Monitoring of Personally Identifiable Information on Users of Departmental Internet Sites

EXECUTIVE SUMMARY:

This final report provides results of our review of the Department's monitoring of personally identifiable information on users of its web sites. Contrary to departmental policy, we found that four operating divisions collected such information through the use of persistent cookies, without obtaining the required Secretarial prior approval, and did not warn the user that such information was being collected. We also found that 21 of the Department's web sites designed for children did not contain a privacy statement or a link to a privacy statement as required by the Children's Online Privacy Protection Act (COPPA). We recommended that current departmental policy be amended to require frequent review of web sites to detect the use of persistent cookies and that the persistent cookies we detected be immediately disabled. We also recommended that the Department direct the Chief Information Officers (CIOs) of the operating divisions to ensure that web sites do not use persistent cookies without the proper waiver form the Secretary, and that the web sites for children are in compliance with the COPPA. Finally, we recommended that all web site originators be required to certify to their respective CIOs that they are in compliance with applicable laws.

---