Every federal agency that operates a website must publish a privacy policy — it is a statutory requirement under the E-Government Act of 2002 (Section 208) and OMB M-17-06. Without one, citizens have no basis to understand how their PII is collected, stored, shared, or protected. Failure to reference OMB M-17-06 specifically signals the policy was written without awareness of federal obligations, leaving gaps around cookie disclosure, third-party analytics (DAP), and user rights that create compliance exposure and erode public trust. A generic or placeholder privacy page does not satisfy this requirement.
Critical because absent or federally non-compliant privacy policies violate the E-Government Act of 2002 and OMB M-17-06, exposing the agency to compliance findings and leaving citizens without legally required disclosures about their data.
Create a /privacy route and link it in your footer. The policy must explicitly reference OMB M-17-06 and address PII handling, cookies, third-party analytics, and user rights. Add the footer link in app/layout.tsx:
// app/layout.tsx: footer section
<footer>
  <nav aria-label="Footer">
    <a href="/privacy">Privacy Policy</a>
    <a href="/accessibility">Accessibility</a>
  </nav>
</footer>
In app/privacy/page.tsx, include an explicit statement like: "This privacy policy is maintained in accordance with OMB M-17-06 and Section 208 of the E-Government Act of 2002." Cover all five required topics: information collection, PII use, third-party analytics (DAP), cookie usage and opt-out, and how to contact the agency with privacy questions.
ID: gov-web-standards.required-content.privacy-policy
Severity: critical
What to look for: Examine the page footer and /privacy or similar route for a published privacy policy. Search the policy text for references to "OMB M-17-06" or similar OMB memoranda about privacy and data governance. Count all footer links across layout files and enumerate which ones point to privacy-related pages. Quote the exact OMB memorandum reference text found in the policy (e.g., "in accordance with OMB M-17-06").
Pass criteria: A privacy policy is published (in footer as a link or on a dedicated page) covering at least 3 of the required topics: PII handling, cookie disclosure, third-party analytics, and user rights. The policy explicitly references OMB M-17-06 or describes compliance with federal privacy guidelines. Report the ratio of required policy sections present (e.g., "4 of 5 required sections found").
Fail criteria: No privacy policy found on the site, OR policy is published but contains no reference to OMB M-17-06 or federal privacy obligations. A generic "Privacy" link that leads to a 404 or placeholder page does NOT pass.
Skip (N/A) when: Never — all federal websites must publish a privacy policy.
Detail on fail: "No privacy policy found on the site" or "Privacy policy exists but makes no reference to OMB M-17-06 or federal privacy requirements"
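The "What to look for", pass and fail criteria above, as an added TypeScript checker that is not code from the gov-web-standards tool or from this page: it runs over the root layout's footer markup and the extracted text of the privacy route. The names REQUIRED_TOPICS, checkPrivacyPolicy and PrivacyFinding are hypothetical, and the topic regexes are an assumed approximation of the five required sections.

```typescript
// Added example, not the gov-web-standards tool's own code: applies the pass/fail
// criteria of rule gov-web-standards.required-content.privacy-policy. Names and the
// topic regexes (an assumed approximation of the five required sections) are hypothetical.
const REQUIRED_TOPICS: Record<string, RegExp> = {
  "information collection": /\b(information|data) (we |that we )?collect/i,
  "PII use": /\b(PII|personally identifiable information)\b/i,
  "third-party analytics (DAP)": /\b(DAP|Digital Analytics Program|third[- ]party analytics)\b/i,
  "cookie usage and opt-out": /\bcookies?\b[\s\S]{0,400}?\b(opt[- ]out|disable|block)\b/i,
  "privacy contact": /\bcontact\b/i,
};
const OMB_REF = /OMB\s*M-17-06/i;  // the exact memorandum reference the rule asks to quote
const FEDERAL_REF = /federal privacy (guidelines|requirements|obligations)/i;
const PLACEHOLDER = /\b(lorem ipsum|coming soon|under construction)\b/i;
interface PrivacyFinding {
  status: "pass" | "fail";
  detail: string;               // the ratio text or the "Detail on fail" text
  footerPrivacyLinks: string[]; // hrefs of privacy-related links found in <footer>
  sectionsFound: number;
  sectionsRequired: number;
  ombReference: string | null;  // quoted memorandum text, e.g. "OMB M-17-06"
}
function footerPrivacyLinks(layoutHtml: string): string[] {
  const footer = (layoutHtml.match(/<footer[\s\S]*?<\/footer>/i) || [""])[0];
  const anchor = /<a\s[^>]*href="([^"]+)"[^>]*>([^<]*)<\/a>/gi;
  const links: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = anchor.exec(footer)) !== null) {
    if (/privacy/i.test(m[1]) || /privacy/i.test(m[2])) links.push(m[1]);
  }
  return links;
}
// policyText is the visible text of the privacy route, or null when it returns a 404.
function checkPrivacyPolicy(layoutHtml: string, policyText: string | null): PrivacyFinding {
  const sectionsRequired = Object.keys(REQUIRED_TOPICS).length;
  const base = { footerPrivacyLinks: footerPrivacyLinks(layoutHtml), sectionsRequired };
  // Fail criteria: a 404, a placeholder page or a near-empty page counts as "no policy".
  if (policyText === null || PLACEHOLDER.test(policyText) || policyText.trim().length < 200) {
    return { ...base, status: "fail", sectionsFound: 0, ombReference: null, detail: "No privacy policy found on the site" };
  }
  const text: string = policyText;
  const sectionsFound = Object.keys(REQUIRED_TOPICS).filter(k => REQUIRED_TOPICS[k].test(text)).length;
  const ombMatch = text.match(OMB_REF), ombReference = ombMatch ? ombMatch[0] : null;
  const ratio = `${sectionsFound} of ${sectionsRequired} required sections found`;
  if (ombReference === null && !FEDERAL_REF.test(text)) {
    return { ...base, status: "fail", sectionsFound, ombReference, detail: `Privacy policy exists but makes no reference to OMB M-17-06 or federal privacy requirements (${ratio})` };
  }
  // Pass criteria: at least 3 of the required topics plus the federal reference.
  const status: "pass" | "fail" = sectionsFound >= 3 ? "pass" : "fail";
  return { ...base, status, sectionsFound, ombReference, detail: ratio };
}
```

The `detail` field carries the same wording the rule prescribes for its fail cases and the "N of 5 required sections found" ratio for the pass case, so the result can be reported as-is.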
Remediation: Create a privacy policy page and link it in the footer of your root layout. The policy should address:
Example footer link:
<footer>
  <a href="/privacy">Privacy Policy</a>
  <a href="/accessibility">Accessibility Statement</a>
</footer>