EPA Home

Procedure: Web Measurement and Customization Technologies (Cookies)

Brief Description

(See the full document below for details)

This procedure establishes the steps for using web measurement and customization technologies, including "cookies", on the EPA Public Access website. It also establishes the required steps for obtaining waiver approval by the Chief Information Officer (CIO) for Tier 3 multi-session technology with personally identifiable information (PII) on an EPA Public Access website.

This procedure applies to any EPA use of web measurement and customization technologies. This procedure is not limited to any specific technology or application (such as persistent cookies), and it includes EPA use of third-party web measurement and customization technologies.

To summarize the procedure based on the OMB tier types for web measurement and customization technologies: 

  • Tier 1 technologies (e.g., session cookies) - No extra steps needed, as EPA website already has this enabled and provides the web analytics.
  • Tier 2 technologies – EPA offices can use persistent cookies, but must work with the Information Access Division (IAD) in OEI to ensure that the office has addressed the OMB requirements. IAD will not be deciding if an office can use, etc. but rather coordinating and making sure the office met the requirements. Failure to follow OMB guidelines on cookies can result in the website being shut down by EPA and by OMB.
  • Tier 3 technologies - persistent cookies with PII. OMB is very restrictive about using cookies with PII. The office that wishes to use tier three cookies will need to have the CIO’s permission (as required by OMB) as well as meet other restrictive OMB requirements.

Whenever an agency uses third-party websites or applications to engage with the public, it should refer to OMB's memorandum M-10-23 Guidance for Agency Use of Third-Party Websites and Applications (PDF)  Exit(103 K, 9 pp.) for additional steps. In some cases, the third-party websites or applications use web measurement and customization technologies solely for the third party's own purposes. This procedure does not apply in those situations as long as (1) third parties do not use web measurement and customization technologies on behalf of a Federal agency, and (2) Personally Identifiable Information (PII), or any information that could be used to determine an individual's online activity derived from such uses, is not shared with the agency. However, agencies must consider the risk posed by such arrangements as part of the Privacy Impact Assessment required in OMB's memorandum providing Guidance for Agency Use of Third-Party Websites and Applications.

This procedure does not apply to internal agency activities (such as on intranets, applications, or interactions that do not involve the public) or to activities that are part of authorized law enforcement, national security, or intelligence activities. OMB has clarified to EPA that the memo requirements apply to web measurement and customization technologies used on pages that are required for statutory, regulatory, or grant requirements.

On this page:

You will need Adobe Reader to view some of the files on this page. See EPA’s About PDF page to learn more.


Definitions

  • Content owners or providers: EPA employees who create, manage, own or are otherwise responsible for the content posted on a Web page. A content owner or provider must assign all Web content a content type and must keep the content current, or otherwise handle it as described in this procedure.
  • Cookie: A short string of text that is sent from a web server to a user's hard drive when the user accesses a Web page. When a browser requests a page from the server that sent it a cookie, the browser sends a copy of that cookie back to the server. Cookies can provide more efficient navigation through Web pages and speed the delivery of information to the user. Cookies can also be used to gather personal information and to track the Web sites accessed by individuals, raising a privacy concern
  • Multi-session technologies: Includes "persistent cookies". These technologies remember a user's online interactions through multiple sessions. This approach requires the use of a persistent identifier for each user, which lasts across multiple sessions or visits.
  • Personally Identifiable Information (PII): This term, as defined in OMB Memorandum M-07-16 (PDF)  Exit(22 pp., 227 K), refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it demands a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available - in any medium and from any source - that, when combined with other available information, could be used to identify an individual. Single-session technologies. Includes "session cookies". These technologies remember a user's online interactions within a single session or visit. Any identifier correlated to a particular user is used only within that session, is not later reused, and is deleted immediately after the session ends.
  • Tier 1 - single session: This tier encompasses any use of single session web measurement and customization technologies.
  • Tier 2 - multi-session without PII: This tier encompasses any use of multi-session web measurement and customization technologies when no PII is collected (including when the agency is unable to identify an individual as a result of its use of such technologies).
  • Tier 3 - multi-session with PII: This tier encompasses any use of multi-session web measurement and customization technologies when PII is collected (including when the agency is able to identify an individual as a result of its use of such technologies).
  • Web measurement and customization technologies: These technologies are used to remember a user's online interactions with a website or online application in order to conduct measurement and analysis of usage or to customize the user's experience.

Top of Page

Required Steps

EPA follows the requirements for web measurement and customization as outlined in OMB M-10-22, "Guidance for Online Use of Web Measurement and Customization Technologies," June 25, 2010.

EPA may use web measurement and customization technologies for the purpose of improving EPA services online through conducting measurement and analysis of usage or through customization of the user's experience.

As outlined in OMB M-10-22, under no circumstances may EPA use such technologies:

  1. to track user individual-level activity on the Internet outside of the website or application from which the technology originates;
  2. to share the data obtained through such technologies, without the user's explicit consent, with other departments or agencies; (EPA note: EPA's Office of General Counsel confirmed with OMB that we can share aggregate data, but under no circumstances any type of PII)
  3. to cross-reference, without the user's explicit consent, any data gathered from web measurement and customization technologies against PII to determine individual-level online activity;
  4. to collect PII without the user's explicit consent in any fashion; or
  5. for any like usages so designated by OMB.

If EPA is found to be using web measurement and customization technologies outside of the process or parameters specified in the Office of Management and Budget (OMB) Memorandum M-10-22, EPA must immediately cease use of such technologies and inform OMB of the extent of such unauthorized use. OMB will respond as necessary and appropriate.

