• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

Third Party Websites and Applications Privacy Impact Assessment - Instagram Ad Solutions

Date:
10/27/2016

OPDIV:
CMS

TPWA Unique Identifier (UID):

Tool(s) covered by this TPWA:
Instagram Ad Solutions

Is this a new TPWA?
Yes.

  • If an existing TPWA, please provide the reason for revision:
    Not applicable (N/A).

Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?
No.

  • If yes, indicate the SORN number (or identify plans to put one in place.):
    N/A because CMS is not collecting or storing any personally identifiable information (PII).

Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?
No.

  • If yes, indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.)
    OMB Approval Number:
    N/A.
    Expiration Date:
    N/A.

Does the third-party Website or application contain Federal Records?
No.

Describe the specific purpose for the OPDIV use of the third-party Website or application:
CMS will use Instagram Ad Solutions to deploy digital display ads and video ads across the Instagram platform to consumers. Instagram is a free social networking site that allows registered users to create profiles, upload photos and videos, send messages, and keep in touch with the people in their social network. Instagram accountholders provide a username, password, and email address when they register for an account. Users may also link their Facebook account to their Instagram account. CMS also maintains a presence on Instagram in the form of a HealthCare.gov branded page.

Instagram allows CMS to communicate directly with users to provide broad educational opportunities and provide limited opportunities to address consumer questions and concerns, by maintaining an Instagram account. In addition, CMS will disseminate information related to CMS programs and provide resources to consumers who may not be regular visitors to the CMS or HHS websites. CMS will utilize Instagram to deploy digital display ads, video ads, and other messages across the Instagram platform to consumers, including those who are not “following” the CMS account or who have not “liked” CMS posts.

Instagram Ad Solutions places a cookie or pixel (also known as a web beacon) for conversion tracking on certain pages of CMS’s website (e.g. HealthCare.gov). Conversion tracking allows Instagram Ad Solutions to measure the performance of CMS advertisements based on consumer activity and to report the ad performance to CMS.  Conversion tracking reports inform the advertiser whether consumers who view or interact with an ad later visit a particular site or perform desired actions on that site. Instagram Ad Solutions will then provide CMS with summary-level conversion tracking reports that contain no personal information about consumers. These reports will allow CMS to measure how effective Instagram advertisements are to CMS’s digital advertising outreach and education efforts.

To learn more about privacy related to the social networking uses of Instagram and the HealthCare.gov branded page, visit http://www.hhs.gov/pia/index.html#Third-Party.

Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?
Yes, and the review has determined that Instagram is appropriate for OPDIV use, taking into account the risks posed by the following: use of cookies, web beacons, and pixels for targeted advertising based on sensitive information; targeting, retargeting and conversion tracking based on Instagram profile information; and Instagram profile information leading to identification of HealthCare.gov visitors.

Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:
If consumers do not want to interact with advertisements from Instagram Ad Solutions, consumers can learn about CMS campaigns through other advertising channels such as TV, radio, CMS websites, and in-person assisters and events.

Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?
Yes. Instagram ads appear within the Instagram platform and are accompanied by Instagram branding.

How does the public navigate to the third party Website or application from the OPDIV?
N/A.

  • Please describe how the public navigates to the third party Website or application:
    N/A.

    If the public navigates to the third-party Website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? 
    N/A.

Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?
Yes.

Is an OPDIV Privacy Notice posted on the third-party Website or application?
N/A.

  • Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy:
    N/A.

    Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available? 
    N/A.

Is PII collected by the OPDIV from the third-party Website or application?
No.

Will the third-party Website or application make PII available to the OPDIV?
No.

Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:
CMS does not receive any PII through its use of Instagram Ad Solutions.

Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
Instagram Ad Solutions does not share any PII with CMS.

  • If PII is shared, how are the risks of sharing PII mitigated?
    N/A.

Will the PII from the third-party Website or application be maintained by the OPDIV?
N/A.

  • If PII will be maintained, indicate how long the PII will be maintained:
    N/A.

Describe how PII that is used or maintained will be secured:
CMS does not store or maintain any PII received through its Instagram account. Instagram Ad Solutions does not share any PII with CMS.

