5 FAM 740 

COOKIES

(CT:IM-237;   11-14-2018)
(Office of Origin: IIP/CSS)

5 FAM 741  GENERAL POLICY

(CT:IM-154;   09-17-2014)

a. If cookies are used on Department web sites (see 5 FAM 742, Cookie Intranet Use and 743, Cookie Internet Use), the web site must display a privacy statement informing users that cookies are used at the site, whether any data being collected is stored, and for what purpose.

b. If either persistent or session cookies are used for the purpose of collecting information, the requirements of 5 FAM 460, Privacy Act Requirements, must be met.

c.  There are other types of web site tracking technologies in use, such as web beacons, but this subchapter is focused exclusively on the use of cookies, as defined in 5 FAM 743.

5 FAM 742  COOKIE INTRANET USE

(CT:IM-33;   02-27-2002

Both persistent and session cookies may be used on Department Intranet web sites.

5 FAM 743  COOKIE INTERNET USE

(CT:IM-237;   11-14-2018)

a. (Office of Management and Budget) OMB Memorandum M-10-22 authorizes Federal agencies to use cookies or other tracking technologies on Department-hosted and managed public web sites, subject to certain conditions.

b. There are two basic types of cookies:

(1)  Single-session:  These technologies remember a user’s online interactions within a single session or visit.  Any identifier correlated to a particular user is used only within that session, is not later reused, and is deleted immediately after the session ends.  OMB terms this use as tier 1; and

(2)  Multi-session:  These technologies remember a user’s online interactions through multiple sessions.  This approach requires the use of a persistent identifier for each user, which lasts across multiple sessions or visits.  OMB defines two levels of multi-session technologies:

(a)  Tier 2:  Multi-session that does not collect personally identifiable information (PII) and has no way to identify individual site visitors; and

(b)  Tier 3:  Multi-session that also collects PII.  In this situation, the user must opt-in.

c.  Single-session cookies may be used only if they retain the information during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different web sites.

d. Department public web sites may use tier 2 and 3 persistent cookies when site managers ensure the site meets the conditions outlined in 5 FAM 743, paragraph e, and they obtain required approvals as described.  Tier 2 persistent cookies may also be used through participation in the Federal Government’s Digital Analytics Program, run by the General Services Administration (GSA).

e. Mandatory requirements for using cookies or tracking technologies:

(1)  The site’s privacy policy must notify site visitors that cookies are being used and provide a straightforward way for site visitors to opt-out of the cookies being placed on their devices.  Opt-out options include:

(a)  Agency side opt-out:  Use cookies to remember that a user has opted-out of all “other uses of such technologies on the relevant domain or application.  Such uses are considered tier 2”; and

(b)  Client side opt-out:  Provide instructions to site visitors on how they can change their browser settings to prevent cookies from being set;

(NOTE:  If you use tier 3 cookies, users must opt-in)

(2)  Provide comparable information and access to opt-in and opt-out users;

(3)  Cite the relevant privacy impact assessment (PIA) and/or System of Records Notice (SORN) that discusses the use of any data collected through cookies, where appropriate.  See SORN State-79 in the listing for the Digital Outreach and Communications SORN;

(4)  Keep the data gathered from cookies only as long as necessary to meet the objective for its collection and, per OMB, no longer than 1 year, unless a longer term is required by law, policy, or specific need for which the data contributes to program objectives.  Strictly limit data access to only those who need it to perform their job functions.  If the data collected is determined to be a Federal record, it must be archived in accordance with the General Record Schedule 20;

(5)  Store data in only one cookie per user;

(6)  Do not track user activity outside the domain where the web site or application originates;

(7)  Do not share user activity with other institutions unless the user gives explicit consent to do so; and

(8)  Do not cross-reference user data with PII to determine user activity unless the user gives explicit consent to do so.

f.  Recommended practices for cookie usage are described in the following list.  Cookies should:

(1)  Be no larger than 4096 bytes;

(2)  Be encrypted with server side scripts (preferably salted hashes);

(3)  Be decrypted only on the server;