The following required steps depend on the type of Web measurement and customization tools to be used. The usage tiers (Tier 1, Tier 2, and Tier 3) are defined by OMB.

  1. EPA offices are not required to complete any additional steps for Tier 1 - single session technologies (e.g., session cookies). The EPA website already employs session cookies for Web analysis. To obtain information and Web analytics from session cookies, please consult Maxamine.
  2. EPA offices that want to use Tier 2 - multi-session technologies without PII must work with the Information Access Division (IAD) in the Office of Information Analysis and Access (OIAA) in the Office of Environmental Information (OEI). IAD facilitates the process of making sure that all of the OMB and EPA requirements have been met, including the following:
    • Providing instructions for adding the required notification about using the multi-session technology along with instructions for opting-out, etc. In addition to the standard EPA Privacy and Security Notice, a persistent cookies notice must be included on the websites using the technologies as per OMB requirements. IAD has written a standard persistent cookies notice that may need to be customized depending on the multi-session technology used. IAD works with the Office of General Counsel (OGC) to approve the notice language.
    • Maintaining a list of all EPA websites using multi-session technologies.
    • Reporting to OMB.
  3. OMB does have provisions allowing for multi-session technology with PII, called Tier 3. In order to consider using a Tier 3 technology, the requesting EPA office must submit a waiver to the CIO and work with IAD before following the OMB required steps. As outlined in OMB M-10-22, OMB requires the following:
    • Privacy Office Review: Any proposals by the agency to engage in Tier 3 uses must be reviewed by the Senior Agency Official for Privacy (SAOP).
    • Notice and Comment: Following SAOP review, for new proposals of Tier 3 uses or substantive changes to existing uses of such technologies, agencies must:Note: With written approval from a Chief Information Officer (CIO), agencies are exempt from this requirement if the notice-and-comment process is reasonably likely to result in serious public harm.
      • Solicit comments through their Open Government Web page at www.[agency].gov/open for a minimum of 30 days. This notice and comment must include the agency's proposal to use such technologies and a description of how they will be used, which should at a minimum address the items in the Privacy Policy as described in OMB M-10-22 Attachment 3; and
      • Review and consider substantive comments and make changes to their intended use of Web measurement and customization technologies, where appropriate.
    • Tier 3 technologies must use opt-in functionality

Tier 3 Review: Agencies using Web measurement and customization technologies in a manner subject to Tier 3 must have explicit written approval from their CIO. This approval must be cited in the agency's online Privacy Policy. After this approval has been obtained and after notice and comment, as specified in (3) above, has been completed, EPA is authorized to use Tier 3 Web measurement and customization technologies.

Top of Page

Rationale

EPA's website is a fundamental communication tool for every Agency program and Region. The website allows EPA to engage with the public by communicating what we are doing, seeking public interaction and involvement, and improving the delivery of our services. As the Internet continues to evolve, EPA can improve the EPA website by maximizing the potential benefits of web measurement and customization.

At the same time, due to privacy concerns raised by the uses of such web measurement and customization technologies, EPA must ensure that it follows OMB requirements. The central goal is to respect and safeguard the privacy of EPA's website users while also increasing EPA's ability to serve the public by improving its activities online. Any use of such technologies must be solely for the purposes of improving the EPA's services and activities online.

Top of Page

Exemptions

EPA offices that want to use Tier 3 multi session technologies with PII must request permission from the Chief Information Officer and follow OMB's Tier 3 requirements outlined in OMB M-10-22. Each application will be evaluated separately, weighing the benefit to the user against the compromise of privacy. Consideration for a waiver includes situations where the absence of a persistent cookie adds substantial burden to the customer and there are no viable alternatives to the cookie.

Required Steps for a Tier 3 Waiver

  1. The EPA office seeking to place a Tier 3 multi session technology with PII on an EPA Public Access Web site will provide a memorandum originating from the requesting office's Senior Information Official (SIO) and approved in writing from the requesting office's Assistant Administrator or equivalent, requesting the waiver through the Office of Information Analysis and Access Office Director (Office of Environmental Information) to the CIO which:
    • identifies the Office Director responsible for the EPA page, as well as a contact at the staff level;
    • describes the content and purpose of the page containing the proposed Tier 3 cookie;
    • describes the compelling need to gather data on the Web site, and the privacy safeguards to be used for handling information derived from the cookie;
    • discusses alternatives to the cookie placement and their disadvantages;
    • includes the proposed notice to users that the cookie is being placed on their computers;
    • describes any alternate access paths in lieu of accepting the cookie; and
    • provides the Universal Resource Locator (URL) for the test Web site (provide ID and password) or a paper document mock-up of the site.
  2. The CIO will review the request within 20 business days. Note: Memorandums are entered into the Correspondence Management System and approval or denial of the request is sent from the CIO's office to the office making the waiver request.

Top of Page

See Also

Top of Page

Related governance documents

EPA

Related Policies

Related Procedures

  • None

Related Standards

  • None

Related Guidance

  • None

Non-EPA

Top of Page

Full Metadata about this standard

Name Web Measurement and Customization Technologies (Cookies) 
Type Procedure
Required or Recommended Required 
Effective date 
Date approved 04/13/2011
Category Area Setup, Scripts and Codes, Things to Avoid
Web Council review by 03/03/2013 (or earlier if deemed necessary by the Web Council) 
Governing Policy Web Governance and Management (PDF) Intranet(5 pp, 339K)

Top of Page