Safe Harbor in a nutshell
During October 1998, the European Commission’s Directive on Data Protection was enacted, prohibiting the transfer of personal data from European Union (EU) member states to non-EU nations that did not meet the privacy protection standard. In order to facilitate the transfer of information between EU-based organizations and US-based organizations, the Safe Harbor framework was developed.

US-based organizations may qualify for Safe Harbor statues in two different ways. They may join self-regulatory privacy programs following the requirements of Safe Harbor. Alternatively, they may choose to develop organization-specific self-regulatory privacy policies, in line with the requirements of Safe Harbor.

What is CARU?
In 1974, the Children’s Advertising Review Unit (CARU) was created in order to promote responsible advertising to children. CARU was developed as a component of a strategic alliance amongst the major US advertising trade associations, including the American Association of Advertising Agencies (AAAA), American Advertising Federation (AAF), Association of National Advertisers (ANA) and the Council of Better Business Bureaus (CBBB).

CARU is in charge of children’s advertising issues within the advertising industry’s self-regulation program. It assesses the truthfulness, accuracy and consistency of child-directed advertising and assists advertisers in dealing with child audiences responsibly. CARU does so by advancing compliance with its Self-Regulatory Guidelines for Children’s Advertising, the Children’s Online Privacy Protection Act of 2000 (COPPA) and other relevant laws.

The CARU Safe Harbor Program
As of January 2001, the CARU self-regulatory program was approved as Safe Harbor-compliant, under the Children’s Online Privacy Protection Act (COPPA). It was also the first such program to the FTC-approved. Organizations that comply with CARU Guidelines are also in compliance with the COPPA, thus insulated from FTC enforcement action.

Compliance with CARU’s Safe Harbor Program is dependent on the following elements:
• Adhering to the requirements in the CARU Safe Harbor Compliance Checklist
• Compliance with the CARU Self-Regulatory Guidelines for Children’s Advertising
• Review by CARU staff of the web site’s information practices; completion of Initial Website Review & Seeding form
• Continuous monitoring of web site by CARU staff to ensure compliance with the Safe Harbor framework
• Completion of CARU Self-Assessment Form and Attestation by Safe Harbor participant

CARU Safe Harbor Compliance Checklist
This checklist makes up a critical component of the Safe Harbor compliance, as discussed above. The checklist includes the Safe Harbor principles and is specific to web sites advertising to child audiences. The following elements are on the CARU Safe Harbor Compliance Checklist:
1. Provide notice
2. Obtain verifiable parental consent
3. Limit collection, use and disclosure of personal information collected from children
4. Provide access upon verification of parental identity
5. Maintain reasonable security

The elements of the checklist are explored in greater detail below:

1. Provide Notice
In accordance with the Safe Harbor principles, privacy notices should be clearly written and easily understandable. They should not contain irrelevant, confusing or contradictory statements. There are two different types of notices that are required of CARU Safe Harbor participants: a Notice of Information Practices and a Direct Notice to Parents.

The Notice of Information Practices is also referred to as the “Web Site Notice,” or “Children’s Privacy Policy.” Such a notice requires a prominent link on the site’s home page and in each area where personal information is collected from children. This notice must state all of the following information:
• Name, address, phone number and email of the operators responsible for the collection and maintenance of personal information collected from children through the site.
• Types of personal information that is collected from children.
• Identification of the means of collection of the information (i.e. directly or passively).
• How the personal information is being used, or will be used.
• If the personal information will be disclosed to third parties. If this is being done, then the notice must state the types of businesses in which third parties are engaged; the purpose of such personal information; and if the third parties are committed to maintaining the security and confidentiality of the information collected.
• An option for the parent to agree to the collection and use of the child’s information, that is not dependent on consent for disclosing information to third parties.
• The child cannot be required to disclose more information than reasonable necessary to participate in the web site activities.
• The parent has the right to review the child’s personal information, request that it be deleted, and prevent any further collection or use of the personal information.
• Procedures for the parent to review or delete their child’s personal information and prevent ongoing use or disclosure.