(4)  Have an expiration date no greater than 1 year unless a longer term is needed to meet legal requirements or specific program objectives;

(5)  Be used to collect site-specific activity such as the referring site; the pages the user visits and duration; return visits; the exit page; and/or visits to other sites the bureau or post manages;

(6)  Not contain user-specific identity information that is PII.  If there is a business requirement to collect PII, you must follow the procedures in 5 FAM 743, paragraph g; and

(7)  Use secure socket layer (SSL) encryption to transmit all user and session authentication information.  This practice, along with server-created session IDs, helps avoid session hijacking.

g. In addition to the requirements listed this section, multi-session cookies that gather PII (Tier 3) must meet these requirements:

(1)  The Senior Agency Official for Privacy (SAOP) must review and clear the use of Tier 3 cookies.  This clearance does not constitute final approval; the Chief Information Officer (CIO) must give final approval (see 5 FAM 743, subparagraph g(3)); and

(2)  For notice and comment following SAOP review, for new proposals of Tier 3 uses or substantive changes to existing uses of such technologies, you must:

(a)  Solicit comment through the Department’s Open Government Web page for a minimum of 30 days.  This notice must describe your proposed use of Tier 3 cookies, and include each of the required additions to agency privacy policies listed in Attachment 3 of Memorandum M-10-22 ; and

(b)  Review and consider substantive comments and make changes to your intended use of Tier 3 cookies where appropriate;

(NOTE:  The CIO may, in writing, approve an exemption from the notice-and-comment process if it is reasonably likely to result in serious public harm)

(3)  The CIO must give explicit written approval for the use of Tier 3 cookies.  This approval must be cited in the Department’s Privacy Policy; and

(4)  Annually review Tier 3 cookie usage to determine if the data being collected is still needed to achieve program objectives.

5 FAM 744  Third-party cookie use

(CT:IM-154;   09-17-2014)

a. OMB Memorandum M-10-23 (June 2010) provides the requirements Federal agencies must meet to protect the privacy of those who visit or interact with the agency on third-party platforms and applications.

b. These platforms typically use multi-session cookies and the information they collect varies by platform.  The Department cannot control this usage but must, to the extent possible, post a privacy notice to inform site visitors that they are subject both to the Department’s privacy policy and that of the platform.  To do this:

(1)  Post a link to the privacy policy at http://www.state.gov/misc/415.htm; and

(2)  Post the required standard Terms of Use for Department sites, which contains a privacy policy statement.  See 5 FAM 793.4 for details.

c.  Comply with the branding requirement in 5 FAM 793.1.

d. If you use a third-party tool to collect information from site visitors, you must:

(1)  Minimize collecting and storing personal information to only that which is needed for a specific Department function;

(2)  Post a privacy notice explaining what information is being collected, for what it is being used, and how long it will be stored.  Ensure the user is not required to complete a questionnaire to obtain Department program information;

(3)  Keep in mind any associated records management requirements.  Consult the Records Management staff at records@state.gov for assistance; and

(4)  Keep in mind that collecting information from the public may trigger the Paperwork Reduction Act.  See 5 FAM 795.1, paragraph h, for details.

5 FAM 745 THROUGH 749  UNASSIGNED

5 FAM Exhibit 743  
OMB MEMORANDUM M-10-22 (JUNE 2010)

(CT:IM-154;   09-17-2014

Attachment 3

Required Additions to the Agency Privacy Policy when Web Measurement and Customization Technologies are Used

The following items must be added as part of the agency’s online Privacy Policy, if they are not present, in any instance when Web measurement and customization technologies are used:

i. The purpose of the Web measurement and/or customization technology;

ii. The usage Tier, session type, and technology used;

iii. The nature of the information collected;

iv. The purpose and use of the information;

v. Whether and to whom the information will be disclosed;

vi. The privacy safeguards applied to the information;

vii. The data retention policy for the information;

viii. Whether the technology is enabled by default and why;

ix. How to opt-out of the Web measurement and/or customization technology;

x. Statement that opting-out still permits users to access comparable information or services; and

xi. The identities of all third-party vendors involved in the measurement and customization process.