Dated Signed: September 4, 2018
OPDIV: CMS
TPWA-PIA Unique Identifier (UID): T-9827715348512
TPWA Name: Integral Ad Science (IAS)
Is this a new TPWA-PIA? No.
If an existing TPWA-PIA, please provide the reason for revision:
Revised to include all CMS websites that occasionally deliver digital advertising on third-party websites in order to reach new users and provide information to previous visitors. These additional CMS web properties include; www.CMS.gov, www.Medicare.gov, www.MyMedicare.gov, www.Medicaid.gov, www.InsureKidsNow.gov, HealthCare.gov, CuidadoDeSalud.gov.
Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? No.
If yes, indicate the SORN number (or identify plans to put one in place.): Not applicable because CMS is not collecting or storing any personally identifiable information (PII).
If not published:
N/A.
Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? No.
Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.)
OMB Approval Number: Not applicable.
Expiration Date: Not applicable.
Does the third-party Website or application contain Federal Records? No.
Describe the specific purpose for the OPDIV use of the third-party Website or application: Integral Ad Science is a tool that ensures CMS’ ads are shown only to real persons and not shown to robotic computer programs, or next to violent or other inappropriate material.
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? Yes.
Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: This is not applicable as IAS does not provide information, but rather protects CMS ads from appearing in inappropriate places.
Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? Not applicable because Integral Ad Science is not a separate site or application where branding could be placed.
How does the public navigate to the third party Website or application from the OPDIV? Not applicable because Integral Ad Science is not a separate site or application to which the public can navigate.
Please describe how the public navigate to the third party website or application: Not applicable because Integral Ad Science is not a separate site or application to which the public can navigate.
If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? Not Applicable
Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? Yes.
Provide a hyperlink to the OPDIV Privacy Policy:
https://www.cms.gov/privacy/ (Is the privacy policy for all CMS websites unless a separate one is noted below).
https://www.healthcare.gov/privacy/
https://www.medicare.gov/privacy-policy/index.html
Is an OPDIV Privacy Notice posted on the third-party Website or application? Not applicable because Integral Ad Science is not a separate site or application where a Privacy Notice could be placed.
Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy: Not applicable because there is no additional Privacy Notice.
Is the OPDIV's Privacy Notice prominently displayed at all locations on the third- party Website or application where the public might make PII available? Not applicable because there is no additional Privacy Notice.
Is PII collected by the OPDIV from the third-party Website or application? No.
Will the third-party Website or application make PII available to the OPDIV? No.
Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: Not applicable. CMS does not collect any PII through the use of Integral Ad Science.
Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: Not Applicable. PII is not stored or shared.
If PII is shared, how are the risks of sharing PII mitigated? Not Applicable. No PII is shared by IAS.
Will the PII from the third-party Website or application be maintained by the OPDIV? No.
If PII will be maintained, indicate how long the PII will be maintained: Not Applicable.
Describe how PII that is used or maintained will be secured: Not Applicable.
What other privacy risks exist and how will they be mitigated?
CMS uses IAS to ensure retargeting ads are appropriately placed and not placed next to inappropriate content. Similarly, it supports the conversion tracking of CMS’ ads by making sure ads are not shown to robotic computer programs and then charge those ads back to CMS.
Potential Risk:
The use of cookies, pixels, and web beacons generally presents the risk that an application could collect information about a user’s activity on the Internet for purposes that the user did not intend. The unintended purposes include providing users with behaviorally targeted advertising, based on information the individual user may consider to be sensitive.
Additional Background:
Cookies, pixels, and web beacons allow Integral Ad Science to measure the performance of CMS advertisements and to report the ad performance to CMS. Persistent cookies will be stored on the user’s computer, unless removed by the user.
Mitigation:
CMS websites and IAS provide consumers with information about the use of persistent cookies and related technologies, what data is collected, and the data gathering choices included in CMS and IAS website privacy policies, including choices related to behaviorally targeted advertising.
Tealium iQ Privacy Manager offers the ability to opt out of persistent cookies. The settings can be accessed via the privacy policy on CMS websites. CMS will not implement IAS pixels or web beacons, which enable behavioral targeting and place persistent cookies on a browser, if Tealium iQ is not available on a CMS website.
IAS offers users the ability to opt-out of having IAS advertising services related to CMS websites on its own website.
CMS observes the “Do Not Track” browser setting for digital advertising that uses retargeting. To learn more, visit http://donottrack.us/. Users can also click on the
“AdChoices” icon in the corner of HealthCare.gov ads delivered outside of HealthCare.gov to opt-out of ad targeting.
Potential Risk:
IAS tracks users across multiple sites and the resulting combined information could reveal patterns in behavior that the user may consider to be sensitive.
Additional Information:
IAS targets consumers based on information collected through cookies and pixels. Behavioral targeting deploys ads to consumers whose on-site actions (e.g., clicks or sharing of various types of content) match specific attributes considered desirable. IAS will also use conversion tracking, which allows advertisers to measure the impact of their advertisements by tracking whether users who view or interact with an ad later visit a particular site or perform desired actions on the site.
Mitigation
IAS only collects aggregated level “interaction” data to identify consumers that are most likely to interact with an ad for the purposes of improving the ability for advertisers to reach consumers who are more likely to find that ad relevant. IAS does not allow for the targeting of consumers who have specifically interacted with an ad from CMS.
CMS does not receive any PII from Integral Ad Science (IAS). IAS provides information on the types of information collected about users in its privacy policy, as well as choices with respect to such information collection or how it is used. Users can review, update, control, and adjust the types of information tied to, saved, and utilized by IAS including an opt-out feature.
