• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

Third Party Websites and Applications Privacy Impact Assessment - Rocket Fuel

Date:
09/15/2016

OPDIV:
CMS

TPWA Unique Identifier (UID):
T-8576744-722595

Tool(s) covered by this TPWA:
Rocket Fuel

Is this a new TPWA?
No.

If an existing TPWA, please provide the reason for revision:
Revised to include updates from Rocket Fuel and to reflect changes in services provided by Rocket Fuel.

Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? No.

If yes, indicate the SORN number (or identify plans to put one in place.):
Not applicable (N/A) because CMS is not receiving personally identifiable information (PII) from Rocket Fuel.

Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?
No.

If yes, indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.)
OMB Approval Number:
Not applicable.

Expiration Date:
Not applicable.

Does the third-party Website or application contain Federal Records?
No.

Describe the specific purpose for the OPDIV use of the third-party Website or application:
CMS will use Rocket Fuel to deliver behaviorally targeted digital advertising on third party websites to encourage consumers to visit HealthCare.gov. In addition, Rocket Fuel will also deliver retargeted advertising to consumers who previously visited HealthCare.gov to encourage them to return to HealthCare.gov. Behavioral targeting is a technique used to determine relevant recipients for ads, by inferring a consumer’s interests based on information collected about that particular consumer’s online web browsing behaviors, on various websites, over time. Behavioral targeting may also use data about consumers, such as demographic data, from third parties to supplement web browsing information.  Retargeting is a form of behavioral targeting used by online advertisers to present ads to consumers who have previously visited a particular CMS website. Rocket Fuel will use cookies and/or web beacons (also called pixels) placed on HealthCare.gov for retargeting and conversion tracking. Conversion tracking allows Rocket Fuel to measure the activity of a consumer who reached a CMS website by clicking on a digital advertisement (e.g., what webpages within the website they clicked on, whether they completed a transaction). Rocket Fuel will provide aggregate reports to CMS showing ad performance by measuring activity and web browsing behavior. Rocket Fuel collects no PII in the course of delivering advertisements or tracking conversions.

Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?
Yes, and the review has determined that the application is appropriate for OPDIV use, taking into account the risks posed by the following: the use of cookies and web beacons for targeted advertising based on sensitive information including health-related segments and targeting, retargeting and conversion tracking and the ability for other advertisers to improve targeting using information from this advertising campaign.

Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application.
If consumers do not want to interact with advertisements from Rocket Fuel, consumers can learn about CMS campaigns through other advertising channels such as TV, radio, CMS websites and in-person assisters and events.

Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?
N/A. Rocket Fuel serves CMS-branded ads on third party websites.

How does the public navigate to the third party Website or application from the OPDIV? N/A. The CMS websites do not link to Rocket Fuel. Rocket Fuel is a tool used to place and track advertising on third-party sites.

Please describe how the public navigates to the third party Website or application:
N/A. 

If the public navigates to the third-party Website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?
N/A. The CMS websites do not link to Rocket Fuel. Rocket Fuel is a tool used to place and track advertising on third-party sites.

Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?
Yes.

Provide a hyperlink to the OPDIV Privacy Policy:  https://www.healthcare.gov/privacy/

Is an OPDIV Privacy Notice posted on the third-party Website or application?
N/A. Rocket Fuel serves CMS-branded ads on third party websites. Consumers who see these ads do not have to visit the Rocket Fuel website.

Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy:
N/A. 

Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available?
N/A. 

Is PII collected by the OPDIV from the third-party Website or application?
No. Rocket Fuel collects no PII in the course of delivering advertisements.

Will the third-party Website or application make PII available to the OPDIV?
N/A.  Rocket Fuel collects no PII in the course of delivering advertisements.

Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:
N/A. Rocket Fuel collects no PII in the course of delivering advertisements, and thus, does not pass PII to CMS.

Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
N/A. Rocket Fuel collects no PII in the course of delivering advertisements, and thus, does not pass PII to CMS.

If PII is shared, how are the risks of sharing PII mitigated?
N/A.

Will the PII from the third-party Website or application be maintained by the OPDIV?
N/A. Rocket Fuel collects no PII in the course of delivering advertisements, and thus, does not pass PII to CMS.

If PII will be maintained, indicate how long the PII will be maintained:
N/A.

Describe how PII that is used or maintained will be secured:
N/A. Rocket Fuel collects no PII in the course of delivering advertisements, and thus, does not pass PII to CMS.

What other privacy risks exist and how will they be mitigated?
CMS will conduct periodic reviews of Rocket Fuel’s privacy policy to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to user’s privacy interests. CMS uses Rocket Fuel solely for the purposes of improving consumer engagement with HealthCare.gov by directing consumers to HealthCare.gov through the use of targeted advertising.

Use of Cookies and Web Beacons for Targeted Advertising Based on Sensitive Information

Potential Risk:
The use of cookies, pixels, and web beacons generally presents the risk that an application could collect information about a user’s activity on the Internet for purposes that the users did not intend. The unintended purposes include providing users with behaviorally targeted advertising, based on information the individual user may consider to be sensitive.  In addition, Rocket Fuel uses data segments to profile users for advertising purposes, including health-related segments such as “disabled / handicapped consumers,” “personal mobility,” and “weight loss.”  Use of these segments to deliver CMS advertising to these populations may be considered by some individuals to be delivering advertising based on sensitive criteria. 

Additional Background:
Rocket Fuel collects non-personally identifiable information by placing a cookie or pixel (also known as a web beacon) on HealthCare.gov and on advertisements sponsored by CMS on third party websites. A pixel (or web beacon) is a transparent graphic image (usually 1 pixel x 1 pixel) that is placed on a web page that allows Rocket Fuel to collect information regarding the use of the web page. A cookie is a small text file stored on a website visitor’s computer that allows the site to recognize the user and keep track of preferences. These technologies provide information about when a visitor clicks on or views an advertisement. Rocket Fuel uses that information to judge which advertisements are more appealing to users and which result in greater conversions, such as transactions with HealthCare.gov.

Content created by Assistant Secretary for Public Affairs (ASPA)
Content last reviewed on October 20, 2016