Department of Environmental Conservation

D E C banner

Privacy Policy

CP-35 / Internet Privacy Policy

New York State Department of Environmental Conservation
DEC Policy

Issuing Authority: Denise M. Sheehan, Acting Commissioner

Date Issued: 8/27/2004

Latest Date Revised: 3/27/2005

I. Summary:

As required by the "Internet Security and Privacy Act" (Article II, Section 203 of the State Technology Law), this document establishes the Department of Environmental Conservation Internet Privacy Policy. This Policy describes the practices and procedures relating to the information collected about users through the Department's website and the retention and disclosure of that information.

II. Policy:

It is the policy of the Department of Environmental Conservation (Department) to respect and protect the privacy of the citizens and businesses who visit and use the Department's public website, and to comply with the Internet Security and Privacy Act. The Department shall post on its website a statement to users regarding this Internet Privacy Policy.

For purposes of this Policy, "user" means any individual or business who visits any part of the Department's website.

For purposes of this Policy, "personal information" means any information concerning an individual (i.e. a natural person) which, because of name, number, symbol, mark, or other identifier, can be used to identify that individual. The Department shall not use its website to collect any personal information about a user unless that information is provided by sending an e-mail or by initiating an online transaction, such as a survey, registration or order form.

For purposes of this Policy, "Department" includes any of the Department's contractors or subcontractors that collect personal information from users of the Department's website as described in this policy.

Information Collected Automatically On Website Users

When a user visits the Department's website, the following information will be automatically collected:

(1) The Internet Protocol Address and domain name used, but not the e-mail address. The Internet Protocol Address is a numerical identifier assigned either to an internet service provider or directly to a computer;
(2) The type of browser and operating system used;
(3) The date and time the website was visited;
(4) The web pages or services accessed at the website, and any files downloaded;
(5) The website visited prior to coming to the website, if a user arrived at the Department's site by following link from that site.

None of the foregoing information is deemed to constitute personal information.

The information that is collected automatically shall be used to improve the Department's website content and to help the Department understand how users interact with the website. This information shall be collected for statistical analysis, to determine what information is of most and least interest to website users, and to improve the utility of the content available on the website. The information shall not be collected for commercial marketing purposes and shall not be sold or otherwise disclosed for such purposes.


A cookie is a simple text file that is placed on the user's computer (usually in the web browser or on the hard drive) by the Department's website when the user visits the website. The use of cookies is a standard practice among all Internet websites, and is necessary in order to enable the user and the website to interact smoothly and quickly. Cookies, by themselves, cannot be used to obtain personal information about a user.

There are several types of cookies. The hardware and software used to access the Department's website allow the user to permit all, some, or none of these cookies to be placed or stored on their computer. The user can also delete existing cookies at any time. If the user does not allow for the use of cookies, the user may encounter problems in using the website, or may not be able to use the website at all.

The Department uses two types of cookies on its website, Session cookies and Persistent cookies.

Session cookies - These are temporary and are automatically erased when the user closes their browser at the end of a session. The next time the user visits the website, the site will not recognize the user and the user will be treated as a completely new visitor. The Department uses session cookies to enhance or customize the visits to its website by remembering what pages have been visited previously during that same one continuous session. Session cookies do not collect information from the user's computer, do not collect personal information, and do not compromise the user's privacy or security.

Persistent cookies - These remain on the user's computer until they are erased by the user or they expire. Persistent cookies are created when a user enters certain information on the Department's site, such as an identification or log in sequence. They are only used in cases where the user has affirmatively requested that the site recognize the user each time that they return to the site, and that information on the site be tailored to the user based upon the user's expressed needs, interests and request. The Department shall only use persistent cookies with the user's permission.

The software and hardware utilized by the user to access the website will allow the user to refuse new cookies or delete existing cookies. Refusing or deleting these cookies may limit the user's ability to take advantage of some features of the website, but this is the user's prerogative.

Information Collected When A User E-mails The Website Or Initiates An Online Transaction

If a user sends an e-mail to the Department, the e-mail address and the contents of the message shall be collected. The information collected shall not be limited to text characters and may include audio, video, and graphic information formats included in the message. The e-mail address and the information included in the message may be used to respond, to address issues identified, to improve the website, or to forward the message to another State agency for appropriate action. The e-mail address shall not be collected for commercial purposes and shall not be sold or otherwise disclosed for such purposes.

If a user initiates a transaction on the Department's website, such as a survey, registration, license application or order form, the information volunteered by the user shall be used by the Department in processing and recording that transaction and for those purposes that may be reasonably ascertained from the nature and terms of the transaction for which the information was submitted.

Pursuant to the Children's Online Privacy Protection Act (COPPA), the Department shall not knowingly collect unnecessary personal information from children or create profiles of children through its website. However, the collection of personal information submitted in an e-mail or in an appropriate online transaction shall be treated as though it was submitted by an adult, and may, unless exempted from access by federal or state law, be subject to public access.

Information And Choice

The Department shall not collect any personal information about an individual user during a visit to its website unless that information is provided voluntarily by sending an e-mail or initiating an online transaction such as a survey, registration, license application or order form. A user may choose not to send the department an e-mail, respond to a survey, apply for a license, or complete an order form through the website. While the choice to not participate in these activities may limit the ability to receive specific services or products through the website, it shall not prevent a user from requesting services or products from the Department by other means and will not normally have an impact on the ability to take advantage of other features of the website, including browsing or downloading publicly available information.

Disclosure Of Information Collected Through The Website

The disclosure of information, including personal information, collected through the website is both prohibited by the Personal Privacy Protection Law and exempted from disclosure by the Freedom of Information Law. The Department's full compliance with these two statutes serves as a further protection of the user's personal information.