What other privacy risks exist and how will they be mitigated?
CMS will conduct periodic reviews of Instagram’s privacy policy to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to user’s privacy interests. CMS employs Instagram Ad Solutions solely for the purposes of improving CMS services and activities online.

Use of Cookies, Web Beacons, and Pixels for Targeted Advertising Based on Sensitive Information
Potential Risk:
The use of cookies, web beacons, and pixels generally present the risk that an application could collect information about a user’s activity on the Internet that could be used for purposes not intended by the user. These purposes include providing users with targeted advertising based on information the individual user may consider sensitive, including information about the webpages a consumer visited both outside and within the Instagram platform.

Additional Background:
Instagram Ad Solutions collects non-personally identifiable information a cookie or pixel (also known as a web beacon) on CMS’s pages. A web pixel (or web beacon) is a transparent graphic image (usually 1 pixel x 1 pixel) placed on a web page in combination with or separate from, a cookie and allows CMS to collect information regarding the use of the web page that contains these technologies. A cookie is a small text file stored on a user’s computer that allows the site to recognize the user and keep track of preferences. These technologies are used for conversion tracking on certain pages of CMS’s website (e.g. HealthCare.gov). This allows Instagram Ad Solutions to measure the performance of CMS advertisements and to report the ad performance to CMS, for example, by reporting whether consumers who view or interact with an ad later visit a particular site or perform desired actions on that site.  

CMS advertising displayed through the Instagram platform will carry persistent cookies that enable CMS to display advertising to individuals who have previously visited the CMS website. (Persistent cookies are stored on a user’s hard drive for some period of time unless removed by the user.) 

Mitigation:
Both CMS sites and Instagram provide users information about the use of persistent cookies, the information collected about them, and the data gathering choices they have in their website privacy policies.

Cookies and other ad technology such as beacons, pixels, and tags help Instagram serve relevant ads to consumers more effectively. These technologies help provide aggregated auditing, research, and reporting for advertisers, understand and improve Instagram Ad Solutions, and know when content has been shown to a consumer. Because a web browser may request advertisements and beacons directly from ad network servers, these networks can view, edit, or set their own cookies, as if the consumers had requested a web page from their site.

When a user is routed to a CMS site by clicking on a CMS advertisement displayed through Instagram Ad Solutions, and the Tealium iQ Privacy Manager is present on the CMS site, users are able to control which cookies they want to accept from the CMS site. Tealium iQ Privacy Manager is a tool that keeps track of users’ preferences in reference to tracking and will prevent web beacons from firing when a user has opted out of tracking for advertising purposes. Tealium iQ Privacy Manager can be accessed through information provided in the privacy policy on webpages where Tealium iQ Privacy Manager is deployed. Tealium iQ Privacy Manager can also be accessed within the CMS privacy policy by clicking on the large green button “Modify Privacy Options” that turns off the sharing of data for advertising purposes.

The ability to control which cookies users want to accept from a CMS site is only valid when Tealium iQ Privacy Manager is installed on the specific CMS website. For example, when users are routed to CMS sites without Tealium iQ Privacy Manager, and do not wish to have cookies placed on their computers, the user can disable cookies through their web browser. Separately, CMS includes the Digital Advertising Alliance AdChoices icon on all targeted digital advertising. The AdChoices icon is an industry standard tool that, like the Tealium iQ Privacy Manager, allows users to opt out of being tracked for advertising purposes.

Instagram Ad Solutions offers users the ability to opt-out of Instagram advertising cookies through the following processes:

  • Instagram members can choose to adjust their preferences in their Instagram account.
  • Instagram provides a link on all advertising that provides members with an option to opt out of tracking. On all ads, users have the ability to:
    • “Hide this”: If a user chooses this, the user will not see the ad again. This is specific to the ad ID within the campaign only.

Targeting, Retargeting and Conversion Tracking Based on Instagram Account Information

Potential Risk:
Instagram Ad Solutions targets consumers based on information voluntarily provided within the user’s registered profiles. Instagram Ad Solutions uses data derived from user account information and Facebook profile information (if the consumer links his or her Facebook and Instagram accounts), combined with information about a user’s behavior across multiple sites and over time. The resulting combined information could be viewed by some consumers as revealing patterns in behavior that the user may not want to disclose to Instagram Ad Solutions or its advertising clients. These patterns in behavior could enable and/or improve targeting by other advertisers who may wish to target customers within the health care sector, including targeting based on the type of data that some consumers may consider sensitive.

