• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

Third Party Websites and Applications Privacy Impact Assessment - Google Advertising Services

Date:
10/17/2016

OPDIV:
CMS

TPWA Unique Identifier (UID):
T-5775483-419703

Tool(s) covered by this TPWA:
Google Advertising Services (consisting of Google advertising services DoubleClick, AdWords, and AdMob). This TPWA does not include Google Analytics or Google+.

Is this a new TPWA?
No.

If an existing TPWA, please provide the reason for revision:
Revised to include updates from Google and to reflect changes in services provided by Google advertising services. This TPWA is intended to replace the 2015 TPWA for Google Ads. This TPWA does not include Google Analytics or Google+.

Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?
No.

If yes, indicate the SORN number (or identify plans to put one in place.):
Not applicable (N/A) because CMS is not collecting or storing any personally identifiable information (PII).

If not published:
N/A.

Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?
No.

Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) OMB Approval Number:
N/A.

Expiration Date:
N/A.

Does the third-party Website or application contain Federal Records?
No.

Describe the specific purpose for the OPDIV use of the third-party Website or application:
Google advertising services, including DoubleClick, AdWords, and AdMob deliver digital advertising on third-party websites in order to reach new users and provide information to previous visitors to HealthCare.gov. This outreach helps inform consumers about the variety of services CMS offers.

Google advertising services consists of the following:

  • DoubleClick collects information about consumer behavior on websites across the Internet including HealthCare.gov, using technology such as cookies to deliver HealthCare.gov advertisements on third-party websites to consumers that may find them relevant. Cookies capture data such as date and time of web browsing, IP address, browser type, and operating system type, tracked by an alphanumeric identifier.
  • AdWords (along with DoubleClick) places advertisements on Google search results when a consumer searches for specific words or phrases that CMS chooses.
  • AdMob is similar to Google’s DoubleClick service, but delivers HealthCare.gov advertisements on mobile applications to consumers that may find them relevant.

For all products, relevant audiences for advertising may be determined by the use of behavioral targeting, where audiences are determined by tracking user online activities across various websites, across time. Google does not share PII with CMS. Advertising targeting may be supplemented with third party data, such as demographic data. Google does not collect PII in the course of these advertising activities.

All of these Google advertising services provide CMS with conversion tracking reports to allow CMS to determine the effectiveness of advertising campaigns.  Conversion tracking provides information about users’ activities regarding ads, including whether an ad is clicked on or a transaction is completed. 

Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?
Yes, and the review has determined that the application is appropriate for OPDIV use, taking into account the risks posed by the following:  use of persistent cookies and web beacons for targeted advertising based on sensitive information; 3rd party data targeting, retargeting, and conversion tracking based on information from this advertising campaign; and Google account information leading to identification of users.

Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:
If consumers do not want to click on ads served by Google, consumers can learn about CMS campaigns through other advertising channels such as TV, radio, and local partners’/counseling entities and events.

Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?
N/A because Google advertising services are not separate sites or applications where branding could be placed; but are rather used to deliver advertising on third-party websites or on the Google search page.

How does the public navigate to the third party Website or application from the OpDiv?
N/A.  The CMS websites do not link to Google advertising services. Google advertising services are tools used to place and track advertising on third-party sites.

Please describe how the public navigate to the third party website or application:
N/A.

If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?
N/A. The CMS websites do not link to Google advertising services. Google advertising services are tools used to place and track advertising on third-party sites.

Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?
Yes.

Provide a hyperlink to the OPDIV Privacy Policy:
https://www.healthcare.gov/privacy/

Is an OPDIV Privacy Notice posted on the third-party Website or application? 
N/A.  Google advertising services serve CMS-branded ads on third party websites.

Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy:
N/A.

Is the OPDIV's Privacy Notice prominently displayed at all locations on the third- party Website or application where the public might make PII available?
N/A.

Is PII collected by the OPDIV from the third-party Website or application?
No.

Will the third-party Website or application make PII available to the OPDIV?
No.

Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:
N/A.  CMS does not collect any PII through its use of Google advertising services.

Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
N/A. Google does not share PII with CMS.

If PII is shared, how are the risks of sharing PII mitigated?
N/A.

Will the PII from the third-party Website or application be maintained by the OPDIV?
N/A.

If PII will be maintained, indicate how long the PII will be maintained: 
N/A.

Describe how PII that is used or maintained will be secured:
N/A.

