Privacy Policy

The Office of Management and Budget Memo M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies allows Federal agencies to use session and persistent cookies. When visiting CMS websites, a small text file called a "cookie" may be placed on a user's computer. This allows CMS to collect non-PII (personally identifiable information) data while the user is navigating through the website. CMS uses two types of cookies on its websites:

  • Session cookies are temporary text files that expire when a user leaves CMS websites. When cookies expire, they are automatically deleted from a user's computer.
  • Persistent cookies are multi-session cookies that are stored on a user's computer and expire 2 years after a user's last visit to CMS websites. After no more than 2 years, they are automatically deleted from a user's computer. CMS uses persistent cookies to collect non-PII data about users who frequently visit our websites, and to test variations of our site design and content to optimize our webpages. In the Office of Management and Budget (OMB) Memo 10-22 Guidance, our use of persistent cookies is defined as "Usage Tier 2 - Multi-session without Personally Identifiable Information (PII)," which "encompasses any use of multi-session Web measurement and customization technologies when no PII is collected."

If a user does not want cookies placed on their computer, they can set their browser to block them. Blocking these cookies from their computer will not affect a user's access to the content and tools on CMS websites. Instructions to opt out are available on Please note that by following the instructions to opt-out of cookies, you will disable cookies from all web sources, not just those from CMS websites.

When a user browses through any CMS website, information about their visit can be collected. CMS automatically collects and temporarily stores the following information about a user's visit:

  • the name of the domain a user uses to access the Internet (for example,, if they are using an American Online account, or, if they are connecting from Stanford University's domain);
  • the date and time of a user's visit;
  • the pages a user visited; and
  • the address of the website a user came from when they came to visit a CMS website.

CMS uses internal and third party data analytics tools, such as Google Analytics, to collect and aggregate this information to create reports and analyses, which are used to help CMS make our websites more useful to visitors. These data sets and reports are only available to web managers and other designated staff who require this information to perform their duties. CMS retains the data from these tools as long as needed to support CMS' mission. Again, there is no PII included in this data.

Users to CMS websites do not have to provide personal information to visit CMS web sites. If a user chooses to provide CMS with additional information about them through an e-mail message, form, survey, etc., CMS will only retain the information as long as needed to respond to the user's question or to fulfill the stated purpose of the communication.

However, note that all communications addressed to CMS are maintained, as required by law, for historical purposes. All of these communications are archived on a monthly basis. All communications addressed to CMS are protected by the Privacy Act which restricts our use of them, yet permits certain disclosures.

If CMS does store users' personal information in a record system designed to retrieve information about users by personal identifier (name, personal email address, home mailing address, personal or mobile phone number, etc.), so that CMS may contact users, CMS will safeguard the information provided to us in accordance with the Privacy Act of 1974, as amended (5 U.S.C. Section 552a).

If CMS operates a record system designed to retrieve information about users in order to accomplish its mission, a Privacy Act Notification Statement should be prominently and conspicuously displayed on the public-facing website or form which asks users to provide personally identifiable information. The notice must address the following 5 criteria:

  • CMS legal authorization to collect information about users
  • Purpose of the information collection
  • Routine uses for disclosure of information outside of CMS
  • Whether the request made of users is voluntary or mandatory under law
  • Effects of non-disclosure if users choose to not provide the requested information

While CMS will make every attempt to protect the personal information that users share with CMS, electronic mail is not secure against interception. If a communication is sensitive in nature, a user is advised to send it by postal mail instead.

The Office of Management and Budget Memo M-10-23 allows Federal agencies to use third-party websites and applications. There may be third-party websites, applications and/or services embedded on CMS websites to improve their functionality. Examples include YouTube, Facebook, Twitter, etc. CMS' integration of these products is intended to provide a seamless user experience and to improve our programs and serve the public (for example, improving our education and outreach materials and activities) but does not constitute endorsement of these products. CMS does not share information provided through third-party websites and does not collect personally identifiable information from third-party websites. Where applicable, privacy policies particular to these applications are provided.

CMS does not disclose, give, sell or transfer any personal information about visitors to CMS websites, unless required for law enforcement or by statute.

CMS websites are maintained by the U.S. Government. It is protected by various provisions of Title 18, U.S. Code. Violations of Title 18 are subject to criminal prosecution in federal court. For site security purposes and to ensure that this service remains available to all users, CMS employs software programs to monitor traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. In the event of authorized law enforcement investigations, and pursuant to any required legal process, information from these sources may be used to help identify an individual.

Some information originally collected by CMS through traditional paper systems can now be submitted electronically to CMS, i.e., electronic commerce transactions and information updates about eligibility benefits. Electronically submitted information is maintained and destroyed pursuant to the Federal Records Act, and in some cases may be subject to the Privacy Act. If information that a user submits is to be used in a Privacy Act system of records, there will be a Privacy Act Notice provided.