Additional Background:
Third party data targeting allows for the deployment of ads to consumers whose profiles or on-site actions (e.g., “likes” of specific pages or brand posts) match specific attributes an online advertiser is looking to target. Retargeting is an advertising technique used by online advertisers to present ads to users who have previously visited a particular site. Conversion tracking allows advertisers to measure the impact of their advertisements by tracking whether users who view or interact with an ad later visit a particular site or perform desired actions on such site, such as signing up for a program or requesting further information. CMS will engage Instagram Ad Solutions to use these advertising techniques to deliver CMS digital advertising to persons who are more likely to be interested in CMS advertising content. However, Instagram Ad Solutions will not share any PII with CMS from the utilization of these tactics.

Engaging an ad service like Instagram Ad Solutions that uses third party data targeting, retargeting, and conversion tracking will enable CMS to improve the efficiency of its ads by delivering them to persons most likely to be interested in the ad content. It will also enable CMS to provide further information to consumers who have previously visited HealthCare.gov such as deadlines, new developments, or reminders to complete a survey.

Mitigation:
Although Instagram Ad Solutions will have information on users who visited a CMS web site through the cookies and web beacons placed within CMS digital advertising content, Instagram Ad Solutions will not use the patterns in behavior detected by these tools to enable or improve targeting by other advertisers who may wish to target solely users who visited HealthCare.gov and may be interested in issues surrounding health care or CMS programs. Instead, Instagram Ad Solutions collects aggregate level “interaction” data to identify consumers that are most likely to interact with an ad from a specific industry (e.g., health insurance) for the purposes of improving the ability of advertisers to reach consumers who are more likely to interact with their advertising. Instagram Ad Solutions does not allow for the targeting of only consumers who have specifically interacted with an ad from CMS.  CMS receives an aggregated performance report from Instagram Ad Solutions to optimize its ads.

Both CMS sites and Instagram Ad Solutions provide users information about the use of persistent cookies, the information collected about them, and the data gathering choices they have in their website privacy policies.

When a user is routed to HealthCare.gov by clicking on a CMS advertisement displayed through Instagram Ad Solutions, and the Tealium iQ Privacy Manager is present, users are able to control which cookies they want to accept from the CMS site. Tealium iQ Privacy Manager is a tool that keeps track of users’ preferences in reference to tracking and will prevent web beacons from firing when a user has opted out of tracking for advertising purposes. Tealium IQ Privacy Manager can be accessed through information provided in the privacy policy on webpages where Tealium IQ Privacy Manager is deployed. Tealium IQ Privacy Manager can also be accessed within the CMS privacy policy by clicking on the large green button “Modify Privacy Options” that turns off any sharing of data for advertising.

The ability to control which cookies users want to accept from a CMS site is only valid when Tealium iQ Privacy Manager is installed on the specific CMS website. For example, when users are routed to CMS sites without Tealium iQ Privacy Manager, and do not wish to have cookies placed on their computers, the user can disable cookies through their web browser. 

Instagram Account Information Leading To Identification of HealthCare.gov Visitors

Potential Risk:
Instagram Ad Solutions’s access to both personally identifiable and non-personally identifiable data about registered Instagram users presents the risk that HealthCare.gov visitors who are also registered Instagram users could be identified, and that data about these users could be misused by Instagram.

Mitigation:
CMS does not receive any personally identifiable information from Instagram Ad Solutions. CMS receives aggregated performance data in the form of statistical reports, including reports on clicks, views, and impressions (exposure to an advertisement) of CMS digital advertising, that are made available to CMS managers who implement CMS programs, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their duties.

Instagram Ad Solutions provides information on the types of information collected about users in its privacy policy, as well as choices with respect to such information collection or how it is used.  Users can opt out of this tracking through the processes listed above under the “Persistent Cookies & Web Beacon” section. 

Content created by Centers for Medicare and Medicaid Services (CMS)
Content last reviewed on November 28, 2016