Privacy policy published in footer with OMB M-17-06 reference
Why it matters
Every federal agency that operates a website must publish a privacy policy — it is a statutory requirement under the E-Government Act of 2002 (Section 208) and OMB M-17-06. Without one, citizens have no basis to understand how their PII is collected, stored, shared, or protected. Failure to reference OMB M-17-06 specifically signals the policy was written without awareness of federal obligations, leaving gaps around cookie disclosure, third-party analytics (DAP), and user rights that create compliance exposure and erode public trust. A generic or placeholder privacy page does not satisfy this requirement.
Severity rationale
Critical because absent or federally non-compliant privacy policies violate the E-Government Act of 2002 and OMB M-17-06, exposing the agency to compliance findings and leaving citizens without legally required disclosures about their data.
Remediation
Create a /privacy route and link it in your footer. The policy must explicitly reference OMB M-17-06 and address PII handling, cookies, third-party analytics, and user rights. Add the footer link in app/layout.tsx:
// app/layout.tsx — footer section
<footer>
  <nav aria-label="Footer">
    <a href="/privacy">Privacy Policy</a>
    <a href="/accessibility">Accessibility</a>
  </nav>
</footer>
In app/privacy/page.tsx, include an explicit statement like: "This privacy policy is maintained in accordance with OMB M-17-06 and Section 208 of the E-Government Act of 2002." Cover all five required topics: information collection, PII use, third-party analytics (DAP), cookie usage and opt-out, and how to contact the agency with privacy questions.
Detection
- ID: privacy-policy
- Severity: critical
- What to look for: Examine the page footer and the /privacy (or similar) route for a published privacy policy. Search the policy text for references to "OMB M-17-06" or similar OMB memoranda about privacy and data governance. Count all footer links across layout files and enumerate which ones point to privacy-related pages. Quote the exact OMB memorandum reference text found in the policy (e.g., "in accordance with OMB M-17-06").
- Pass criteria: A privacy policy is published (in footer as a link or on a dedicated page) covering at least 3 of the required topics: PII handling, cookie disclosure, third-party analytics, and user rights. The policy explicitly references OMB M-17-06 or describes compliance with federal privacy guidelines. Report the ratio of required policy sections present (e.g., "4 of 5 required sections found").
- Fail criteria: No privacy policy found on the site, OR policy is published but contains no reference to OMB M-17-06 or federal privacy obligations. A generic "Privacy" link that leads to a 404 or placeholder page does NOT pass.
- Skip (N/A) when: Never — all federal websites must publish a privacy policy.
- Detail on fail: "No privacy policy found on the site" or "Privacy policy exists but makes no reference to OMB M-17-06 or federal privacy requirements"
- Remediation: Create a privacy policy page and link it in the footer of your root layout. The policy should address:
- Information collection and use
- Third-party analytics disclosure (if using DAP or Google Analytics)
- Cookie usage and opt-out
- PII handling and security measures
- Links to OMB M-17-06 memoranda
Example footer link:
<footer>
  <a href="/privacy">Privacy Policy</a>
  <a href="/accessibility">Accessibility Statement</a>
</footer>
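As an added example (not part of the gov-web-standards rule or any scanner it ships with), a Python check that applies the detection criteria above to a layout's footer markup and a fetched privacy page, reporting the section ratio and the quoted OMB reference. The topic keyword patterns and the sample HTML pages are constructed assumptions; fetching the real /privacy route is left to the caller.

```python
import re

# Keyword heuristics (constructed) for the five topics named in the remediation text.
REQUIRED_TOPICS = {
    "information collection": r"information (we )?collect|collection of information",
    "PII handling": r"\bPII\b|personally identifiable",
    "third-party analytics": r"\bDAP\b|digital analytics program|google analytics",
    "cookies and opt-out": r"\bcookies?\b",
    "privacy contact": r"privacy (officer|questions)|contact",
}
OMB_REF = re.compile(r"OMB\s+M-17-06|federal privacy (guidelines|requirements|obligations)", re.I)
FOOTER = re.compile(r"<footer\b.*?</footer>", re.I | re.S)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def footer_privacy_links(layout_html):
    """Hrefs of footer anchors whose href or link text mentions privacy."""
    links = []
    for footer in FOOTER.findall(layout_html):
        links += [h for h, t in ANCHOR.findall(footer) if "privacy" in (h + t).lower()]
    return links

def policy_sections(policy_html):
    """Return (topics found, quoted OMB reference or None) for a policy page."""
    text = re.sub(r"<[^>]+>", " ", policy_html)
    found = [n for n, pat in REQUIRED_TOPICS.items() if re.search(pat, text, re.I)]
    m = OMB_REF.search(text)
    return found, (m.group(0) if m else None)

def evaluate(layout_html, policy_html):
    """Apply the rule's pass/fail criteria; policy_html is None when the link 404s."""
    if not footer_privacy_links(layout_html) or not policy_html:
        return {"status": "fail", "detail": "No privacy policy found on the site"}
    found, quote = policy_sections(policy_html)
    ratio = f"{len(found)} of {len(REQUIRED_TOPICS)} required sections found"
    if quote is None:  # placeholder or generic page: published, but no federal reference
        return {"status": "fail", "sections": ratio, "detail": "Privacy policy exists but "
                "makes no reference to OMB M-17-06 or federal privacy requirements"}
    return {"status": "pass" if len(found) >= 3 else "fail", "detail": ratio,
            "omb_reference": quote, "footer_links": footer_privacy_links(layout_html)}

# Constructed sample inputs, not taken from any real agency site.
LAYOUT = '<footer><nav aria-label="Footer"><a href="/privacy">Privacy Policy</a><a href="/accessibility">Accessibility</a></nav></footer>'
COMPLIANT = """<main><h1>Privacy Policy</h1>
<p>This privacy policy is maintained in accordance with OMB M-17-06 and Section 208 of the E-Government Act of 2002.</p>
<p>Information we collect: pages visited and browser type. We never sell personally identifiable information (PII).</p>
<p>We participate in the Digital Analytics Program (DAP) and set cookies; you may opt out in your browser settings.</p>
<p>Contact the Privacy Officer with privacy questions.</p></main>"""
PLACEHOLDER = "<main><h1>Privacy</h1><p>Coming soon.</p></main>"
if __name__ == "__main__":
    print(evaluate(LAYOUT, COMPLIANT), evaluate(LAYOUT, PLACEHOLDER), sep="\n")
```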
External references
- external · omb-m-17-06 — OMB M-17-06 — Policies for Federal Agency Public Websites and Digital Services (privacy policy requirement)
- external · e-gov-act-2002-sec-208 — E-Government Act of 2002 § 208 — Privacy impact assessments and privacy policy disclosure
History
- 2026-04-18 · v1.0.0 · Initial import from gov-web-standards · automated