The Direct Notice to Parents must include the following information:
• The same information stated in the Notice of Information Practices (as listed above).
• The web site operator wishes to collect personal information from the child.
• Request for the parent’s consent to collect this personal information. This consent is required for the collection, use and disclosure of personal information.
• Methods for providing parental consent.

2. Obtain Verifiable Parental Consent
Web site operators are obliged to obtain verifiable parental consent before the collection, use or disclosure of children’s personal information. Such consent may be obtained in the following ways:
• When personal information is being collected for internal use only. In this case, email may be used to obtain parental consent. This also requires the additional steps of a follow-up email, letter or phone call to verify the consent. This method was used prior to April 21, 2002.
• When personal information is being made publicly available, such as in a chat room, message board, personal home page, profile, or email account. OR, when personal information is being disclosed to third parties.

In such cases, website operators are obliged to employ a more reliable means of securing parental consent. This may include: (a) A form with a parent’s signature through postal mail or fax; (b) A credit card number in connection with a transaction; (c) A toll-free phone number managed by trained personnel; (d) Email consent in conjunction with a digital signature from a parent; (e) Email consent in conjunction with a PIN or password; (f) Consent through a CARU-approved method. After April 21, 2002, only these methods were acceptable for securing parental consent.

3. Limit Collection, Use and Disclosure of Personal Information Collected from Children
Web site operators are prohibited from conditional a child’s participate on the basis of disclosing more personal information than is reasonably necessary to participate. The collection of personal information from a child ought to be limited to that which is reasonable for participation. For instance, a web site operator cannot offer a prize for greater disclosure of personal information. Parents should also be given the option to consent to the collection and use of their children’s personal information. They should also be permitted to prevent disclosure of such information to third party affiliates.

4. Provide Access upon Verification of Parental Identity
Upon parental request, web site operators are obliged to disclose both the type of information collected from children and the specific information that has been collected. Parents are permitted, at any time, to refuse further use or future collection of personal information from their child. They can also ensure the deletion of their child’s personal information. However, before this happens, operators must verify the identity of the parent in the same methods used for securing parental consent (i.e. those listed in “2. Obtain Verifiable Parental Consent”).

5. Maintain Reasonable Security
Web site operators are obliged to create and implement reasonable mechanisms for protecting the confidentiality, security and integrity of children’s personal information. Examples of such mechanisms include:
• Appropriately destroying unnecessary personal information.
• Limiting employee access to personal information.
• Ensuring physical security of servers.
• Encrypting data during transmission.
• Using firewalls.

Summary
This article looks at the EU-US Safe Harbor framework in light of the CARU Safe Harbor Program, which aims to protect children’s online privacy and meet the requirements of the COPPA (Children’s Online Privacy Protection Act). The CARU program is partially based on the Safe Harbor Compliance Checklist. This checklist is made of the following five elements: (1) Provide Notice; (2) Obtain Verifiable Parental Consent; (3) Limit Collection, Use and Disclosure of Personal Information Collected from Children; (4) Provide Access upon Verification of Parental Identity; and (5) Maintain Reasonable Security.

CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional (CIPP) exam; the Certified Information Privacy Professional/Canada (CIPP/C) exam; the Certification Foundation (Foundations) exam; and the Certified Information Privacy Professional/Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:
• E.U. Data Protection Directive (95/46/EC) (Foundations: I.D.a.ii.2.)
• E.U. Data Protection Directive – Safe Harbor Status (CIPP/C; II.A.b.iii.)
• International Data Transfers (CIPP; II.C.e.)
• Multinational Compliance – E.U. Data Protection (CIPP; II.C.f.)
• Regulatory Authorities – U.S. Department of Commerce (CIPP; I.A.c.iii.)
• Children’s Online Privacy Protection Act of 2000; COPPA (CIPP/G; I.B.a.ii.)

