Adobe Analytics 2022
Date signed: 12/16/2022
| TPWA PIA Questions | TPWA PIA Answers |
|---|---|
| OPDIV: | CMS |
| TPWA Unique Identifier (UID): | T-3853938-342516 |
| Is this a new TPWA? | Yes |
| Please provide the reason for revision | |
| Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? | No |
| Indicate the SORN number (or identify plans to put one in place.) |
|
| Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? | No |
| Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) |
|
| Does the third-party Website or application contain Federal Records? | No |
| Describe the specific purpose for the OPDIV use of the third-party Website or application: | The Centers for Medicare & Medicaid Services (CMS) uses reports and analysis from Adobe Analytics to measure the number of visitors to CMS’ websites, including CMS.gov, Medicare.gov, MyMedicare.gov, HealthCare.gov, CuidadoDeSalud.gov, Medicaid.gov, InsureKidsNow.gov, and various subdomains of the above top-level domains (TLDs). These TLDs are hereafter referred to as “CMS’ websites.” The analyses and reports help to make CMS’ websites more useful to visitors/consumers. The CMS staff analyze and report using the collected data from Adobe Analytics. The reports are available only to CMS managers, teams who implement CMS programs represented on CMS’ websites, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their duties. |
| Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? | Yes |
| Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: | If consumers do not want Adobe Analytics to collect information related to their visits to CMS’ websites, consumers can use other means of interaction without using CMS’ websites, including but not limited to paper applications, call centers, or in-person assisters. In addition to these options, a consumer can use the Tealium IQ Privacy Manager on CMS’ websites privacy page(s) and "opt out" of having data collected about them by Adobe Analytics. Alternatively, a consumer can disable their cookies if they do not want their information to be collected. |
| Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? | No |
| How does the public navigate to the third party Website or application from the OPIDIV? | Incorporated or embedded on HHS Website |
| Please describe how the public navigate to the third-party website or application: | Not applicable. The public does not navigate to Adobe Analytics. Adobe Analytics works in the background. |
| If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? | No |
| Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? | Yes |
| Provide a hyperlink to the OPDIV Privacy Policy: | https://www.cms.gov/privacy-policy/ https://www.healthcare.gov/privacy/ https://www.medicare.gov/privacy-policy https://www.medicaid.gov/privacy-policy/index.html https://www.insurekidsnow.gov/privacy-policy/index.html |
| Is an OPDIV Privacy Notice posted on the third-party Website or application? | No |
| Is PII collected by the OPDIV from the third-party Website or application? | No |
| Will the third-party Website or application make PII available to the OPDIV? | No |
| Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: | Not Applicable. CMS does not collect any Personal Identifiable Information (PII) through the use of Adobe Analytics. |
| Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: | Not Applicable. PII is not stored or shared. |
| If PII is shared, how are the risks of sharing PII mitigated? | Not Applicable. PII is not stored or shared. |
| Will the PII from the third-party Website or application be maintained by the OPDIV? | No |
| Describe how PII that is used or maintained will be secured: | Not applicable |
| What other privacy risks exist and how will they be mitigated? | CMS will use Adobe Analytics in a manner that protects the privacy of consumers who visit CMS’ websites and respects the intent of CMS website users. CMS will conduct periodic reviews of Adobe Analytics' privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy. Adobe Analytics is employed solely for the purposes of improving CMS’ services and activities online related to operating CMS’ websites. Information collected by Adobe Analytics is created and maintained by Adobe. Potential Risk: Persistent cookies are used with Adobe Analytics’ tools on CMS’ websites that are stored on a user’s local browser. Adobe Analytics cookies are stored for two years. Mitigation: Adobe Analytics’ privacy policies, notices from CMS’ websites, information published by Adobe Analytics about its privacy policies, and the ability for consumers to opt out of providing their information to Adobe Analytics through the Tealium iQ Privacy Manager on CMS’ websites maximizes consumers ability to protect their information and mitigate risks to their privacy. Periodic reviews of how Adobe maintains Adobe Analytics on behalf of CMS are conducted to ensure these best practices are being followed. CMS will not deploy the Adobe Analytics tool if the website is not using Tealium iQ. Potential Risk: Adobe Analytics collects hundreds of data elements, including standard data elements and custom data elements. The list of standard data elements are all listed and can be found here: https://experienceleague.adobe.com/docs/analytics/technotes/privacy-overview.html. Data collection from user input into personal data form fields is possible, if configured to do so. For individual users, geographic data is collected, based on the IP address (device location is an approximation), the user’s device, device type, screen resolutions, flash version, browser, browser version, operating system and operating system version are all collected. In addition to the standard data elements collected, custom data is collected via ‘custom dimensions’ and ‘custom metrics’. For example, collecting information how many people download a PDF file by clicking a link. Mitigation: Adobe Analytics is configured to remove IP address, after geographic data is obtained and does not share actual IP address information with CMS as an additional step to safeguard CMS website users’ privacy. Data collection of any personal information form fields is not configured or setup as this data is not appropriate for collection in the Adobe Analytics platform. |
Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services