What other privacy risks exist and how will they be mitigated?
CMS will conduct periodic reviews of Google’s privacy   practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to users’ privacy interests. CMS uses Google advertising services solely for the purposes of improving consumer engagement with HealthCare.gov by directing consumers to HealthCare.gov through the use of targeted advertising.

Use of Cookies, Web Beacons, and Pixels for Targeted Advertising Based on Sensitive Information

Potential Risk:
The use of cookies, pixels, and web beacons generally presents the risk that an application could collect information about a user’s activity on the Internet for purposes that the user did not intend. The unintended purposes include providing users with behaviorally targeted advertising, based on information the individual user may consider to be sensitive, such as including information about the webpages a consumer visited across the Internet or transactions the user made with various Google services, for example, past search queries.

Additional Background:
Google advertising services collects non-PII information by placing a cookie or pixel (also known as a web beacon) on HealthCare.gov. A pixel (or web beacon) is a transparent graphic image (usually 1 pixel x 1 pixel) placed on a web page that allows Google to collect information regarding the use of the web page. A cookie is a small text file stored on a website visitor’s computer that allows the site to recognize the user and keep track of preferences. These technologies provide information about when a visitor clicks on or views an advertisement. This allows Google advertising services to measure the performance of CMS advertisements and to report the ad performance to CMS, for example, by reporting whether consumers who view or interact with an ad later visit a particular site or perform desired actions on that site.

CMS advertising delivered by Google advertising services will carry persistent cookies that enable CMS to display advertising to individuals who have previously visited HealthCare.gov. (Persistent cookies are stored on a user’s hard drive for some period of time.) In this instance, the persistent cookie will be stored on the user’s computer for up to 90 days, unless removed by the user.

Mitigation:
Both HealthCare.gov and Google advertising services provide consumers with information about the use of persistent cookies and related technologies. This information includes what data is collected, and the data gathering choices included in their website privacy policies, including choices related to behaviorally targeted advertising.

Tealium iQ Privacy Manager is a tool that keeps track of users’ preferences in reference to tracking and will prevent web beacons from firing when a user has opted out of tracking for advertising purposes. When a user is routed to HealthCare.gov by clicking on a CMS advertisement displayed through Google advertising services, and the Tealium iQ Privacy Manager is present on HealthCare.gov, users are able to control which cookies they want to accept from HealthCare.gov. Tealium iQ Privacy Manager can be accessed through information provided on the privacy policy on HealthCare.gov. There is a large green “Modify Privacy Options” button that turns off the sharing of data for advertising purposes that can be accessed through the HealthCare.gov privacy policy.

The ability to control which cookies users want to accept is only valid when Tealium iQ Privacy Manager is installed on the website. Another alternative is for users to disable cookies through their web browser. Separately, CMS includes the Digital Advertising Alliance AdChoices icon on all targeted digital advertising. The AdChoices icon is an industry standard tool that allows users to opt out of being tracked for advertising purposes, like the Tealium iQ Privacy Manager.

Google advertising services offer users the ability to opt out of Google advertising services cookies through the following processes:

  • Google offers the ability to opt out of Google advertising services related to CMS websites on its own website.
  • DoubleClick opt out options on websites of industry self-regulation programs in which Google participates including the Digital Advertising Alliance, offer users notice about the use of persistent cookies and related techniques.

For Google advertising cookies outside of a CMS site, Google offers users the ability to opt-out of having Google advertising services target them using cookies by opting out through:

  • Choices offered at http://www.google.com/settings/ads/; and
  • Google also respects mobile operating system advertising choices, allowing users to opt out of mobile interest based advertising.

Targeting, Retargeting, and Conversion Tracking Based on Information From This Advertising Campaign

Potential Risk:
Google advertising services allow it to target advertising behaviorally, by tracking users across multiple sites and over time, and the resulting combined information could reveal patterns in behavior that the user may not want to disclose to Google. The consumer may consider their web behavior or search history to be sensitive. These patterns in behavior could enable and/or improve targeting by other advertisers who may wish to target customers within the health care sector.