A website operator must be concerned with COPPA compliance if:

• The website targets children under the age of 13 through its subject matter, audio/visual content, advertising or use of other child-oriented features.
• The website targets a general audience but has a separate child oriented section.
• The website targets a general audience and children under the age of 13 are known to access the site.
• The website is maintained outside the U.S. but targets children under the age of 13 in the U.S.
• The website is operated by the Federal Government. Under the Office of Management and Budget, the U.S. Federal Government is required to comply with COPPA on all of its websites targeting children

COPPA Compliance

COPPA primarily uses the fair information practice principles of Notice and Consent to protect children’s information.

In order to comply with COPPA, a website operator must:

1.  Provide parents with information about the website’s information collection and privacy practices. A privacy policy must be placed on the home page and on every page where data is collected in order to ensure adequate notice

2.  Obtain verifiable parental consent prior to collecting personal information

3.  Provide parents with a mechanism to access the information on record for their child and the ability to change consent options for future or third party use and disclosure

4.  Participation on the website may not be limited by requiring the collection of information that is not reasonably necessary

A COPPA compliant privacy notice must include:

1. Legitimate contact information for the website operator/data owner
2. The type of information that is collected
3. How the information will be use
4. Notice of any third party disclosure

Verifiable Parental Consent:

Depending on the information that is being collected and its intended use, different levels of parental consent must be obtained.

Prior parental consent is not required to collect a child’s name and email address only if:

• The information is obtained in order to provide notice to the parent or obtain parental consent
• The information is collected to respond once to a specific inquiry by the child and not used for further communications
• The information is used to ensure the safety of a child and is not used for any other purposes
• The information is used to protect the security of the website, protect against liability, participate in a law enforcement investigation or any other matters relating to public safety

In all cases, parental consent should be obtained shortly after the information is collected. If parental consent cannot be obtained, the information may not be used for purposes other than those outlined above and the information must be deleted (with exceptions for ensuring the safety of the child)

Parental Consent for Public Disclosure

If the website publicly links a child’s name or email address with their screen name in chat rooms, message boards, personal home pages, pen pal services or other similar social networking features they must obtain verifiable parental consent of public disclosure. This also applies to site which may disclose personal information to third parties for secondary uses and marketing purposes.

Consent options include:

• A printable form that can be signed then mailed or faxed back to the website operator
• Obtain a parent’s credit card information in connection with a transaction which may include subscription fees, purchases or a credit card processing fee.
• Provide a toll free line staffed by professionals to which parents may call and provide verbal consent
• Obtain consent through an email that contains a digital signature that uses a public key that has been verified by one of the above methods.

Parental Consent for Internal Use

If the website does not publicly disclose the child’s information either through disclosure to third parties or through the posting of information to chat rooms, message boards or similar features then the information will only be used within the site to contact the child.

Consent options include:

• Any of the methods used for public disclosure
• The Email Plus option in which:
  • An initial email is sent containing the privacy notice and asking the parent to respond with a phone, fax or mailing address to confirm consent through one of those methods; or
  • After a reasonable length of time has passed, a second email is sent asking for the parent to confirm consent. The privacy notice should again be included. This email informs the parent that their consent is implicit through their lack of response. The email should provide the the parent with information on how to revoke their consent.

Enforcement of COPPA

COPPA is enforced by the Federal Trade Commission and through the a state’s Attorney General’s Office under SEC. 1305. COPPA allows for the creation of Safe Harbor programs which encourages industry self regulations.

There are several online assurance programs that offer a COPPA compliant Safe Harbor Program including:

• TRUSTe
• The Children’s Advertising Review Unit
• The Entertainment Software Rating Board

Unlike other information privacy laws, the FTC has been diligent in enforcing COPPA. It has a history of investigating privacy complaints and taking action against website and companies violating the rule.

