Tealium

• SORN Number: Not applicable
• If not published: Not applicable

• OMB Approval Number: Not applicable
• Expiration Date: Not applicable
• Explanation: Not applicable

Many of the third-party tools used in connection with the Centers for Medicare & Medicaid Services’ (CMS’) websites, including CMS.gov, Medicare.gov, MyMedicare.gov, HealthCare.gov, CuidadoDeSalud.gov, Medicaid.gov, InsureKidsNow.gov, and various subdomains of the above top- level domains (TLDs), rely on cookies or web beacons to perform their functions.

These TLDs are hereafter referred to as “CMS’ websites.” CMS uses Tealium includes Tealium as a solution for CMS staff to manage these cookies and web beacons from a single interface. Specifically, Tealium allows CMS to control, which cookies or web beacons are enabled/disabled, and thus which third-party tools are enabled/disabled. Tealium adds, removes and modifies code across CMS’ websites. Many of the tools CMS uses to gather data on visitors’ onsite behavior and interactions  and monitor the health of HealthCare.gov CMS Websites are deployed using Tealium. Tealium gives CMS and its staff and contractors an easy way to manage all of these tools.

Tealium also includes the iQ Privacy Manager which offers opt-in or opt-out choices to site visitors and gives site visitors control over which tags or cookies you want to accept while you visit the site. The Tealium Universal Data Hub also allows CMS to define custom attributes and audiences for the purpose of audience discovery, and to syndicate enriched data or trigger action directives via 3rd party applications.

CMS will use Tealium in a manner that protects the privacy of consumers who visit
CMS’ websites and respects the intent of visitors. CMS will conduct periodic reviews of Tealium’s privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy. Tealium is employed solely for the purposes of improving CMS' services and activities online related to operating CMS’ websites. Information collected by Tealium is created and maintained by Tealium.

Potential Risk: 
Persistent cookies are used by third party Tealium’s tools on CMS’ websites to collect user’s information such as IP address, host name, operating system, browser, screen resolution, timestamp, etc. These cookies are stored on a user’s local browser. Persistent cookies remain in your browser after you close your browser or turn off your computer. With the exception of the Tealium "Privacy Manager" cookie discussed below, Tealium cookies remain on users’ browsers for one year.

The Tealium "Privacy Manager" feature creates a cookie that and has a lifespan of 3 years. This cookie only stores information about consumer's privacy settings to ensure their preferences are saved. Because the Privacy Manager works using a cookie that is installed on a site visitor's browser, the opt-in and opt-out choices made through the Privacy Manager will only be effective on the device through which a user makes opt-in or opt-out choices using the Privacy Manager, and a user's choices will expire after 3 years when the Privacy Manager cookie expires. Thereafter, users must revisit the Privacy Manager to renew their opt-in and opt-out choices.

Mitigation: 
Tealium’s privacy policies, notices from CMS’ websites, information published by Tealium about its privacy policies, and the ability for consumers to disable cookies and opt out of providing their information to Tealium maximizes consumers ability to protect their information and mitigates risks to their privacy.

Potential Risk: 
CMS also recognizes that if Tealium is not implemented correctly in relation to CMS’ websites, personal information could be collected about visitors.

Mitigation: 
Therefore, to mitigate this risk, CMS only allows a limited number of trained and credentialed staff or contractors to implement Tealium.