The new memo applies to all federal agencies and their use of government or contractor third-party websites or applications used to engage with the public. The general message is, agencies may use third-party sites and applications, but when they do so, they must comply with the new privacy requirements in the memo as well as any existing requirements. General guidance is offered in five areas:
- External Links. If an agency posts a link that leads to a third-party website or any other location that is not part of an official government domain, the agency should provide an alert to the visitor, such as a statement adjacent to the link or a “pop-up,” explaining that visitors are being directed to a non-government website that may have different privacy policies from those of the agency’s official website.
- Agency Branding. In general, when an agency uses a third-party website or application that is not part of an official government domain, the agency should apply appropriate branding to distinguish the agency’s activities from those of non-government actors. For example, to the extent practicable, an agency should add its seal or emblem to its profile page on a social media website to indicate that it is an official agency presence.
- Information Collection. If information is collected through an agency’s use of a third-party website or application, the agency should collect only the information “necessary for the proper performance of agency functions and which has practical utility.” [Following a government requirement from OMB Circular A-130] If personally identifiable information (PII) is collected, the agency should collect only the minimum necessary to accomplish a purpose required by statute, regulation, or executive order.