Privacy Laws, Policies and Guidance

General privacy laws, OMB privacy policies and guidance, Departmental policies, and bureau/operating unit privacy policies.



  • The Privacy Act of 1974, 5 U.S.C. § 552a, provides privacy protections for records containing information about individuals (i.e., citizen and legal permanent resident) that are collected and maintained by the federal government and are retrieved by a personal identifier. The Act requires agencies to safeguard information contained in a system of records (SOR). It is currently being revised. It is currently being revised.

  • The Federal Information Security Modernization Act of 2014 (amends the Federal Information Security Management Act of 2002, 44 U.S.C. § 3541), requires agencies to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of an agency.

  • The E-Government Act of 2002 (44 U.S.C. 3601 et seq.) establishes procedures to ensure the privacy of personal information in electronic records.

  • Freedom of Information Act (FOIA) generally provides that any person has a right, enforceable in court, to obtain access to federal agency records, except to the extent that such records (or portions of them) are protected from public disclosure by one of nine exemptions or by one of three special law enforcement record exclusions.   

  • Trade Secrets Act (18 U.S.C. 1905) provides criminal penalties for the theft of trade secrets and other business identifiable information.

  • Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501 et seq.) is designed to reduce the public’s burden of answering unnecessary, duplicative, and burdensome government surveys.

  • Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501-06) (COPPA) regulates the online collection and use of personal information provided by and relating to children under the age of 13 (COPPA's Online Privacy Protection Rule).

  • The Social Security Number Fraud Prevention Act of 2017 (Public Law 115-59): (1) prohibits federal agencies from including any individual's Social Security account number on any document sent by mail unless the agency head determines that such inclusion is necessary; and (2) requires agencies that have Chief Financial Officers to issue regulations, within five years of this bill's enactment, that specify the circumstances under which such inclusion is necessary.

Back to Top

Office of Management and Budget (OMB) Memoranda

  • OMB Memorandum M-01-05, Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy, applies to data matching activities or programs for purposes of establishing or verifying eligibility for Federal benefit programs or recouping payments or delinquent debts under such programs covered by the Computer Matching and Privacy Protection Act ("Matching Act"), an amendment to the Privacy Act of 1974, 5 U.S.C. Section 552a, whether data are shared between Federal agencies or matched with State agency data.
  • OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003), requires agencies to conduct reviews of how information about individuals is handled when information technology (IT) is used to collect new information, or when agencies develop or buy new IT systems to handle collections of personally identifiable information (PII), and describes how the agency handles information that individuals provide electronically.

  • OMB Memorandum M-06-16, Protection of Sensitive Agency Information (June 23, 2006), requires agencies to implement encryption protections for PII being transported and/or stored offsite, allowing remote access only with two-factor authentication, using a time-out function for remote access, and logging all computer-readable data extracts from databases holding sensitive information; and verifies each extract, including sensitive data, has been erased within 90 days or its use is still required.

  • OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, establishes new procedures and provides updated guidance and requirements for agency use of web measurement and customization technology.

  • OMB Memorandum M-10-23, Guidance for Agency use of Third-Party Websites and Applications, requires Federal agencies to take specific steps to protect the individual privacy whenever they use third-party websites and applications to engage with the public.
  • OMB Memorandum M-11-02, Sharing Data While Protecting Privacy (November 3, 2010), requires agencies to develop and implement solutions that allow data sharing to move forward in a manner that complies with applicable privacy laws, regulations, and policies.

  • OMB Memorandum M-13-13, Open Data Policy - Managing Information as an Asset requires agencies to collect or create information in a way that supports downstream information processing and dissemination activities. This includes using machine readable and open formats, data standards, and common core and extensible metadata for all new information creation and collection efforts.
  • OMB Memorandum M-13-20, Protecting Privacy while Reducing Improper Payments with the Do Not Pay Initiative which implements Section 5 of the Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERIA) and provides guidance to help Federal agencies protect privacy while reducing improper payments with the Do Not Pay (DNP) Initiative.
  • OMB Memorandum M-14-04, Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, provides agencies with instructions for meeting their agencies’ fiscal year reporting requirements under the Federal Information Security Management Act (FISMA) and includes reporting instructions on agencies’ privacy management program.

  • OMB Memorandum M-14-06, Guidance for Providing and Using Administrative Data for Statistical Purposes, provides agencies with guidance for addressing the legal, policy, and operational issues that exist with respect to using administrative data for statistical purposes.
  • OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, identifies and addresses critical cybersecurity gaps and emerging priorities, and makes specific recommendations to address those gaps and priorities.  The CSIP was developed to assist to strengthen Federal civilian cybersecurity through the following five objectives: (1) Prioritized Identification and Protection of high value information and assets; (2) Timely Detection of and Rapid Response to cyber incidents; (3) Rapid Recovery from incidents when they occur and Accelerated Adoption of lessons learned from the Sprint assessment; (4) Recruitment and Retention of the most highly-qualified Cybersecurity Workforce talent the Federal Government can bring to bear; and (5) Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology. 

