Date:
9/16/16
OPDIV:
CMS
TPWA Unique Identifier (UID):
T-4739149-151107
Tool(s) covered by this TPWA:
Twitch Advertising
Is this a new TPWA?
Yes.
If an existing TPWA, please provide the reason for revision:
Not applicable (N/A).
Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?: No.
If yes, indicate the SORN number (or identify plans to put one in place.):
N/A because CMS is not receiving any personally identifiable information (PII) from Twitch.
Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?
No.
If yes, indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.)
OMB Approval Number:
N/A.
Expiration Date:
N/A.
Does the third-party Website or application contain Federal Records?
No.
Describe the specific purpose for the OPDIV use of the third-party Website or application:
Twitch is an online video sharing platform that allows consumers to view, upload, and share video content, often related to video gaming. The platform also allows users to broadcast live-streamed content related to video games, such as commentary at video game conventions or announcing at competitive events. The platform facilitates viewers’ engagement with the content through commenting, sharing videos, and engaging in real-time chats during live-streaming. The platform is used by consumers, gamers, video game developers, broadcasters, media outlets, and others.
Advertising on Twitch can include video, display, and native products. Twitch collects consumer information such as name, email address, postal mailing address, home and mobile telephone numbers, and credit card and billing information from registered users of the Twitch platform. This information is collected when users register for a Twitch service, or upload, purchase, view or download certain content from the service, enter contests or sweepstakes, or otherwise use the features and functionality of Twitch. Additionally, Twitch collects behavior information from users as they use the service (for example, when accessing one of the services). Twitch also obtains information, including personal information, from third parties, such as advertisers or social media networks for which consumers have given approval. For example, Twitch users can link their Facebook accounts to Twitch.
Twitch Advertising enables CMS to serve video, display, and native advertising to consumers. The video ads include cross-screen videos, desktop videos, and mobile videos. These can be shown before a consumer views Twitch content (as part of the Twitch video) or on other places on the platform. The consumer has the option of clicking on the ad for more information about the specific CMS program advertised. When the consumer clicks on the advertisement, the user is sent to HealthCare.gov. These ads are used to educate consumers about CMS programs. Display ads include various banner sizes and placements. Native ad products include featured games, newsletters content placement, and Twitch special content. Twitch will provide aggregate reports to CMS showing ad performance. These reports will not contain PII.
Twitch may disclose aggregate non-personal information to third parties to assist these parties in understanding use patterns for certain programs, content, services, advertisements, promotions, or other functionality of Twitch and to help personalize content to consumers who access and use the Twitch services, including advertising content.
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?
Yes. The review has determined that the Website is appropriate for OPDIV use, taking into account the risks posed by the following: the use of cookies, pixels, and web beacons for targeted advertising based on sensitive information; the ability for other advertisers to improve targeting based on aggregated non-personal information derived from this advertising campaign; and the use of information leading to identification of CMS website visitors.
Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:
If consumers do not want to interact with advertisements from Twitch, consumers can learn about CMS campaigns through other advertising channels such as TV, radio, CMS websites and in-person assisters and events.
Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?
Yes. Advertisements will be displayed within the Twitch platform, which features prominent Twitch branding.
How does the public navigate to the third party Website or application from the OpDiv?
N/A. There is no link from HealthCare.gov to Twitch’s website or mobile services. CMS uses Twitch Advertising to place digital advertising within Twitch’s platform in order to educate users about HealthCare.gov.
Please describe how the public navigates to the third party website or application:
The public can visit Twitch directly by typing the address www.twitch.tv into their browsers, clicking on a link to this website address, or downloading and opening the Twitch application onto the consumer’s mobile device, gaming console, or TV streaming device.
If the public navigates to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?
N/A. There is no link from HealthCare.gov to Twitch’s website or mobile services.
Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?
Yes.
Provide a hyperlink to the OPDIV Privacy Policy:
https://www.healthcare.gov/privacy/
Is an OPDIV Privacy Notice posted on the third-party Website or application?
N/A. CMS ads are embedded into Twitch’s platform.
Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy.
N/A.
Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available?
N/A.
Is PII collected by the OPDIV from the third-party Website or application?
No. Twitch does not provide PII to CMS.
Will the third-party Website or application make PII available to the OPDIV?