Summary

COPPA protects the privacy of personal information for children. It does not prevent children from accessing mature content. COPPA uses parental notice and consent to prevent the wrongful collection and misuse of children’t personal information. Any website that may be frequented by children under the age of 13, must comply with the COPPA ruling if personal information is collected.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• U.S. Public and Private Sector General Laws including COPPA (I.B.a.ii.)

http://twitter.com/link_click_count?url=http%3A%2F%2Fbit.ly%2F3omd6p&linkType=web&tweetId=3541772256&userId=12798452.

If you look at this link, it turns out that twitter is redirecting to bit.ly.  Apparently, these links previously were completely handled by bit.ly.  bit.ly is a “simple link shortener”, that “offers URL redirection service with real-time link tracking”.  In addition, it includes a complete history of links shortened. Why would Twitter look to track links when they have a perfectly working relationship with their URL redirection provider?

At 140 characters, tweets don’t provide much past commentary.  While you may update your location or time of arrival in such a small space, you won’t be writing War and Peace or unveiling details of the latest scientific finding.  You do use it to add a bit of social commentary to a YouTube video – “check this out, it’s funny”, or “shhh, don’t tell wifey” while sending a picture.

Tracking links fits in to the company’s long term goals, where Twitter will provide business services including market research and customer prospecting.   Information analysis only works when you hold the data. In order to provide some of the analytical services, such as which marketing tweets are promoting customer interest, Twitter will need to pull the bit.ly services in house.

Is collecting this information, and better still providing it to a third party outside a violation of a customer’s privacy?  We are not going to have the agreement between Twitter and bit.ly – they simply don’t publish those things.  However, we can examine selected passages from Twitter’s privacy policy to glean the types and uses of information they collect, and a bit of what they may transfer to 3rd parties including bit.ly.

Let’s delve a little deeper into Twitter’s privacy policy…

Selections from Twitter’s privacy policy

By using our Site you are consenting to our processing of your information as set forth in this Privacy Policy now and as amended by us. “Processing” means using cookies on a computer or using or touching information in any way, including, but not limited to, collecting, storing, deleting, using, combining and disclosing information,

Twitter may slice, dice and distribute any information you put into their system to anyone, anywhere.

all of which activities will take place in the United States. If you reside outside the U.S. your personally identifiable information will be transferred to the U.S., and processed and stored there under U.S. privacy standards. By visiting our Site and providing information to us, you consent to such transfer to, and processing in, the US.

Twitter is very clear that all information collected and processed occurs in the United States.  This allows citizens of the European Union and other like minded countries notice that they are opting in to monitoring and marketing – the protections afforded by local EU Data Protection Directive style laws will not apply.

Information Collection and Use

Our primary goals in collecting personally identifiable information are to provide you with the product and services made available through the Site, including, but not limited, to the Service, to communicate with you, and to manage your registered user account, if you have one.

“The Service” is quite broad, and likely includes provisions for third party tracking and marketing (i.e. bit.ly).  Obviously, when Twitter introduces their own business services, this will extend “the Service” definition.

Information Collected Upon Registration. If you desire to have access to certain restricted sections of the Site, you will be required to become a registered user, and to submit certain personally identifiable information to Twitter. This happens in a number of instances, such as when you sign up for the Service, or if you desire to receive marketing materials and information. Personally identifiable information that we may collect in such instances may include your IP address, full user name, password, email address, city, time zone, telephone number, and other information that you decide to provide us with, or that you decide to include in your public profile.

This section does imply that you must opt-in to receive marketing materials.  Obviously, anything placed on a public profile is not longer private, but apparently information it will not be disclosed.  Your user ID is not considered PII.

Additional Information Your full user name and your photo, if you decide to upload one … you may provide additional information in the profile section, including but not limited to your bio, your location, as well as your personal web site, if you have one. Providing additional information beyond what is required at registration is entirely optional, but enables you to better identify yourself and find new friends and opportunities in the Twitter system. If you activate the mobile phone options per the Terms of Service at www.twitter.com/tos, we will collect your cellular phone number account information. … If you contact us by email through the Site, we may keep a record of your contact information and correspondence, and may use your email address, and any information that you provide to us in your message, to respond to you.