Additional Information:
Google advertising services targets consumers based on information collected through technologies such as cookies and pixels. Behavioral targeting deploys ads to consumers whose on-site actions (e.g., clicks or sharing of various types of content) match specific attributes considered desirable. Behavioral targeting is a technique used to determine relevant recipients for ads, by inferring these interested based on information collected about a particular consumer’s online web browsing behaviors, on various websites, over time. Retargeting is a form of behaviorally targeting used by online advertisers to present ads to users who have previously visited a particular site. Google advertising services will also use conversion tracking, which allows advertisers to measure the impact of their advertisements by tracking whether users who view or interact with an ad later visit a particular site or perform desired actions on such site, such as signing up for a program or requesting further information.

Behavioral targeting, retargeting, and conversion tracking enables CMS to improve the performance of ads by delivering them to relevant audiences and measuring their effect. CMS uses retargeting to send advertisements to consumers who have previously visited HealthCare.gov, for example, advertisements reminding consumers of relevant deadlines.

Mitigation:
Although Google advertising services will have information on users who visited a CMS web site through the cookies and web beacons placed within CMS digital advertising content, Google advertising services will not use the patterns in behavior detected by these tools to enable or improve targeting by other advertisers who may wish to target solely users who visited a CMS website. Google does not collect or share data that is specific solely to a CMS campaign for the purposes of creating or refining audience targeting for other advertisers. Google collects aggregated level “interaction” data to identify consumers that are most likely to interact with an ad from a specific industry (for example, health insurance) for the purposes of improving the ability for advertisers to reach consumers who are more likely to find that ad relevant. Google does not allow for the targeting of consumers who have specifically interacted with an ad from CMS.

Both HealthCare.gov and Google provide users information about the use of persistent cookies, the information collected about them, and the data gathering choices they have in their website privacy policies.

When a user is routed to HealthCare.gov by clicking on a CMS advertisement displayed by Google advertising services, and the Tealium iQ Privacy Manager is present on HealthCare.gov, users are able to control which cookies they want to accept from HealthCare.gov. Tealium iQ Privacy Manager can be accessed through information provided on the privacy policy on HealthCare.gov. There is a large green “Modify Privacy Options” button that turns off the sharing of data for advertising purposes that can be accessed through the HealthCare.gov privacy policy.

The ability to control which cookies users want to accept from a CMS site is only valid when Tealium iQ Privacy Manager is installed on the specific CMS website. For example, when users are routed to CMS sites without Tealium iQ Privacy Manager, and do not wish to have cookies placed on their computers, the user can disable cookies through their web browser. Separately, CMS includes the Digital Advertising Alliance AdChoices icon on all targeted digital advertising and advertising that is subject to conversion tracking. The AdChoices icon is an industry standard tool that, like the Tealium iQ Privacy Manager allows users to opt out of being tracked for advertising purposes.

Google offers users the ability to opt-out of Google advertising cookies through the following processes:

  • Opt out of advertising at: http://www.google.com/settings/ads/.
  • Click on the “Ad Choices” icon in the corner of an ad.
  • Opt-out of data collection for behavioral advertising by all companies who participate in the Digital Advertising Alliance (DAA).

Google Account Information Leading To Identification of CMS Website Visitors

Potential Risk:
Some users of Google’s services may create accounts with Google based, in part, on PII. Google’s access to both PII and non-PII about registered Google users presents the risk that CMS site visitors who are also registered Google users could be identified by Google.

Mitigation:
CMS does not receive any PII from Google advertising services. CMS receives aggregated performance data in the form of statistical reports, including reports on clicks, views, and impressions (exposure to an advertisement) of CMS digital advertising, that are made available to CMS managers who implement CMS programs, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their duties.

Google provides information on the types of information collected about users in its privacy policy, as well as choices with respect to such information collection or how it is used. For example, users can:

  • Review and update their Google activity controls to decide what types of data, such as videos they’ve watched on YouTube or past searches, they would like saved with their account when they use Google services.
  • Review and control certain types of information tied to their Google Account by using Google Dashboard.
  • View and edit their preferences about the Google ads shown to them on Google and across the web, such as which categories might interest them, using Ads Settings. They can also opt out of certain Google advertising services in Google’s Ads Settings.
  • Adjust how the information associated with their Google Account appears to others.
  • Control who they share information with through their Google Account.
  • Take information associated with their Google Account out of many of Google’s services.
  • Choose whether their name and photo appear in shared endorsements that appear in ads.

Users can also opt out of this advertising through the methods described in the “Use of Cookies, Web Beacons, and Pixels for Targeted Advertising Based on Sensitive Information” section above.

Content created by Assistant Secretary for Public Affairs (ASPA)
Content last reviewed on October 25, 2016