Update to United States Mint Ecommerce Order Management System II Privacy Impact Assessment: U.S. Mint Product Sales on Amazon.com (October 2019)

Adapted PIA for sales by the United States Mint’s Ecommerce Contractor through Amazon as required by OMB Memorandum M-10-23

1. The specific purpose of the agency’s use of the third-party website or application:

The United States Mint (sometimes referred to as “the Mint”) wishes to expand visibility and distribution of products it sells beyond its current channels, which now include a contractor-operated ecommerce site and related mobile application, along with over-the-counter sales at its Washington, DC and contractor-operated Philadelphia and Denver store locations, and at sales conventions and other events where it conducts sales directly. A presence on Amazon.com managed by the Mint’s ecommerce contractor Priority Fulfillment Services, Inc. (“PFS”) through which the Mint would offer a selection of its products could allow the Mint to reach consumers who already shop through Amazon’s websites but have not visited the Mint’s ecommerce site or simply prefer to make purchases through Amazon.

Amazon considers people who purchase products the Mint offers via Amazon (“Mint/Amazon Product(s)”) to be Amazon customers rather than Mint customers for purposes of their Mint/Amazon Product transactions (including any personally identifiable information (PII) they give to Amazon to complete transactions on Amazon). In accordance with PFS’ agreement with Amazon, in most cases PFS will respond to questions posted on the United States Mint Amazon storefront and will otherwise communicate with Mint/Amazon Product customers using Amazon’s proprietary customer communications system rather than through customer email. PFS will fulfill Mint/Amazon Product purchases through PFS’ contract with the Mint.

2. Any PII¹ that is likely to become available to the agency through public use of the third-party website or application:

For any unit of Mint/Amazon Products purchased, the information that will become available to PFS (“Mint/Amazon Information”) includes the following PII collected from purchasers by Amazon via its standard web form: the purchaser name, recipient name (if different), recipient shipping address, order number, recipient phone number, optional purchaser email (if provided), recipient email address, and customer-specified delivery instructions. Amazon (not PFS or the Mint) processes financial transactions for purchases of Amazon Products, and Amazon will not make any consumer financial transaction information such as credit card numbers or other payment information available to PFS or the United States Mint. The extent to which Mint/Amazon Information (including PII) may be shared with Mint personnel or others is discussed in Section 4 below.

Mint/Amazon Information will additionally include quantity of units to be shipped, SKUs (stock keeping units: alphanumeric characters that uniquely identify a product), purchase date, and shipping method. PFS will also have access to non-identifying aggregate data in Amazon’s platform, such as how often a product’s page is viewed (product views), aggregate sales for various time periods, and information on search terms and results that helps to improve product descriptions (site search information).

3. The agency’s intended or expected use of PII:

Applicable Policies: Websites not owned by the United States Mint are referred to here and in our online privacy policy statement as ‘third-party websites.’ People who visit a third-party website are subject to that site’s security and privacy policies, including those relating to use of PII. The Mint encourages people who wish to visit third-party websites like Amazon.com for browsing or shopping to review such sites’ privacy policies and understand how they use visitor and purchaser information. Amazon.com’s privacy policy can be found here. United States Mint privacy policies, including United States federal privacy laws, apply to persons who shop on the Mint’s own ecommerce site catalog.usmint.gov, and to data in United States Mint Privacy Act systems of records.

Fulfillment and Communications: PFS, the United States Mint’s ecommerce contractor, will use Mint/Amazon Information to fulfill orders for Mint/Amazon Products sold on Amazon’s website. To comply with Amazon’s seller-customer communication requirements, PFS will use Mint/Amazon Information (including PII) to communicate within Amazon’s proprietary system with purchasers and recipients about Amazon purchases. PFS will also use Mint/Amazon Information to communicate directly with shipping providers in connection with fulfilling orders, and to discuss transaction-related issues with Amazon itself.

Analytics: The reports of analytics PFS will receive from Amazon and provide to the Mint (on product views, aggregate sales for various time periods, site search, or other analytics Amazon collects from the Mint’s advertising on Amazon) will contain data solely in aggregate form without PII.

Marketing: PFS and the United States Mint will not use Mint/Amazon Information to promote the Mint’s services and products or to target people for promotions solely as a result of their purchases of Amazon Products on Amazon through PFS.

Effect of Amazon Shopping on Mint Ecommerce Site Browsing: As described in the Mint’s privacy policy, the Mint’s ecommerce site uses technology² to collect and use certain information (including Mint ecommerce site tracking) from people who have opted in to such actions by purchasing directly from the Mint’s own ecommerce site, subscribing to Mint email newsletters, or creating a Mint ecommerce site customer account. Some people whose names appear in Mint/Amazon Information may have separately visited the United States Mint’s ecommerce site and engaged in these opting-in activities. Neither PFS nor the United States Mint will use Mint/Amazon Information or the sole fact that a person purchases or receives Mint/Amazon Products to trigger these Mint data collections and uses if the person simply visits the Mint’s ecommerce site without engaging in an opting-in activity.

People who browse or shop on Amazon.com are subject to Amazon’s data collection and use policies, which are different from those applicable to the federal government. For people who prefer to buy Mint-distributed products offline, the United States Mint also offers phone sales at 1-800-USA-MINT and over-the-counter retail sales at its Washington DC headquarters, Denver and Philadelphia field sites, and at events and conferences.