  • OMB Memorandum M-16-14, Category Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response (July 1, 2016), which requires federal agencies, with limited exceptions, to address their requirements, when they need to identify protection services, by using the government-wide blanket purchase agreements (BPAs) for Identity Monitoring Data Breach Response and Protection Services (i.e., IPS BPAs) awarded by the General Services Administration (GSA).
  • OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy, revises policies on the role and designation of the Senior Agency Official for Privacy (SAOP), as required by Executive Order 13719, Establishment of the Federal Privacy Council.
  • OMB Memorandum 17-06, Policies for Federal Agency Public Websites and Digital Services, updates policies regarding Federal Agency public websites and digital services and requires that each agency maintain a central resource page dedicated to its privacy program on the agency’s principal website. The agency’s Privacy Program page must serve as a central source for information about the agency’s practices with respect to PII. The agency’s Privacy Program Page must be located at www.[agency].gov/privacy and must be accessible through the agency’s “About” page. 
  • OMB Memorandum 17-09, Management of Federal High Value Assets, contains general guidance for the planning, identification, categorization, prioritization, reporting, assessment, and remediation of Federal High Value Assets (HVAs), as well as the handling of information related to HVAs by the Federal Government. 
  • OMB Memorandum 17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, which sets forth the policy for Federal agencies to prepare for and respond to a breach of personally identifiable information (PII).
  • OMB Memoradum 18-02, Fiscal Year (FY) 2017-2018 Guidance on Federal Information Security and Privacy Management Requirements, which provides agencies with FY 2017-2018 Federal Information Security Modernization Act of 2014 (FISMA) reporting guidance and deadlines.
  • OMB Memorandum 21-04, Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act, which provides guidance for Federal agencies to modernize the processes by which individuals may request access to, and consent to the disclosure of, records protected under the Privacy Act of 1974. As required by the Creating Advanced Streamlined Electronic Services for Constituents Act of 2019 (" CASES Act"), this guidance outlines the responsibilities of agencies for accepting access and consent forms provided in a digital format from individuals who are properly identity-proofed and authenticated.
  • Memorandum for Privacy Act Officers of Departments and Agencies, Status of Biennial Reporting Requirements under the Privacy Act and the Computer Matching and Privacy Protection Act (June 21, 2000), streamlines some of the reporting requirements for federal departments and agencies under OMB Circular A-130, Appendix I.
  • Model Privacy Impact Assessment for Agency Use of Third-Party Websites and Applications (December 29, 2011), is the required PIA model for agencies to use when preparing an adapted PIA before engaging the public through third-party websites and applications.

Back to Top

OMB Circulars

  • OMB Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, which describes agency responsibilities for implementing the review, reporting, and publication requirements of the Privacy Act of 1974 (“the Privacy Act”),and related OMB policies.
  • OMB Circular A-123, Management's Responsibility for Internal Control, which defines management's responsibility for internal control in Federal agencies. The policy changes in this circular are intended to strengthen the requirements for conducting management’s assessment of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities.
  • OMB Circular A-130, Management of Federal Information Resources, provides uniform government-wide information resources management policies as required by the Paperwork Reduction Act of 1980, as amended by the Paperwork Reduction Act of 1995, 44 U.S.C. Chapter 35.  

Back to Top

Privacy Guidance

  • DOC Privacy Program Plan - An overview of the Department’s privacy program.
  • DOC Continuous Monitoring Strategy - Determines if the complete set of planned, required, and deployed privacy controls, within an information system or inherited by the system, continue to be effective over time in light of the inevitable changes that occur.
  • DOC Guide to Effective Privacy Impact Assessments (PIA) - This guide provides a framework for conducting PIAs at the Department of Commerce (DOC or Department) and a methodology for assessing how PII is to be managed in electronic information systems. The DOC Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) requires that all PIAs at the Department be conducted in accordance with this guidance.
  • DOC Privacy Overlays - Specification of security controls, control enhancements, supplemental guidance, and other supporting information that is intended to complement (and further refine) security control baselines. The purposes of the privacy overlays include implementing standard security and privacy controls for systems containing PII, ensuring integration of privacy considerations into the system development life cycle and security processes in the early stages, and providing guidance for privacy requirements for protected health information.

Back to Top

Department of Commerce (DOC) Policies

Back to Top

Bureau/Operating Unit Privacy Policies

Back to Top

Questions and Comments

Send Questions, Comments or Complaints on the Commerce Privacy program to


Office of Privacy and Open Government
Office of the Chief Financial Officer and Assistant Secretary for Administration
U.S. Department of Commerce

Page last updated: October 12, 2021