Dated Signed: September 4, 2018
OPDIV: CMS
TPWA Unique Identifier (UID):
Tool(s) covered by this TPWA: Facebook Ads
Is this a new TPWA? No
If an existing TPWA, please provide the reason for revision:
Revised to include all CMS web properties that occasionally deliver digital advertising on third-party websites in order to reach new users. These additional CMS web properties include; www.CMS.gov, www.Medicare.gov, www.MyMedicare.gov, www.Medicaid.gov, www.InsureKidsNow.gov, HealthCare.gov, CuidadoDeSalud.gov.
Will the use of a third party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? No.
If yes, indicate the SORN number (or identify plans to put one in place.): NOT APPLICABLE because CMS is not collecting or storing any personally identifiable information (PII).
Will the use of a third party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? No.
If yes, indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.)
OMB Approval Number: NOT APPLICABLE
Expiration Date: NOT APPLICABLE
Does the third party Website or application contain Federal Records? No.
Describe the specific purpose for the OPDIV use of the third party Website or application:
CMS will use Facebook Ads to deploy digital display ads and video ads across the Facebook platform to consumers. Facebook is a free social networking site that allows Facebook registered users to create profiles, upload photos and videos, send messages, and keep in touch with the people in their social network. CMS maintains an educational presence on Facebook in the form of CMS website branded pages.
Facebook Ads places a cookie or pixel (also known as a web beacon) for conversion tracking on certain pages of a CMS website. Conversion tracking allows Facebook Ads to measure the performance of CMS advertisements based on consumer activity and to report the ad performance to CMS. Conversion tracking reports inform the advertiser whether consumers who view or interact with an ad later visit a particular site or perform desired actions on that site. Facebook Ads will then provide CMS with summary-level conversion tracking reports that contain no personal information about consumers. These reports will allow CMS to measure how effective Facebook advertisements are to CMS’s digital advertising outreach and education efforts.
Facebook visitors, even if not registered with Facebook, will see advertising on the Facebook platform, regardless of whether they have “liked”, “shared”, commented on, or visited any CMS branded Facebook page. However, registered users may see ads that are targeted to them based, in part, on information these users have shared through their Facebook profile. Visitors not registered with Facebook may see ads based on different criteria, such as websites they have previously visited or the specific page they are looking at on Facebook. CMS will also use Facebook Ads for retargeting, an advertising technique used by online advertisers to present ads to users who have previously visited a particular site.
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?
Yes, and the review has determined that the application is appropriate for OPDIV use, taking into account the risks posed by the following: use of cookies, web beacons, and pixels for targeted advertising based on sensitive information; targeting, retargeting and conversion tracking based on Facebook profile information; and Facebook profile information leading to identification of CMS website visitors.
Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third party Website or application:
If consumers do not want to interact with advertisements from Facebook Ads, consumers can learn about CMS campaigns through other advertising channels such as TV, radio, CMS websites, and events.
Does the third party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?
Yes. Facebook Ads appear within the Facebook platform and are accompanied by Facebook branding.
How does the public navigate to the third party Website or application from the OPDIV?
NOT APPLICABLE
Please describe how the public navigates to the third party Website or application:
NOT APPLICABLE
If the public navigates to the third party Website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?
NOT APPLICABLE
Has the OPDIV Privacy Policy been updated to describe the use of a third party Website or application? Yes.
Provide a hyperlink to the OPDIV Privacy Policy:
https://www.healthcare.gov/privacy/
Is an OPDIV Privacy Notice posted on the third party Website or application?
NOT APPLICABLE Facebook Ads does not provide the ability to place a privacy notice within an ad on the Facebook platform.
Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy:
NOT APPLICABLE
Is the OPDIV's Privacy Notice prominently displayed at all locations on the third party Website or application where the public might make PII available? NOT APPLICABLE
Is PII collected by the OPDIV from the third party Website or application? No.
Will the third party Website or application make PII available to the OPDIV? No.
Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:
Not Applicable. CMS does not receive any PII through its use of Facebook Ads.
Describe the type of PII from the third party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
Not Applicable. Facebook Ads does not share any PII with CMS.
If PII is shared, how are the risks of sharing PII mitigated? NOT APPLICABLE
Will the PII from the third party Website or application be maintained by the OPDIV? NOT APPLICABLE
If PII will be maintained, indicate how long the PII will be maintained: NOT APPLICABLE
Describe how PII that is used or maintained will be secured:
NOT APPLICABLE CMS does not receive, use, or maintain PII from Facebook Ads.
What other privacy risks exist and how will they be mitigated?
CMS employs Facebook Ads solely for the purposes of improving CMS services and activities online.
Potential Risk:
The use of cookies, pixels (web beacons) generally presents the risk that an application could collect information about a user’s activity on the Internet for purposes the user did not intend. The unintended purposes include providing users with behaviorally targeted advertising based on information that a user may consider to be sensitive.
Additional Background:
Cookies, pixels and web beacons allow Facebook to display advertising to individuals who have previously visited CMS websites. Persistent cookies will be stored on the user’s computer for up to 90 days, unless removed by the user.
Mitigation:
CMS websites and Facebook provide users information about the use of persistent cookies and related technologies, what data is collected, and the data gathering choices, including choices related to behaviorally targeted advertising.
Tealium iQ Privacy Manager offers the ability to opt out of persistent cookies. Tealium settings can be accessed via the CMS privacy policy on CMS websites. CMS will not implement Facebook Ad pixels or web beacons, which enable behavioral targeting and place persistent cookies on a browser, if Tealium iQ is not available on a CMS website.
CMS includes the Digital Advertising Alliance AdChoices icon on all targeted digital advertising. The AdChoices icon is an industry standard tool that allows users to opt out of being tracked for advertising purposes. Users may also disable cookies through their web browser.
Facebook also offers users the ability to opt-out of having Facebook advertising cookies related to CMS websites on its own website.
Potential Risk:
Facebook Ads targets consumers based on information voluntarily provided within the user’s registered profiles. Facebook Ads uses data derived from user profile information, aggregated by Facebook, combined with information about a user’s behavior across multiple sites and over time. The resulting combined information could be viewed by some consumers as revealing patterns in behavior that the user may consider to be sensitive. These patterns in behavior could enable and/or improve targeting by other advertisers who may wish to target customers within the health care sector, including targeting based on the type of data that some consumers may consider to be sensitive.
Additional Information:
Third party data targeting allows for the deployment of ads to consumers whose profiles or on-site actions (e.g., “likes” of specific pages or brand posts) match specific attributes an online advertiser is looking to target. CMS will engage Facebook Ads to use third party advertising techniques to deliver CMS digital advertising to persons who are more likely to be interested in CMS advertising content.
Mitigation:
Facebook Ads does not allow for the targeting of only consumers who have specifically interacted with an ad from CMS. CMS receives an aggregated performance report from Facebook Ads to optimize its ads.
Potential Risk:
Facebook’s access to PII and non-PII data about registered Facebook users presents the risk that CMS site visitors who are also registered Facebook users could be identified, and Facebook could misuse that data about these users.
Mitigation:
CMS does not receive any personally identifiable information from Facebook Ads. CMS receives aggregated performance data in the form of statistical reports, including reports on clicks, views, and impressions of CMS digital advertising.