Attach 6_ChallengegovPrivacyPrimer

CHALLENGE.GOV: GUARDING USERS’ PRIVACY
Challenge.gov Protects Citizens’
Personal Information.
Challenge.gov provides all agencies with an easy way to launch and publicize challenges
while effectively safeguarding the personal information of users and complying with
current privacy laws and policies.
The policy framework that guides Challenge.gov’s privacy strategy is OMB Memorandum
10-23, Guidance for Agency Use of Third-Party Websites and Applications. The guidance
emphasizes that agencies operating third-party services should rigorously assess the
service’s privacy practices, and point users to the underlying service’s privacy policy. In
using Challenge.gov, your agency meets both of these standards by operating,
respectively, under our global Privacy Impact Assessment and Privacy Statement.
Challenge.gov is classified as a a third-party service for privacy purposes, since the PII
submitted during registration is collected and maintained by ChallengePost and is not
available to the U.S. Government. Therefore, Challenge.gov is not a privacy act system of
record, and does not require a System of Records Notice (SORN). This fact is made
transparent to all Challenge.gov users by:
Placing the ChallengePost logo on the site’s “Log In/Sign Up” button;
Placing the ChallengePost logo at the top of the site’s registration form;
Including on the registration form the prompt, “Log in securely to Challenge.gov
with your ChallengePost account”; and
Clearly stating this fact in the site’s global privacy statement and the associated
Privacy Impact Assessment.
The one instance in which Challenge.gov solicits personally-identifiable information, or
PII, is during the registration process. The site asks users to submit their first and last
name and e-mail address, along with a username and optional “location” (actually an
unverified free-form text field).
Challenge.gov makes use of persistent cookies for customization and measurement
purposes. These cookies do not collect any PII and are therefore Tier 2 under the
classification scheme contained in OMB Memorandum 10-22, Guidance for Online Use of
Web Measurement and Customization Technologies. The use of persistent cookies on the
site, and instructions for opting out of them if desired, are spelled out clearly in the site’s
privacy policy.
Some individual agency contests may require agencies to solicit PII from winning entrants
in order to award prizes. This is not covered under Challenge.gov’s overarching PIA, but
agencies should check with Financial or Privacy officials to see if another pre-existing PIA
covers the collection of PII for the purpose of making payments to individuals.
Challenge.gov also seeks to protect children’s privacy, in accordance with the Children’s
Online Privacy Protection Act of 1998, or COPPA. The site is not aimed at and does not
knowingly accept registrations from children under the age of 13, and includes an age
filtering mechanism at registration. Contests aimed at children under age 13 must have a
parent or guardian submit entries on their child’s behalf. The Challenge.gov privacy
statement provides clear instructions for both children and adults on how to use
Challenge.gov responsibly.

FACTS AT A GLANCE
Your agency can use
Challenge.gov without
completing a PIA and Privacy
Policy; GSA has already
completed one that extends
to all agencies’ use of the
platform.
Challenge.gov uses an
authentication system
operated by ChallengePost.
This fact is made transparent
to users of the site in several
different ways.
PII collected at registration is
not available to the U.S.
Government, and therefore
Challenge.gov is not a Privacy
Act System of Record and
does not require a SORN.
Challenge.gov uses persistent
cookies for customization and
analytics. These do not
collect PII, and clear opt-out
instructions are contained in
the site’s Privacy Policy.
You may need to collect
additional PII to award the
prize for a challenge. That is
not covered by the standard
PIA for Challenge.gov.
However, your agency may
already have an existing PIA
that covers it.

Additional questions? E-mail us!
[email protected]