OMB cookie memo crumbles under its own weight

Walter R. Houser

Thanks to the drug czar, cookies are one recreational substance federal webmasters will have to forswear. The Office of National Drug Control Policy Web site was gathering data about its users with the help of the site-tracking company DoubleClick Inc. of New York to manage the cookies. DoubleClick has been notoriously aggressive about acquiring and selling the data it gathers.

But the White House overreacted in this case. Signed June 22, an Office of Management and Budget memo, 'Privacy Policies and Data Collection on Federal Web Sites,' found at, effectively bans the use of cookies on federal Web sites.

The memo states: 'Under this new federal policy, cookies should not be used at federal Web sites, or by contractors when operating Web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from cookies; and personal approval by the head of the agency.'

This directive comes in the midst of a White House push to promote privacy on the Internet. The United States is undertaking sensitive trade negotiations with the European Commission over data sharing. The commission has much stricter rules for protecting personal privacy and has resisted exporting to the United States information about European citizens.

The Federal Trade Commission is seeking authority from Congress to police commercial Web site privacy because self-regulation is not working. The administration declined to support FTC, asking industry to solve the problem. The recent controversy is all the more embarrassing because the Privacy Act provides stiff penalties for federal employees and agencies abusing their special access to personal data about citizens.

Defense and most other departments already prohibit collection of user-identifying information. DOD permits the use of cookies for other purposes, so long as those purposes are clearly stated and the cookies do not identify individuals.

The policy currently does not make a distinction between so-called session and persistent cookies. If only the agency head can approve cookies, the policy amounts to an outright prohibition. OMB has already backed off an absolute ban, telling agencies verbally that the memo is intended to address persistent cookies, not temporary session cookies.

Cookies 'can track' users 'over time and across different Web sites,' the OMB memo points out. But session cookies expire quickly, whereas persistent cookies store themselves on users' hard drives permanently.
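The session/persistent distinction shows up in the Set-Cookie header a server sends: a cookie with no valid Expires or Max-Age attribute lasts only for the browser session. As an added example (not part of the original column or the OMB memo), the following Python classifies header values so a webmaster can audit which cookies a site sets; the sample headers and the function names `classify` and `audit` are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie values (illustrative, not from any real site).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "visitor=7f3a9; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "prefs=large-text; Max-Age=31536000; Path=/",
    "old=; Max-Age=0; Path=/",
]

def classify(header, now):
    """Return (name, kind, lifetime_seconds) for one Set-Cookie value.
    kind: 'session' (no valid Expires/Max-Age, discarded when the browser
    closes), 'persistent' (kept on disk until expiry) or 'delete'.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    lifetime = None
    if "max-age" in attrs:  # RFC 6265: Max-Age takes precedence over Expires
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            lifetime = None  # malformed attribute is ignored
    if lifetime is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            lifetime = None  # unparseable date is ignored
    if lifetime is None:
        return name, "session", None
    return name, ("persistent" if lifetime > 0 else "delete"), lifetime

def audit(headers, now=None):
    """Classify every header; 'now' is injectable so results are repeatable."""
    now = now or datetime.now(timezone.utc)
    return [classify(h, now) for h in headers]

if __name__ == "__main__":
    for name, kind, lifetime in audit(SAMPLE_HEADERS):
        print(f"{name:10} {kind:10} {lifetime}")
```

Run against the response headers of each page on a site, the cookies reported as `persistent` are the ones the OMB clarification is concerned with.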

One wonders why webmasters need to use persistent cookies on publicly available federal Web sites.

Cookies are often necessary to track visitors through a site. Each Web page download is a completely independent action. There is no context for the page displayed or information entered unless data is maintained on either the client PC or server host. For example, cookies are the principal way a Web store can associate an order with a payment.

The OMB cookie ban is redundant to existing privacy law and regulations. Worse, it hampers agency efforts to securely link their Web sites to legacy systems. A ban on cookies could cripple federal agencies trying to implement online customer services.

Electronic government will not go beyond the talk stage without cookies or their functional equivalent.

OMB should clarify its memo, saying that cookies may be used pursuant to established Privacy Act systems of records.

The act requires agencies to publish every two years detailed descriptions of personal information they collect, why they collect it and what they do with it.

The drug policy office may have violated the Privacy Act, but it acted promptly to correct the error. So why a sweeping new order?

OMB's previous memo regarding this subject, found at, was technically solid policy. It advised federal webmasters to clearly advise visitors of cookies, and when and why they are used.

By contrast, the latest memo is hasty and ill-advised.

My guess is we haven't heard the end of this controversy.

Walter R. Houser, who has more than two decades of experience in federal information management, is webmaster for a Cabinet agency. His personal Web home page is at

