The following was released to FierceGovernmentIT prior to a press briefing on June 25.
Click here for the original, .doc version.

Updated Web Use Policies for Federal Government

OMB Director Peter Orszag spoke recently about the significant IT gap that has developed over the past decade and a half between the public and private sectors, contributing to the productivity divide between the two. He stressed that closing this IT gap is key to boosting efficiency and making government more open and responsive to the wants and needs of the public.

The web technology policy updates announced today will help to close that gap by availing the Federal Government to the critical innovations that Americans rely on. Tools like social networking sites, video uploading platforms, and customized information delivery will modernize government efforts and improve the delivery of services.

These changes are not new, but rather a much-needed upgrade to policies that were established over 10 years ago - before any of these innovations became a critical part of our day-to-day lives. As such, we're also updating the safeguards for web users to ensure that individual privacy continues to be protected.

There are two pieces to this policy update: a) enabling government agencies to use outside applications and web sites, and b) enabling the public and government agencies to benefit from web measurement and customization technologies. Both were developed with input from stakeholders across the political spectrum to ensure that legitimate privacy concerns are addressed.

Guidance for Agency Use of Third-Party Websites and Applications

Purpose

Enable government agencies to use outside applications and web sites that Americans rely on, while safeguarding individual privacy.

Background

Agencies have begun using third-party websites and applications to engage with the public.  These technologies - such as "social media" websites and "web 2.0" applications - provide exciting new opportunities for public participation and collaboration.  For example:

• President Obama has held online "Town Hall" meetings using a third-party website.
• FEMA uses a third-party website to host videos providing timely information to help people prepare for, respond to, and recover from disasters.
• The Department of State has used third-party websites to launch a Virtual Student Foreign Service that allows American students to conduct digital diplomacy.

Following the December 2009 Open Government Directive, OMB is releasing a memorandum to facilitate agencies' use of these new technologies while also safeguarding the privacy of the American public.  The guidance will protect individuals' privacy by establishing new requirements that agencies must meet before using these technologies.

Overview of the New Policy

The new policy requires agencies to take specific steps to protect privacy when using third-party websites and applications to engage with the public.  These steps include:

• Examining the third party's privacy policies to evaluate the risks and determine whether the website or application is appropriate for the agency's use. The third party's policies should be monitored for changes and the risks should be periodically reassessed.
• Performing a Privacy Impact Assessment to evaluate the privacy implications, to identify appropriate safeguards, and to ensure that such safeguards are in place. Generally, these assessments should be posted on the agency's website.
• Updating the agency's Privacy Policy to inform the public about its practices with respect to any personally identifiable information that will be available to the agency. The Privacy Policy should be centrally located on the agency's website.
• To the extent practicable, providing a Privacy Notice on the specific website or application that the agency is using. The notice should give people an opportunity to understand the agency's practices before engaging with the agency.

Together with OMB's existing policies, these new requirements will help agencies promote greater openness in government while protecting the privacy of individuals.

Guidance for Online Use of Web Measurement and Customization Technologies

Purpose

Enable the public and government agencies to benefit from secure web measurement and customization technologies, while safeguarding individual privacy.

Background

On June 22, 2000, OMB issued memorandum M-00-13, which was later updated by memorandum M-03-22, prohibiting the use of  technologies (such as persistent cookies) that enable web measurement and customization unless the agency head approved the use of these technologies due to a compelling need.  The result was a de facto ban on the use of these technologies by government websites.

Most commercial websites now use these technologies, with widespread public acceptance of their use.  Among other things, technologies such as persistent cookies enable websites to remember a visitor's preferences and settings, allowing for a more personalized, responsive, and user-friendly experience.  These technologies also facilitate accurate analytics of web traffic, which in turn helps inform decisions about how to improve a website and how to allocate resources efficiently.  With the implementation of this new OMB policy, we can ensure that government agencies and the public have the ability to benefit from these technologies.

Overview of the new policy

This new policy establishes procedures and provides updated guidance for Federal agency use of web measurement and customization technologies.  The central goal of the new policy is to improve the Federal Government's services online while also safeguarding the privacy of the American public visiting government websites.

While the potential benefits of web measurement and customization technologies are many, OMB is acutely aware of, and sensitive to, the privacy questions raised by government use of such technologies. 

• The new policy makes clear that there are only two uses for which agencies may employ these technologies: (1) to conduct measurement and analysis of usage, or (2) to customize the user's experience.
• Personally identifiable information can only be collected from the use of such technologies through opt in, voluntary consent of the user. Before such consent can be given, however, agencies must undergo a 30-day notice and comment period on their proposed use of the information.
• As additional protection, the new policy makes clear that under no circumstances can agencies use web measurement and customization technologies:
       a. to track a user's online activity on other websites outside the government;
       b. to share the data gathered through the use of such technologies with other departments or agencies unless the user has consented;
       c. to cross-reference, without the user's explicit consent, any information gathered from such technologies against personally identifiable information to determine an individual's online activity;
       d. to collect, in any fashion, personally identifiable information without the user's explicit consent.
• Lastly, agencies will need to conduct an annual review of their compliance with the new policy and post the results of this review online.

Overall this new policy will help bring government websites to a higher level of user friendliness and interactivity that the public is used to and now expects when going online.