HULU
Date signed: 9/27/2019
| TPWA PIA Questions | TPWA PIA Answers |
|---|---|
| OPDIV: | CMS |
| TPWA Unique Identifier (UID): | T-5113050-391060 |
| Is this a new TPWA? | Yes |
| Please provide the reason for revision. | |
| Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? | No |
| Indicate the SORN number (or identify plans to put one in place.) |
|
| Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? | No |
| Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) |
|
| Does the third-party Website or application contain Federal Records? | No |
| Describe the specific purpose for the OPDIV use of the third-party Website or application: | CMS will use Hulu to deliver behaviorally targeted digital video advertising to relevant audiences by tracking user online activities across various websites over time and by utilizing first party data provided to Hulu at the time of account creation. Hulu does not collect PII in the course of these advertising activities and therefore, does not share PII with CMS. Hulu collects IP address, age, gender, and device ID. Hulu provides CMS with conversion tracking reports to allow CMS to determine the effectiveness of advertising campaigns. Conversion tracking provides information about users’ activities regarding ads, including whether an ad is clicked on or a transaction is completed. The CMS websites which may utilize Hulu are; www.CMS.gov, www.Medicare.gov, www.MyMedicare.gov, www.Medicaid.gov, www.InsureKidsNow.gov, HealthCare.gov, and CuidadoDeSalud.gov. |
| Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? | Yes |
| Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: | If consumers do not want to interact with advertisements from Hulu, consumers can learn about CMS campaigns through other advertising channels such as TV, radio, CMS websites and in-person events. |
| Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? | No |
| How does the public navigate to the third party Website or application from the OPIDIV? | Other... |
| Please describe how the public navigate to the third-party website or application: | Not Applicable. The CMS websites do not link to Hulu |
| If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? | No |
| Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? | Yes |
| Provide a hyperlink to the OPDIV Privacy Policy: | https://www.cms.gov/privacy/ https://www.healthcare.gov/privacy/ https://www.medicare.gov/privacy-policy/index.html |
| Is an OPDIV Privacy Notice posted on the third-party Website or application? | No |
| Is PII collected by the OPDIV from the third-party Website or application? | No |
| Will the third-party Website or application make PII available to the OPDIV? | No |
| Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: | Not applicable. CMS does not collect any PII through the use of Hulu. |
| Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: | Not applicable. Hulu does not collect or share PII on behalf of CMS. If a consumer chooses to connect their Hulu account through a third-party service such as Facebook, Hulu may collect your user ID and user name associated with that service. No information will be shared with CMS and any data collection will be authorized at the point of connection between Hulu and other third-party services. |
| If PII is shared, how are the risks of sharing PII mitigated? | N/A. Neither the OpDiv or the application will be collecting PII. |
| Will the PII from the third-party Website or application be maintained by the OPDIV? | No |
| If PII will be maintained, indicate how long the PII will be maintained: | Not applicable. CMS does not collect any PII through the use of Hulu. |
| Describe how PII that is used or maintained will be secured: | Not applicable. CMS does not collect any PII through the use of Hulu. |
| What other privacy risks exist and how will they be mitigated? | CMS will conduct periodic reviews of Hulu’s privacy policy to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to user’s privacy interests. CMS uses Hulu solely for the purposes of improving consumer engagement with CMS services by directing consumers to CMS websites using targeted advertising. Potential Risk: The use of cookies, pixels, and web beacons generally presents the risk that an application could collect information about a user’s activity on the Internet for purposes that the users did not intend. The unintended purposes include providing users with behaviorally targeted advertising, based on information the individual user may consider to be sensitive. In Hulu’s case, the information maintained by Hulu includes sensitive data that users voluntarily provide to Hulu at account creation and their behaviors while using the services, as well as any third-party data that Hulu combines with this information. Use of these segments to deliver CMS advertising to these populations may be considered by some individuals to be delivering advertising based on sensitive criteria. Additional Background: Hulu collects non-personally identifiable information by placing a cookie or pixel (also known as a web beacon) on CMS websites and on advertisements sponsored by CMS on third party websites or in-app. The non-personally identifiable information collected by Hulu may include; IP address, browser types, operating systems, domain names, access dates and times, referring website addresses, online transactions. browsing and search activity, in-app engagement. Mitigation: CMS and Hulu provide consumers with information about the use of persistent cookies and related technologies. Tealium iQ Privacy Manager is a tool that keeps track of users’ preferences in reference to tracking and will prevent web beacons from firing when a user has opted out of tracking for advertising purposes. When a user is routed to CMS websites by clicking on a CMS advertisement displayed through Hulu and the Tealium iQ Privacy Manager is present on CMS websites, users are able to control which cookies they want to accept from CMS websites. Tealium iQ Privacy Manager can be accessed through information provided on the privacy policy on CMS websites. There is a large green “Modify Privacy Options” button that turns off the sharing of data for advertising purposes that can be accessed through the CMS webs |
Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services