A 2002 federal law, the E-Government Act, requires any federal agency that collects personal information through a website to first publish a written privacy impact assessment explaining what it collects and where the information goes. The Privacy Act of 1974 requires a separate, parallel public notice, a “system of records notice”, describing the records the agency keeps. A 2010 office of management and budget memorandum extended both requirements to federal agencies’ use of commercial web-tracking tools, including the kind that PostHog provides.

The Guardian could find no such filings for the studio’s web-tracking layer. None of the four sites carry a privacy impact assessment naming PostHog or describing the IP addresses and on-site activity the tool collects. None of the four are covered by a system of records notice that addresses what is collected or where it goes. The one published privacy instrument that relates to any of the four programmes, a treasury notice for the Trump Accounts programme, describes how the children’s-investment programme is administered but does not name PostHog and does not describe the tracking on trumpaccounts.gov at all.

Davisson, the EPIC attorney, called the studio’s failure to publish such a notice “a pretty clearcut violation of section 208” of the E-Government Act, adding: “There’s just no suggestion that they’re trying to comply in good faith with any of their obligations when it comes to the collection of personal information.”

It’s not known what data was collected from users of the government websites while the tools were live, whether it was retained and who has custody of the data.
#posthog #JoeGebbia #nds #doge #tracking #surveillance