The Dire Need For an Updated Cookie Policy

The Open Government Initiative is continuing to take input on ways that the government can change policy to catch up with technology and enhance functionality of federal web sites – this time, they’re focusing on the cookie policy for federal government web sites. We’ve written a series of posts about the cookie policy, and how the existing Office of Management and Budget (OMB) guidance needs to be updated to reflect the changing state of the Internet, user expectations, and innovations in user control.

As part of the Open Government Dialogue, the White House Office of Science and Technology Policy (OSTP) had begun discussing changes to the policy to enable citizen participation by allowing the use of new technologies while continuing to protect privacy. The cookie policy (which actually applies more broadly to “tracking technologies”) dates back to 2000, when the Clinton administration decided that federal web sites should not be using new tracking technologies willy-nilly.

However, the Internet has changed a lot since 2000, and it’s high time for updated federal guidance. We’re happy to see that OMB is working on this, that they are asking for input very early in the process, and that they have asked for specific information. This should help them frame their new policy. Specifically, they want to know more about: The basic principles governing the use of tracking technologies The appropriate tiers for differentiating between types of tracking, with the appropriate use and restrictions on each The appropriate kinds of notice that should appear on each web site where tracking technologies are being used The applicability and scope of such a framework on federal agency use of third-party applications or web sites The choice between opt-in and opt-out approaches for users Unintended or non-obvious privacy implications.

Of course, not all uses of cookies are created equally, and we’re glad to see that OMB is already differentiating between session cookies, tracking for analytics, and persistent cookies for other uses. In addition, they note that it is important to provide services to users whether or not they opt in or out of tracking. While the request for comment suggests that more invasive technologies should be subject to more stringent review, they do not explain how- that’s up to us to discuss, for now.

The team prefers that we comment on the OSTP blog [link?] to foster conversation, but they are also taking comments via the a traditional Federal Register request for comments [http://frwebgate5.access.gpo.gov/cgi-bin/TEXTgate.cgi?WAISdocID=752564171870+1+1+0&WAISaction=retrieve], and email [[email protected]]. Unfortunately, comments must be submitted by August 10th, creating a short timeline, but we hope you’ll join the discussion.