Optimizely

The Centers for Medicare & Medicaid Services (CMS) uses Optimizely to support CMS’ websites, including CMS.gov, Medicare.gov, MyMedicare.gov, HealthCare.gov, CuidadoDeSalud.gov, Medicaid.gov, InsureKidsNow.gov, and various subdomains of the above top-level domains (TLDs). These TLDs are hereafter referred to as “CMS’ websites.” Optimizely is a technology platform that supports customer experience optimization. Optimizely provides the ability to conduct A/B or split screen testing, multipage and multivariate testing and is used for making data-driven decisions. The CMS staff analyze and report using the collected data from Optimizely. The reports are available only to CMS managers, teams who implement CMS represented on CMS’ websites, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their duties.

CMS uses this information to determine what types of changes need to be made to CMS’ websites to improve the user experience for visitors by delivering different user interfaces to consumers and observing which allows consumers to perform a task easier.

No

CMS will use Optimizely in a manner that protects the privacy of consumers who visit
CMS’ websites and respects the intent of visitors. CMS will conduct periodic reviews of Optimizely's privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy. Optimizely is employed solely for the purposes of improving CMS’ services and activities online related to operating CMS’ websites. Information collected by Optimizely is created and maintained by Optimizely.

Potential Risk :
Optimizely's tools use persistent cookies on CMS’ websites and can be stored on a user’s local system. The maximum length of time that Optimizely cookies exist on a user's local system is two years. This timeframe helps CMS to evaluate year to year and target tests to audiences based on actions taken in a prior year's open enrollment period.

Mitigation:
Users can opt-out of Optimizely by using the Tealium iQ Privacy Manager on each CMS website’s privacy page. Alternatively, a consumer can disable their cookies, if they do not want their information to be collected. Optimizely's privacy policies, notices from CMS websites and
Optimizely informing consumers of its privacy policies, and the ability of consumers to opt out of providing their information to Optimizely, mitigate risks to consumer privacy.
For consumers that do not opt out, CMS has configured its use of Optimizely to mask IP addresses before being stored to add additional safeguards to ensure that this data cannot be connected with other data.

CMS will not deploy the Optimizely tool if the website is not using Tealium iQ.  

Potential Risk :
In addition to using persistent cookies, Optimizely uses local object storage such as HTML5.

Mitigation:
Local object storage, can store data within the user's browser. Local object storage is more secure, and large amounts of data can be stored locally, without affecting website performance. Unlike cookies, the storage limit is far larger and information is never transferred to the server. Users can opt-out of Optimizely by using the Tealium iQ Privacy Manager on each CMS website’s privacy page. Alternatively, users have the ability to block this functionality in the browsers Flash player settings manager, Global Privacy Settings panel.

Potential Risk:
CMS also recognizes that if Optimizely is not implemented correctly in relation to CMS’ websites, personal information could be collected about visitors.

Mitigation:
To mitigate this risk, CMS only allows a limited number of trained and credentialed staff or contractors to implement Optimizely.