The collection of information through the website and the disclosure of that information are also subject to the provisions of the Internet Security and Privacy Act. Under these provisions the Department shall only collect personal information through its website or disclose personal information collected through its website if the user has consented to the collection or disclosure of such personal information. The voluntary disclosure of personal information to the Department by the user, whether solicited or unsolicited, constitutes consent to the collection and disclosure of the information by the Department for the purposes for which the user disclosed the information to the Department, as shall be reasonably ascertainable from the nature and terms of the disclosure.

However, the Department may collect or disclose personal information without user consent if the collection or disclosure is:

(1) necessary to perform the statutory duties of the Department, or necessary for the Department to operate a program authorized by law, or authorized by state or federal statute or regulation;
(2) made pursuant to a court order or by law;
(3) for the purpose of validating the identity of the user; or
(4) of information to be used solely for statistical purposes that is in a form that cannot be used to identify any particular person.

The Department may disclose personal information to federal or state law enforcement authorities to enforce the Department's rights against unauthorized access or attempted unauthorized access to the Department's information technology assets.

Retention Of Information Collected Through The Website

The information collected through its website shall be retained by the Department in accordance with the records retention and disposition requirements of the New York State Arts & Cultural Affairs Law.

In general, the Internet services logs of the Department, comprising electronic files or automated logs created to monitor access and use of Agency services provided through the website, shall be retained for an indeterminate period of time. Information, including personal information, that is submitted in an e-mail or when a user initiates an online transaction such as a survey, registration form, or order form shall be retained in accordance with the records retention and disposition schedule established for the records of the program unit to which the user submitted the information.

Access To And Correction Of Personal Information Collected Through The Website

Any user may submit a request to the Department's Privacy Compliance Officer to determine whether personal information pertaining to that user has been collected through the website. Any such request shall be made in writing and must be accompanied by reasonable proof of identity of the user. Reasonable proof of identity may include verification of a signature, inclusion of an identifier generally known only to the user, or similar appropriate identification.

The Privacy Compliance Officer shall, within five (5) business days of the date of the receipt of a proper request:

(1) provide access to the personal information;
(2) deny access in writing, explaining the reasons therefore; or
(3) acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied, which date shall not be more than thirty (30) days from the date of the acknowledgment.

In the event that the Department has collected personal information pertaining to a user through the state agency website and that information is to be provided to the user pursuant to the user's request, the Privacy Compliance Officer shall inform the user of his or her right to request that the personal information be amended or corrected under the procedures set forth in section 95 of the Public Officers Law.

Confidentiality And Integrity Of Personal Information Collected Through The Website

The Department is committed to protecting personal information collected through its website against unauthorized access, use, or disclosure. Consequently, the Department shall limit access to personal information collected through its website to only those employees who need access to the information in the performance of their official duties. Employees who have access to this information shall be required to follow appropriate procedures in connection with any disclosures of personal information.

In addition, the Department shall implement procedures to safeguard the integrity of its information technology assets, including, but not limited to, authentication, monitoring, auditing, and encryption. These security procedures shall be integrated into the design, implementation, and day-to-day operations of the website as part of a continuing commitment to the security of electronic content as well as the electronic transmission of information.


To provide users with certain information, the Department provides links to the websites of local, state, and federal government agencies, and to the websites of other organizations. A link to any such website does not constitute an endorsement of the content, viewpoint, accuracy, opinions, policies, products, services, or accessibility of that website. Once a user links to another website, the user is subject to the terms and conditions of that website, including, but not limited to, its internet privacy policy, if any.


The information provided in this privacy policy shall not be construed as giving business, legal, or other advice, or warranting as fail proof the security of information provided through the Department's website.

III. Purpose and Background:

Users of the Department's website need to know what kind of information the Web site collects, to whom it gives that information, and how it uses the information. Personal information that can be used to identify or contact the user, such as name, e-mail address, home or work address, or telephone number should not be collected without the user's permission. The Department's Web site only has access to such personal information that the user knowingly provides. For example, the Web site cannot determine a user's e-mail address unless the user provides it.

The Internet Security and Privacy Act requires each state agency that maintains a website to adopt and post an Internet Privacy Policy Statement. This requirement reflects the recognition that citizens and businesses must be confident that their privacy is protected when they visit a state agency website. This Policy provides the basis for the policy statement posted on the Department's website.

IV. Responsibility:

The Department's Privacy Compliance Officer is responsible for creating and updating this Policy, for responding to inquires related to this Policy, and ensuring that a statement of this Policy is posted on the Department's website.

The Department's Division of Information Services, and each Department division, office, contractor, subcontractor and trusted partner that collects personal information from users as described in this Policy, is responsible for developing the appropriate procedures necessary to implement this Policy.

V. Procedure:

The procedures required for the implementation of this Policy are to be developed by the divisions, office, contractor, subcontractor and trusted partner affected by the Policy.

VI. Related References:

Chapter 57-A of the Consolidated Laws, State Technology Law - Article II Internet Security and Privacy Act, Sections 201-207

Chapter 47 of the Consolidated Laws, Public Officers Law - Article 6-A, Personal Privacy Protection Law Sections 91-99

OFT Best Practice Guideline G-02-001 - Internet Privacy Policy

15 USC 6501 - Children's Online Privacy Protection

  • Contact for this Page
  • Office of Communication Services
    625 Broadway
    Albany, NY 12233-4500
    Send us an email
  • This Page Covers
  • Page applies to all NYS regions