Location and Language
Information gathered at the website
Cookies, logs and other automatic information gathering processes.
No agency may commence using or continue to use "cookies" at their website without:
- notifying ITD of the agency's intention to do so;
- explaining the purposes for which the agency will use them; and
- receiving ITD's written approval for such use.
Forms, E-mail and other voluntary information gathering processes
The policy must describe all means by which the site collects voluntary information from users, including click-throughs, forms, and e-mails. The policy must state whether voluntarily collected information will include personally identifiable information.
Uses of personally identifiable information gathered at the site
Personally identifiable information is any information that could reasonably be used to identify a user personally, including his or her name, address, e-mail address, Social Security number, birth date, bank account information, credit card information, or any combination of information that could be used to identify the user. The term "personally identifiable information" should be used and defined in the policy.
The policy must describe how the agency uses personally identifiable information obtained by it through the site.
Dissemination of personally identifiable information
The policy cannot include any "guarantees" of privacy. Rather, it must specifically state that personally identifiable information collected at the site may be subject to disclosure to members of the general public under the Public Records Law, M.G.L. c. 66, sec. 10. In addition, the policy must identify those to whom the agency will provide such information, and state that only Commonwealth employees with a "need to know" will have access to it. The policy must also state that the agency complies with the Fair Information Practices Act, M.G.L. c. 66A, and Executive Order 412 with respect to all personally identifiable information collected at the site.
Websites directed at or knowingly collecting information from children
State agencies operating websites or web pages directed at children (age twelve or below), or knowingly collecting information from children on-line, must comply with the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. sec. 6501 et seq., to the extent possible for a government agency. Agencies wishing to operate websites directed to children should consult with the Information Technology Division (ITD) prior to posting such material.
Privacy policies for such sites or pages must state the special privacy protections built into the site for the purpose of complying with the terms of this law.
Review and correction of personally identifiable information
If you have questions about any of the matters referred to in this directive, please contact Linda Hamel at (617)-626-4404 or Linda.Hamel@itd.state.ma.us.
Information provided by the Information Technology Division, Mass.Gov Office. Last reviewed: June 10, 2009.