No. Twitch does not provide PII to CMS.
Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:
N/A. CMS does not collect any PII through the use of Twitch Advertising.
Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
N/A. CMS does not receive any PII through the use of Twitch Advertising.
If PII is shared, how are the risks of sharing PII mitigated?
N/A.
Will the PII from the third-party Website or application be maintained by the OPDIV?
N/A.
If PII will be maintained, indicate how long the PII will be maintained:
N/A.
Describe how PII that is used or maintained will be secured:
N/A. CMS will not receive any PII from Twitch Advertising.
What other privacy risks exist and how will they be mitigated?
CMS will conduct periodic reviews of the Twitch privacy policy to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to users’ privacy interests. CMS employs Twitch Advertising solely for the purposes of improving CMS services and activities online.
Use of Cookies and Web Beacons for Targeted Advertising Based on Sensitive Information
Potential Risk:
The use of cookies, web beacons, and pixels generally presents the risk that an application could collect information about a user’s activity on the Internet for purposes that the user did not intend. The unintended purposes include providing users with behaviorally targeted advertising, including advertising that is behaviorally targeted, based on information the individual user may consider to be sensitive.
Additional Information:
Twitch and its service providers collect non-personally identifiable information by placing a cookie or pixel (also known as a web beacon) on HealthCare.gov and on advertisements sponsored by CMS on Twitch. A pixel (or web beacon) is a transparent graphic image (usually 1 pixel x 1 pixel) that is placed on a web page and allows Twitch to collect information regarding the use of the web page. A cookie is a small text file stored on a website visitor’s computer that allows the site to recognize the user and keep track of preferences. These technologies provide information about when a visitor clicks on or views an advertisement. Twitch uses that information to judge which advertisements are more appealing to users and which result in greater conversions. They allow Twitch to target advertising behaviorally, by tracking users across multiple sites and over time, and the resulting combined information could reveal patterns in behavior that the user may not want to disclose to Twitch, because they may include information considered to be sensitive by the user.
CMS advertising displayed through Twitch will carry persistent cookies that enable CMS to display advertising to individuals who have previously visited HealthCare.gov. In this instance, the persistent cookie will be stored on the user’s computer for up to 30 months, unless removed by the user.
Mitigation:
Both HealthCare.gov and Twitch provide users information about the use of targeted advertising, different types of cookies used in the respective websites, the information collected about users, and the data gathering choices they have in their website privacy policies.
Tealium iQ Privacy Manager is a tool that keeps track of users’ preferences in reference to tracking and will prevent web beacons from firing when a user has opted out of tracking for advertising purposes. When a user is routed to HealthCare.gov by clicking on a CMS advertisement displayed on Twitch, and the Tealium iQ Privacy Manager is present on HealthCare.gov, users are able to control which cookies they want to accept from HealthCare.gov. Tealium iQ Privacy Manager can be accessed through information provided on the privacy policy on HealthCare.gov. There is a large green “Modify Privacy Options” button that turns off the sharing of data for advertising purposes that can be accessed through the HealthCare.gov privacy policy.
The ability to control which cookies users want to accept is only valid when Tealium iQ Privacy Manager is installed on the website. Another alternative is for users to disable cookies through their web browser. Separately, CMS includes the Digital Advertising Alliance AdChoices icon on all targeted digital advertising. The AdChoices icon is an industry standard tool that allows users to opt out of being tracked for advertising purposes, like the Tealium iQ Privacy Manager.
Twitch offers users the ability to opt-out of Twitch advertising cookies through the following processes:
- Opt-out of advertising at: https://www.twitch.tv/p/privacy-policy# by emailing privacy@twitch.tv
- Visiting the “Settings” page once a user has logged into the service
- Click on the “Ad Choices” logo in the corner of an ad served by Twitch, or by clicking on the link provided in AdChoices link in the Twitch privacy policy, which provides consumers with the ability to opt-out of data collection for behavioral advertising by all companies who participate in the Digital Advertising Alliance.
