OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies

On Friday, June 25th OMB released M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, the long awaited update to it's federal cookie policy.  The new policy rescinds OMB M-00-13, Privacy Policies and Data Collection on Federal Web Sites and updates OMB M-03-22 Guidance for Implementing the Privacy Provisions of the E-government Act of 2002 Section III(D)(2)(v) and Section VII(B). The new policy allows agencies to use both session and persistent cookies; however, it puts forward three tiers of acceptable use and five appropriate use prohibitions.

First and foremost I want to highlight the somewhat expanded definition of Personally Identifiable Information (PII) that the new policy puts forward.  While the memo still inherits the standard definition of PII from OMB M-07-16 it has added an excellent addendum: "The definition of PII is not anchored to any single category of information or technology. Rather, it demands a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available - in any medium and from any source - that, when combined with other available information, could be used to identify an individual." Privacy professionals have been saying this for years, great to see it finally codified in policy.

Below is an analysis of the privacy impact of the new memo and a break down of the new requirements.  I will warn you it is a bit lengthy...

Privacy Analysis

The bottom line is that cookies are now an acceptable technology within the Federal domain.  The memo is an improvement on the outright ban of cookies and will allow the government to take advantage of greater technologies to bolster open participation and Open Government directives.  However, the privacy protections and risk mitigation included by the policy are somewhat lacking and confusing. 

The policy directs agencies to update already largely unread and confusing privacy policies to effectively communicate this new technology.  However, the memo does not effectively communicate the issues at hand that well.  The policy rebrands the understood term "cookies" into "web measurement and customization technologies" adding a level of confusion and vagueness to the whole policy. The rebranding of persistent-cookies into "multi-session technology" is , to hazard a guess, a simple attempt to stay away from the terminology "persistent" and "cookies," which tend to get the tin-foil hat set riled up.

User choice of opting-in or opting-out is also presented in a confusing manner. Section 5(a) of the memo allows an agency to set a persistent (multi-session) cookie to inform the agency that the user does not want any OTHER agency cookies. To be clear: if a user opts-out of accepting agency cookies, the user will have a cookie set on his/her computer. The mere presence of that cookie is a data point that can be tracked. However, I will say that it is a technically savvy way of dealing with the issue. Unlike the advice given at Section 5(b), which refers the agencies to under the auspices of "containing general instructions on how the public can opt out of some of the most commonly used web measurement and customization technologies."   Upon review of the webpage, the general instructions are for users to simply block ALL cookies, thus impacting the overall web experience on non-Federal sites. This is bad advice, even if it is under the guise of "general instructions." Now that the federal government is using cookies one piece of advice it's offering is to break a key web resource (albeit one that enables tracking of individuals across the web). Further, with the weight of the Federal government behind this suggestion, it may be widely implemented without knowledge of its ramifications.  

Heather West of the Center for Democracy and Technology (CDT) puts it much more eloquently, "This is an entirely inadequate policy for OMB to be promoting, particularly when the explanation linked from the memo recommends disabling all first-party cookies (whereas a clear opt-out process would opt users out of only those tracking technologies employed by government agencies). A large majority of commercial websites rely on first-party cookies in order to function properly. Many of these sites instruct users to turn first-party cookies on if they are off. Thus, users who follow the guidance suggested by OMB will likely end up with no privacy protection at all. A more protective policy would have required agencies conducting measurement or customization on an opt-out model to provided targeted, highly-visible opt-out mechanisms."

I would like to see the resource as a one-stop shop for Federal cookies.  All domains, websites, and applications that will be using cookies should be listed there, sorted by agency.  Instructions should be given on how to block those specific domains, websites, or applications instead of blindly turning off all cookies.

Readers: what are your thoughts on the new policy?  Any ideas on a better opt-out system? 

The New Requirements

  1. Scope and applicability: Applies to any Federal agency use of web measurement and customization technologies (i.e. cookies used by the likes of Google Analytics and those used to remember user preferences respectively). The memo does not apply to internal agency activities such as intranet based applications.
  2. Definitions: The policy rebrands session and persistent cookies as "single-session" and "mutli-session technologies" respectively. If you are unclear on what web cookies are or how they work please read the following article that does an excellent job of explaining:
  3. Approved Usage Tier System:
    • Tier 1 - single session technologies - example:  a user lands on a federal agency webpage and that action is counted by third-party software such as Google Analytics.  The agency must provide clear and conspicuous notice in Privacy Policies that such activities are taking place.
    • Tier 2 - multi-session technology without PII - example: A cookie may be set remembering user preferences such as widgets displayed on a webpage or a webpage template. The agency must provide clear and conspicuous notice in Privacy Policies that such activities are taking place.
    • Tier 3 - multi-session technology with PII - example: A cookie may be set to remember user information such as name or username to remember preferences or make it easier to perform actions.  Tier 3 must use opt-in technology.  Further, Tier 3 use must be approved in writing by agency CIO, have been reviewed and approved by the agency SAOP, and go through a 30 day(minimum) public comment window.  The comments must be hosted on the Agency's Open government webpage ("www.[agency].gov/open").  Note: if the notice and comment process is likely to result in public harm, the CIO may provide written approve to exempt a Tier 3 use from such a process. 
  4. Appropriate Use and Prohibitions:  Under no circumstances may an agency make use of Tier 1, 2, or 3 technologies: 
    1. To track user individual-level activity on the Internet outside of the website or application from which the technology originates;
    2. To share the data obtained through such technologies, without the user's explicit consent, with other departments or agencies;
    3. To cross-reference, without the user's explicit consent, any data gathered from web measurement and customization technologies against PII to determine individual-level online activity;
    4. To collect PII without the user's explicitly consent in any fashion; or
    5. For any like usages designated by OMB.
  5. Data Retention Limits and Access Limits:
    Agencies may retain data collect from these technologies for only as long as necessary to achieve a specified objective for which it was collected.  This time frame must be both limited and correlated to a specific objective.  Unless otherwise instructed by law, policy, or specific need agencies should limit the retention of this data to one year or less. The data generated from these activities falls under the National Archives and Records Administration (NARA) General Records Schedule (GRS) 20 Item IC "Electronic Records" and must be handled per that schedules requirements.
  6. Notice and Personal Choice
    Users must be thoroughly informed that Federal websites are employing one Tier-type of this technology.  Users must also be allowed to opt-out or opt-in depending on the technology tier.  Agencies are encouraged and authorized to use Tier 2 (persistent cookie) technology that would remember that a user has opted-out of all other uses of such technologies on the relevant domain or application.  If such technology is not feasible, agencies should provide detailed instructions on how to opt-out of all agency cookie use.  These instructions should be posted within Agency privacy policies.
  7. Updating Privacy Policies:  This new OMB memo requires all agencies to update their Privacy Policy and provides 11 new items that must be addressed:
    1. the purpose of the web measurement and/or customization technology;
    2. the usage Tier, session type, and technology used;
    3. the nature of the information collected;
    4. the purpose and use of the information;
    5. whether and to whom the information will be disclosed;
    6. the privacy safeguards applied to the information;
    7. the data retention policy for the information;
    8. whether the technology is enabled by default or not and why;
    9. how to opt-out of the web measurement and/or customization technology;
    10. statement that opting-out still permits users to access comparable information or services; and
    11. the identities of all third-party vendors involved in the measurement and customization process