February 9, 2001
Recently enacted appropriations law required agency Inspectors General to report within 60 days on the collection of information about individuals accessing agency web sites. With limited exceptions, the Department of Energy is prohibited from collecting personal information from individuals accessing its public web sites, and must post conspicuous privacy notices containing clear and unambiguous explanations of any permissible data collection activities and their purpose. The most prominent example of an impermissible collection method is through the use of "persistent cookies." Persistent cookies are small files containing unique identifiers that a web server places on a site visitor's computer that can be used to retrieve information about the user. These files remain embedded in a user's hard drive and can facilitate information collection until they expire or are removed. The objective of our audit was to determine whether the Department's method of collecting data from its public web site visitors was consistent with applicable Federal regulations.