
how they will be used, which should at a minimum address the items in the
Privacy Policy as described in Attachment 3; and
b. Review and consider substantive comments and make changes to their intended
use of web measurement and customization technologies where appropriate.
With written approval from a Chief Information Officer (CIO), agencies are exempt from
this requirement if the notice-and-comment process is reasonably likely to result in
serious public harm.
4. Tier 3 Review. Agencies using web measurement and customization technologies in a
manner subject to Tier 3 must have explicit written approval from their CIO. This
approval must be cited in the agency’s online Privacy Policy. After this approval has
been obtained and after notice and comment, as specified in (3) above, has been
completed, agencies are authorized to use Tier 3 web measurement and customization
technologies.
5. Previous Authorization for Use of Web Measurement and Customization
Technologies. Agencies that have received approval from their agency head under
previous guidance to use web measurement and customization technologies, or similar
technologies, must bring their previous use of such technologies into compliance with
this Memorandum within four months of the date of its publication.
6. Unauthorized Use. If any agency is found to be using web measurement and
customization technologies outside of the process or parameters specified in this
Memorandum, the agency must immediately cease use of such technologies and inform
OMB of the extent of such unauthorized use. OMB will respond as necessary and
appropriate.

6 See OMB Memorandum, M-10-06, Open Government Directive (Dec. 8, 2009) (requiring each agency to create a
“/open” webpage), available at http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-06.pdf
7 OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy (Feb. 11, 2005), available at
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-05.pdf


Attachment 3
Required Additions to the Agency Privacy Policy when
Web Measurement and Customization Technologies are Used
The following items must be added as part of the agency’s online Privacy Policy, if they are not
present, in any instance when web measurement and customization technologies are used:
i. the purpose of the web measurement and/or customization technology;
ii. the usage Tier, session type, and technology used;
iii. the nature of the information collected;
iv. the purpose and use of the information;
v. whether and to whom the information will be disclosed;
vi. the privacy safeguards applied to the information;
vii. the data retention policy for the information;
viii. whether the technology is enabled by default or not and why;
ix. how to opt-out of the web measurement and/or customization technology;
x. statement that opting-out still permits users to access comparable information or services;
and
xi. the identities of all third-party vendors involved in the measurement and customization
process.



File Type: application/pdf
File Title: Memorandum for the Heads of Executive Departments and Agencies
Subject: Memorandum for the Heads of Executive Departments and Agencies, Guidance for Online Use of Web Measurement and Customization Tec
Author: OMB
File Modified: 2010-07-27
File Created: 2010-06-25