4. With whom the agency will share PII:

PFS will receive the Mint/Amazon Information from Amazon, and will have access to the Mint/Amazon Information for customer service, fulfillment, storage and maintenance purposes. The United States Mint expects PFS to share Mint/Amazon Information with shipping service providers in order to fulfill orders. Mint/Amazon Information may also be disclosed to United States Mint employees to internally address order-related issues, and to Mint and other federal employees and contractors in connection with information security matters involving United States Mint systems and databases. Mint/Amazon Information is subject to disclosure as required by applicable law, and may be subject to routine use and other Privacy Act disclosures to the extent that Amazon Information is covered by the Privacy Act. Treasury/ United States Mint – .009 – Order Management System (OMS) covers records contained in the United States Mint OMS system of records.

5. Whether and how the agency will maintain PII, and for how long:

All PII (as defined in footnote one above) included in Mint/Amazon Information that is made available to PFS (or to the United States Mint from PFS) from transactions involving Mint/Amazon Products will be stored by PFS in the OMSII database in a segment dedicated to Amazon transactions. It will be retained by PFS in this dedicated segment of the OMSII database for the same duration as PFS maintains the Mint’s own customer order information. The United States Mint will not establish new, independent customer accounts for Mint/Amazon Product purchasers or recipients solely as a result of Mint/Amazon Product transactions. Mint/Amazon Information (including PII) is not combined with the account information of individuals who have or later establish their own customer accounts as a result of separate relationships with the United States Mint (independent of Amazon) created by purchasing directly from the Mint, subscribing to Mint email newsletters, or creating Mint customer accounts.

Records relating to Mint/Amazon Information contained in the United States Mint – .009 – Order Management System II (OMSII) system of record are retained in accordance with applicable National Archives and Records Administration (NARA) retention schedules. Records relating to orders, fulfillment, shipping, returns, inventory, and call center calls are retained for 6 years after final payment or cancellation, with longer retention authorized if required for business use. Records relating to customer inquiries, complaints and correspondence are retained for one year after resolution or when no longer needed for business use, whichever is appropriate.

6. How the agency will secure PII that it uses or maintains:

The United States Mint will secure Mint/Amazon Information containing PII that is stored in the Amazon customer field in the OMSII database in the same manner as the United States Mint secures its own customer data, as described in the original Privacy Impact Assessment for OMSII. Information is communicated between PFS and Amazon within Amazon’s secured application programming interfaces. All information is transferred between PFS and the Mint using secured channels that are regularly reviewed and monitored by the Mint and the Department of the Treasury. Non-PII data such as sales reports may be transmitted between PFS and the Mint using email or approved file-sharing systems, while data containing PII is required to be transmitted in encrypted form.

7. What other privacy risks exist and how the agency will mitigate those risks:

As noted above, people choosing to make purchases through Amazon are Amazon customers and are subject to Amazon privacy and data use policies (available on Amazon’s sites), which are different from those applicable to the federal government. For customers who prefer to do business with the federal government and be covered by the Mint’s privacy practices and applicable laws, United States Mint-offered products are available for purchase directly from the Mint on its ecommerce web site, at its facility-based stores including those operated by contractors, and through the bureau’s sales at trade shows and conferences it attends. United States Mint’s coins and currency products are also sold by other dealers online and in stores throughout the United States and elsewhere.

A person who purchases Mint/Amazon Products on Amazon.com submits order and recipient information to Amazon. Amazon then provides PFS with the purchaser’s name and email and the shipment recipient’s name and email, along with the order number, SKU, quantity, purchase date, and shipping method. This means that a purchaser who chooses to ship a product to a different recipient will provide the recipient’s name, shipping address and email address to Amazon and to PFS without the recipient’s participation. As indicated above, subject to the limited potential sharing noted in Section 4, PFS will not use recipient information (or any other Mint/Amazon Information) for any purpose other than management and fulfillment of the order.

8. Whether the agency’s activities will create or modify a “system of records” under the Privacy Act:

The United States Mint has an existing system of records, Treasury/ United States Mint – .009 – Order Management System (OMS), for its ecommerce customer database. The Mint’s ecommerce contractor, PFS, will retrieve orders for Mint/Amazon Products from Amazon and will fulfill orders for Mint/Amazon Products. To do so, PFS will store Mint/Amazon Information in a dedicated Amazon customer field in the United States Mint’s ecommerce database that is further organized by the name of the recipient, who may be the Amazon purchaser or a third-party recipient. Information will be retrieved from the Amazon section of the OMSII database by the Amazon field, Amazon order number, and the name of the Amazon recipient or purchaser.

¹ Personally Identifiable Information (PII) definition from OMB M-17-12: The term “PII,” as defined in OMB Memorandum M-17-12 refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can be used to distinguish or trace an individual’s identity, the term PII is necessarily broad. To determine whether information is PII, the agency shall perform an assessment of the specific risk that an individual can be identified using the information with other information that is linked or linkable to the individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information becomes available – in any medium or from any source – that would make it possible to identify an individual.

² Tier III multisession technology with PII, for which the Mint has obtained the required permissions under OMB M-10-22.
