Internet Privacy: Implementation of Federal Guidance for Agency Use of Cookies

GAO-01-424 Published: Apr 27, 2001. Publicly Released: May 30, 2001.
Highlights

Federal agencies are using Internet "cookies" to enable electronic transactions and track visitors on their websites. Cookies are text files that have unique identifiers and are used to store and retrieve information that allows websites to recognize returning users, track on-line purchases, or maintain and serve customized web pages. This report discusses whether (1) federal websites complied with the Office of Management and Budget's (OMB) guidance on the use of cookies and (2) the guidance provided federal agencies with clear instructions on the use of cookies. GAO reviewed 65 websites randomly selected from the General Services Administration's government domain registry database between November 2000 and January 2001 to determine whether they used persistent cookies and whether such use was disclosed in the website's privacy policy. As of January 2001, most of the websites reviewed were following OMB's guidance on the use of cookies. Of the 65 sites GAO reviewed, 57 did not use persistent cookies and eight did. Of the eight sites using persistent cookies, four did not disclose such use in their privacy policy, and the remaining four did provide disclosure but did not meet OMB's other conditions for using cookies. In addition, four other sites that did not use cookies did not post privacy policies on their home pages. Those sites were taking, or planning to take, corrective action to address their noncompliance with OMB guidance. GAO found that although OMB's guidance proved useful in ensuring that federal websites address privacy issues, the guidance remained fragmented, with multiple documents addressing various aspects of Web site privacy and cookie issues. In addition, the guidance did not provide clear direction on the disclosure of session cookies.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: To clarify agency requirements on the use of automatic collections of information, including the use of cookies on their Web sites, the Director, OMB, in consultation with other parties, such as agency officials and the Chief Information Officers (CIO) Council, should unify OMB's guidance on Web site privacy policies and the use of cookies.
Status: Closed – Implemented. On September 26, 2003, OMB issued OMB Guidance for Implementing the Privacy Provisions of the E-government Act of 2002 (Memorandum-03-22). Section III of the memorandum unifies OMB's guidance on Web site privacy policies and the use of cookies.

Agency Affected: Office of Management and Budget
Recommendation: To clarify agency requirements on the use of automatic collections of information, including the use of cookies on their Web sites, the Director, OMB, in consultation with other parties, such as agency officials and the CIO Council, should clarify the resulting guidance to provide comprehensive direction on the use of cookies by federal agencies on their Web sites.
Status: Closed – Implemented. On September 26, 2003, OMB issued OMB Guidance for Implementing the Privacy Provisions of the E-government Act of 2002 (Memorandum-03-22). Section III of the memorandum provides comprehensive direction on the use of cookies by federal agencies on their Web sites.

Agency Affected: Office of Management and Budget
Recommendation: To clarify agency requirements on the use of automatic collections of information, including the use of cookies on their Web sites, the Director, OMB, in consultation with other parties, such as agency officials and the CIO Council, should consider directing federal agencies to disclose the use of session cookies in their Web site privacy notices.
Status: Closed – Implemented. On September 26, 2003, OMB issued OMB Guidance for Implementing the Privacy Provisions of the E-government Act of 2002 (Memorandum-03-22). Section III of the memorandum directs agencies to disclose, in their Web site privacy notices, what visitor information is being automatically collected by their Web sites, including information provided by session cookies.

Topics

Internet cookies, Internet privacy, Persistent cookies, Privacy policies, Session cookies, Websites, Privacy rights, Cookie, Federal agencies, Chief information officers