Third Party Websites and Applications Privacy Impact Assessment

Dated Signed: September 4, 2018


TPWA Unique Identifier: T-3317214-427329

Name: Facebook

Is this a new TPWA? No

Please provide the reason for revision:

Revised to include all CMS web properties that maintains an educational presence on Facebook in the form of a CMS website branded page. These additional CMS web properties include;,,,,,,

Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV

System of Records Notice (SORN) under the Privacy Act? No

Indicate the SORN number: N/A because CMS is not collecting or storing personally identifiable information (PII).

Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? No

Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.): Not Applicable

Does the third-party Website or application contain Federal Records? No

Describe the specific purpose for the OPDIV use of the third-party Website or application:

CMS websites have created and maintains an educational presence on Facebook in the form of branded pages. These pages allow for a direct connection with end users to provide broad educational opportunities and limited opportunities to address consumer questions and concerns. Facebook is a popular platform where users can consume and interact (like, share, comment) with content related to their friends, and personal interests. CMS websites have created branded pages on Facebook to provide educational content in a space where many potential end users of CMS services are already spending their time online. The primary purpose of having a branded page on Facebook is to promote information related to CMS websites and to provide resources to consumers who may not be regular visitors to specific CMS websites website; occasionally we will leverage the innate social sharing capacity of this platform by asking fans of our branded pages to share CMS content with their friends on the platform for the purpose of disseminating a particular message as it relates to an initiative or information related to a CMS website.

Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? Yes

Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:

If consumers do not want to go to Facebook, consumers can learn about CMS campaigns through other advertising channels such as TV, radio, and local partners’/counseling entities and events. Additionally, information is available through other 3rd party digital properties such as YouTube and Twitter.

Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? Yes

How does the public navigate to the third party Website or application from the OPIDIV?

An external hyperlink from an HHS Website or Website operated on behalf of HHS

Please describe how the public navigate to the third party website or application:

Directly through, via a connect icon on the CMS website, using a web search or via a web-based URL to content hosted on

If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? Yes

Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? Yes

Provide a hyperlink to the OPDIV Privacy Policy:

Is an OPDIV Privacy Notice posted on the third-part website or application? Yes

Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy: Not Applicable

Is the OPDIV's Privacy Notice prominently displayed at all locations on the third- party Website or application where the public might make PII available? Not Applicable

Is PII collected by the OPDIV from the third-party Website or application? No

Will the third-party Website or application make PII available to the OPDIV? Yes

Describe the PII that will be collected by the OPDIV from the third-party Website or application

and/or the PII which the public could make available to the OPDIV through the use of the third party

Website or application and the intended or expected use of the PII:

Not Applicable. CMS does not collect any PII through its use of Facebook. Individual users who register with Facebook are required to provide a first name, last name, valid email address, password, sex, and date of birth to create a personal Facebook profile.

Once registered, users have the option to provide a wealth of additional information about themselves such as telephone number, employment, interests, etc. which may be displayed on the individual user’s personal Facebook profile page or otherwise maintained or used by Facebook (see for review of their data policy, and how they may use the provided information).

This information may be available to CMS website Page Administrators in whole or part, based on a user’s privacy settings. CMS websites do not routinely solicit, collect, or maintain any personally identifiable information from individuals who visit, like, comment, or otherwise engage with a CMS website Facebook page. The CMS website Facebook page Administrator may however, read, review, or rely upon information that individuals make available on the CMS website Facebook page in the form of comments for the purposes of responding to a user's question.

CMS website Facebook Page Administrators may delete any comments on the Facebook page that contains unnecessary amounts of PII, as stated in the privacy and comment policy applicable to all CMS website properties’ Facebook sites when Facebook sites have been created:

Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: This information is not shared beyond CMS website Facebook Administrators. It is not collected outside of Facebook or used for other CMS purposes.

If PII is shared, how are the risks of sharing PII mitigated? This data is kept within the Facebook platform. It is not downloaded into other tools.

Will the PII from the third-party website or application be maintained by the OPDIV? No

Describe how PII that is used or maintained will be secured:

CMS does not keep separate records or accounting of Facebook users or their interaction with the

CMS website Facebook page. CMS does not store or share this information. User information is retained by Facebook as long as a user maintains a Facebook account. See Facebook's privacy policy to see how long user information is retained after an account has been deleted. Facebook users can learn more about how their information is used and maintained by Facebook by visiting Facebook's data policy located at

What other privacy risks exist and how will they be mitigated?

Due to limitations on Facebook, the CMS website Privacy Notice is not posted in all locations on the CMS website Facebook page. It is viewable from any place on the CMS website Facebook page by clicking on the "About" tab and navigating to the "Privacy Notice & Comment Policy".


Facebook is a third-party service that uses persistent tracking technologies.


In an effort to help consumers understand how their information is used by Facebook, the CMS website’s Facebook page includes a privacy notice, which addresses the use of persistent tracking. Per the terms of service agreed to by HHS and Facebook, CMS Facebook accounts do not contain any third-party advertising. This limits any association with additional content that CMS websites have neither reviewed nor endorsed on the CMS website Facebook page. In addition, the CMS Privacy Notice Statement on, and on its Facebook page directs Facebook users to review Facebook's terms of service and privacy policies to understand how Facebook may collect information about users, including what pages the user may visit, and how Facebook may use or share such information for third- party advertising or other purposes.

In addition to the notice on Facebook, consumers are provided notice on the CMS website. A link to our Linking Policy is in the footer of each CMS website. Our Linking Policy includes a privacy notice for social media sites and provides links to CMS website presences on Third Party sites as well as the privacy policies of those social media sites. Additionally, when a consumer places their mouse cursor over a link to a social media site, hover text informs them that they will be "Leaving the CMS website" if they click.

Facebook is created and maintained by Facebook. CMS has reviewed Facebook's privacy practices and has concluded that risks to consumer privacy are sufficiently mitigated through application of Facebook's privacy policies, notices from CMS websites and Facebook informing consumers of these policies, and the ability of consumers to opt-out of providing their information to the CMS website and Facebook. CMS will conduct a periodic review of Facebook's privacy practices to ensure Facebook's policies continue to align with agency objectives and privacy policies and do not present unreasonable or unknown risks to consumer privacy.

Potential Risk:

The use of cookies, pixels (web beacons) generally presents the risk that an application could collect information about a user’s activity on the Internet for purposes the user did not intend.  The unintended purposes include providing users with behaviorally targeted advertising based on information that a user may consider to be sensitive.

Additional Background:

Cookies, pixels and web beacons allow Facebook to display advertising to individuals who have previously visited CMS websites. Persistent cookies will be stored on the user’s computer for up to 90 days, unless removed by the user.


CMS websites and Facebook provide users information about the use of persistent cookies and related technologies, what data is collected, and the data gathering choices, including choices related to behaviorally targeted advertising.

Tealium iQ Privacy Manager offers the ability to opt out of persistent cookies. Tealium settings can be accessed via the CMS privacy policy on CMS websites. CMS will not implement pixels or web beacons, on a browser, if Tealium iQ is not available on a CMS website.

CMS includes the Digital Advertising Alliance AdChoices icon on all targeted digital advertising. The AdChoices icon is an industry standard tool that allows users to opt out of being tracked for advertising purposes. Another alternative is for users to disable cookies through their web browser.

Facebook also offers users the ability to opt-out of having Facebook advertising cookies related to CMS websites on its own website.

Content last reviewed