Internet Privacy:

Implementation of Federal Guidance for Agency Use of Cookies

GAO-01-424: Published: Apr 27, 2001. Publicly Released: May 30, 2001.

Additional Materials:

Contact:

Linda D. Koontz
(202) 512-7487
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Federal agencies are using Internet "cookies" to enable electronic transactions and track visitors on their websites. Cookies are text files that have unique identifiers and are used to store and retrieve information that allow websites to recognize returning users, track on-line purchases, or maintain and serve customized web pages. This report discusses whether (1) federal websites complied with the Office of Management and Budget's (OMB) guidance on the use of cookies and (2) the guidance provided federal agencies with clear instructions on the use of cookies. GAO reviewed 65 websites randomly selected from the General Services Administration's government domain registry database between November 2000 and January 2001 to determine whether they used persistent cookies and whether such use was disclosed in the website's privacy policy. As of January 2001, most of the websites reviewed were following OMB's guidance on the use of cookies. Of the 65 sites GAO reviewed, 57 did not use persistent cookies on their websites, eight used persistent cookies, four did not disclose such use in their privacy policy, and the remaining four sites using persistent cookies did provide disclosure but did not meet OMB's other conditions for using cookies. In addition, four other sites that did not use cookies did not post privacy policies on their home pages. Those sites were taking, or planning to take, corrective action to address their noncompliance with OMB guidance. GAO found that although OMB's guidance proved useful in ensuring that federal websites address privacy issues, the guidance remained fragmented, with multiple documents addressing various aspects of Web site privacy and cookie issues. In addition, the guidance did not provide clear direction on the disclosure of session cookies.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: On September 26, 2003, OMB issued OMB Guidance for Implementing the Privacy Provisions of the E-government Act of 2002 (Memorandum-03-22). Section III. of the memorandum unifies OMB's guidance on Web site privacy policies and the use of cookies.

    Recommendation: To clarify agency requirements on the use of automatic collections of information, including the use of cookies on their Web sites, the Director, OMB, in consultation with other parties, such as agency officials and the Chief Information Officers (CIO) Council, should unify OMB's guidance on Web site privacy policies and the use of cookies.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: On September 26, 2003, OMB issued OMB Guidance for Implementing the Privacy Provisions of the E-government Act of 2002 (Memorandum-03-22). Section III. of the memorandum provides comprehensive direction on the use of cookies by federal agencies on their Web sites.

    Recommendation: To clarify agency requirements on the use of automatic collections of information, including the use of cookies on their Web sites, the Director, OMB, in consultation with other parties, such as agency officials and the CIO Council, should clarify the resulting guidance to provide comprehensive direction on the use of cookies by federal agencies on their Web sites.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: On September 26, 2003, OMB issued OMB Guidance for Implementing the Privacy Provisions of the E-government Act of 2002 (Memorandum-03-22). Section III. of the memoranda directs agencies to disclose, in their web site privacy notices, what visitor information is being automatically collected by their web sites, including information provided by session cookies.

    Recommendation: To clarify agency requirements on the use of automatic collections of information, including the use of cookies on their Web sites, the Director, OMB, in consultation with other parties, such as agency officials and the CIO Council, should consider directing federal agencies to disclose the use of session cookies in their Web site privacy notices.

    Agency Affected: Executive Office of the President: Office of Management and Budget

 

Explore the full database of GAO's Open Recommendations »

Sep 20, 2016

Sep 15, 2016

Jun 29, 2016

Jun 21, 2016

Apr 28, 2016

Apr 14, 2016

Apr 12, 2016

Mar 23, 2016

Dec 17, 2015

Nov 17, 2015

Looking for more? Browse all our products here