Targeting, Retargeting and Conversion Tracking and the Ability for Other Advertisers to Improve Targeting Based on Information from this Advertising Campaign
Potential Risk:
Twitch Advertising targets consumers based on information provided by or collected from users. Twitch uses data derived from automatically collected information and cookie information aggregated by Twitch, combined with information about a user’s behavior across multiple sites and over time. Twitch may also combine this data with PII, provided to Twitch by its users. The consumer may consider their web behavior to be sensitive. These patterns in behavior could also enable and improve targeting by other advertisers who are Twitch customers, who may wish to target consumers for purposes related to the health insurance sector.
Additional Background:
Third party data targeting through vendors such as Twitch allows for the deployment of ads to consumers whose on-site actions, such as clicks or sharing of various types of content, match specific attributes an online advertiser is looking to target. Behavioral targeting deploys ads to consumers whose on-site actions match specific attributes considered desirable by online advertisers. Retargeting is a form of behavioral targeting used by online advertisers to present ads to users who have previously visited a particular site. Conversion tracking allows advertisers to measure the impact of their advertisements by tracking whether users who view or interact with an ad later visit a particular site or perform desired actions on such site, such as signing up for a program or requesting further information. CMS will engage Twitch Advertising to use these advertising techniques to deliver CMS digital advertising to persons who are more likely to be interested in CMS advertising content. However, Twitch will not share any PII with CMS from the utilization of these tactics.
Behavioral targeting, retargeting, and conversion tracking enables CMS to improve the performance of ads by delivering them to persons most likely to be interested in the ad content. It will also enable CMS to provide further information to consumers who have previously visited a CMS website, such as deadlines, new developments, or reminders to complete a survey.
Mitigation:
Twitch does not collect or share data that is specific to a CMS campaign for the purposes of creating or refining audience targeting. Instead, Twitch Advertising collects aggregate level “interaction” data to identify consumers that are most likely to interact with an ad from a specific industry (e.g., health insurance) for the purposes of improving the ability of advertisers to reach consumers who are more likely to interact with their advertising. Twitch Advertising does not allow for the targeting of consumers who have specifically interacted with an ad from CMS.
When a user is routed to HealthCare.gov by clicking on a CMS advertisement displayed through Twitch, and the Tealium iQ Privacy Manager is present on HealthCare.gov, users are able to control which cookies they want to accept from HealthCare.gov. Tealium iQ Privacy Manager can be accessed through information provided on the privacy policy on HealthCare.gov. There is a large green “Modify Privacy Options” button that turns off the sharing of data for advertising purposes that can be accessed through the HealthCare.gov privacy policy.
The ability to control which cookies users want to accept is only valid when Tealium iQ Privacy Manager is installed on the website. Another alternative is for users to disable cookies through their web browser. Separately, CMS includes the Digital Advertising Alliance AdChoices icon on all targeted digital advertising. The AdChoices icon is an industry standard tool that allows users to opt out of being tracked for advertising purposes, like the Tealium iQ Privacy Manager.
Twitch offers users the ability to opt-out of Twitch advertising cookies through the following processes:
- Opt-out of advertising at: https://www.twitch.tv/p/privacy-policy# or by emailing privacy@twitch.tv
- Visiting the “Settings” page once a user has logged into the service
- Click on the “Ad Choices” logo in the corner of an ad served by Twitch, or by clicking on the link provided in AdChoices link in the Twitch privacy policy, which provides consumers with the ability to opt-out of data collection for behavioral advertising by all companies who participate in the Digital Advertising Alliance.
Twitch Profiling Leading To Identification of CMS Website Visitors
Potential Risk:
Twitch’s access to both personally identifiable and non-personally identifiable data about registered Twitch users presents the risk that CMS site visitors who are also registered Twitch users could be identified, and that data about these users could be misused by Twitch.
Mitigation:
CMS does not receive any personally identifiable information from Twitch Advertising. CMS receives aggregated performance data in the form of statistical reports, including reports on clicks, views, and impressions (exposure to an advertisement) of CMS digital advertising, that are made available to CMS managers who implement CMS programs, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their duties. In addition, Twitch publicly states that if they combine or associate information from other sources with personal information that they collect through the Twitch Service, they will treat the combined information as personal information in accordance with their Privacy Policy.
Twitch Advertising provides information on the types of information collected about users in its privacy policy, as well as choices with respect to such information collection or how it is used. Users can opt-out of this tracking through the processes listed above under the “Persistent Cookies & Web Beacon” section.