OMB issues exception to 'no cookies' rule

Federal agencies, barred in June from using 'cookies' on their Web sites, have been granted permission to use certain types of the tracking software, according to the Office of Management and Budget.

In a June 22 memo, OMB director Jacob Lew forbade agencies from using cookies on their Web sites. A cookie is a small piece of information written to the hard drive of a Web surfer's computer during a visit to a site. The files can extract a variety of information, including which parts of the site the user visited.

But the no-cookies policy applies only to software that tracks information over time or across Web sites, said Peter Swire, the Clinton administration's chief adviser on privacy issues.

"Other mechanisms do not raise privacy concerns," he said. Such mechanisms, known as "session cookies," include those that close when a user closes his or her browser at the end of a session or those that keep information only until a single transaction is completed.

For example, the U.S. Mint could keep cookie files on the computers of people who place orders online until the orders are shipped. Or, at the Department of Education, session cookies could be used to keep track of multiple student loan forms that a user may want to submit together, Swire said.

OMB consulted with the federal CIO Council about the June memo after Roger Baker, CIO at the Commerce Department and chair of the council's committee on privacy, asked OMB to clarify its stance on the use of session cookies. Baker and others were concerned about the policy's effect on e-commerce efforts at federal Web sites.

Agencies can provide e-government and e-commerce without violating privacy policies, Swire said. The key difference between session cookies and others is that the link between a computer and a Web site disappears at the end of a short time frame.

Privacy advocates were consulted and agreed with OMB's clarification, Swire said. The CIO Council has also asked OMB to amend its policy for agency intranets, but the issue is still under consideration, he said.

A recent General Accounting Office study showed that 69 out of 70 federal Web sites had privacy policies. Since the report was released, the remaining site, the Federal Thrift Savings Board's, has posted such a policy. In April, a survey found that only one-third of agency sites had privacy policies. "We've made a lot of progress since last year," Swire said.