Agencies slow to meet online privacy criteria

A few more agency Web sites now have machine-readable privacy policies, but the adoption rate should be faster, according to a new report from Ernst and Young LLP. As of this month, almost 14 percent of 137 federal Web sites reviewed have privacy policies in a machine-readable format, according to a dashboard report from Ernst and Young. Nineteen sites, up 7 percent from January, have online privacy policies that follow requirements laid out in Section 508 of the E-Government Act of 2002.

The machine-readable format can be adopted using the Platform for Privacy Preferences Project (P3P) developed by the World Wide Web Consortium. The policies direct the browser to notify the user, block certain cookies and provide a summary of the policy.

The law does not present a deadline for compliance, but requires agencies to submit annual progress reports to OMB. The first report was released in March. At the current rate of compliance, it would take two and a half years for all the reviewed sites to follow the law, said Brian Tretick, a principal with Ernst and Young.

"So, to meet the mandate by the law, there has to be much more activity," he said. "There might be a lot of activity behind the scenes."

Tretick said many Web masters have indicated that they know they need to adopt these policies, but are not sure how to proceed. Some have not even seen the September 2003 memo from the Office of Management and Budget directing agency officials to adopt the machine-readable policies.

"The information in some cases hasn't trickled down from the agency [chief information officers], especially to the groups within the agency who might be owning and operating their own Web sites," Tretick said. "I think there needs to be better communication if the act is going to be implemented in a certain amount of time."

As of this month, none of the four sample domains in the Executive Office of the President was compliant, while just four of 15 federal department Web sites and 15 of 118 independent agency sites met requirements, according to the report. As of January, nine of 137 federal sites complied with the law.

The report reviews only a sample of all government sites, focusing on top-level or more prominent sites, Tretick said. Officials don't know how many of the remaining government sites have P3P policies or are on the path to compliance, he said. According to OMB's E-Government Act report in March, more than half of the 60 agencies reporting to officials said that they have or plan to soon have machine-readable privacy policies.