Again, anything provided past the required registration username is optional, but will be recorded and associated with the non-identifiable information Twitter collects.

Use of Contact Information In addition, we may use your contact information to market to you, and provide you with information about, our products and services, including but not limited to our Service. If you decide at any time that you no longer wish to receive such information or communications from us, please follow the unsubscribe instructions provided in any of the communications.

This suggests an opt-out for marketing and additional product information.  This seems like it may be in conflict with the earlier opt-in statement.

Log Data When you visit the Site, our servers automatically record information that your browser sends whenever you visit a website (“Log Data” ). This Log Data may include information such as your IP address, browser type or the domain from which you are visiting, the web-pages you visit, the search terms you use, and any advertisements on which you click. For most users accessing the Internet from an Internet service provider the IP address will be different every time you log on. We use Log Data to monitor the use of the Site and of our Service, and for the Site”™s technical administration. We do not associate your IP address with any other personally identifiable information to identify you personally, except in case of violation of the Terms of Service

Here’s the part directly affecting bit.ly and the new click redirect service.  You do not own the clicks – Twitter will record your Log Data, and although not directly associated with your PII, your IP address could be put together with your user ID, which does not constitute PII.

Cookies

Like many websites, we also use “cookie” technology to collect additional website usage data and to improve the Site and our service…

Google recently faced scrutiny regarding their behavioral advertising using cookies, and Facebook’s Beacon program, which used a more nefarious technique, caused quite a stir late in 2008.

Information Sharing and Disclosure

Service Providers We engage certain trusted third parties to perform functions and provide services to us, including, without limitation, hosting and maintenance, customer relationship, database storage and management, and direct marketing campaigns. We will share your personally identifiable information with these third parties, but only to the extent necessary to perform these functions and provide such services, and only pursuant to binding contractual obligations requiring such third parties to maintain the privacy and security of your data.

This is where bit.ly (for now) comes in.   PII will be transferred, and the information updates will likely flow down to these third parties.  It does not mention anything regarding third parties updating Twitter’s information.

Business Transfers Twitter may sell, transfer or otherwise share some or all of its assets, including your personally identifiable information, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy. You will have the opportunity to opt out of any such transfer if the new entity’s planned processing of your information differs materially from that set forth in this Privacy Policy.

This is a big one.  The registered traveler program that allowed people to move through a special, faster line at the airports, hosted by the company Clear, went bankrupt. They want to sell the information they collected on users to the original parent company, Verified Identity Pass, or possibly a third party.  They are being fought tooth and nail by the users, for the simple fact that this is not just a user name, password and IP address or phone number.  Clear collected information such as Social Security Numbers, and even biometric info, like fingerprints and iris scans.  These data allowed Clear to perform such risk mitigation strategies as background investigations, criminal history checks and government watch list comparisons.  It is unclear what will happen to the data for users of Clear, but according to their privacy policy, the information may only be used for a similar registered traveler program.

Our Policy Towards Children

The Site is not directed to persons under 13. If a parent or guardian becomes aware that his or her child has provided us with personally identifiable information without their consent, he or she should contact us at privacy at twitter dot com. We do not knowingly collect personally identifiable information from children under 13. If we become aware that a child under 13 has provided us with personal identifiable Information, we will delete such information from our files.

Twitter, as well as any other online business, must follow the Federal Trade Commission’s COPPA, the Children’s Online Privacy Protection Act.  The idea being children will easily share much more information than necessary, potentially placing themselves in danger.

In all, Twitter’s well within their privacy policy and terms of service when sharing information.  Now, it’s just a question of how many people actually read it, or just skip it because it’s cool to be on Twitter.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Introduction to Privacy:  Privacy as a factor in business risk management (Foundations: I.C.a.i.2),  Elements of Effective Privacy Management (Foundations: I.G.b.i) and Threats & Vulnerabilities
• Online Privacy:  Cookies (III.B.g.i) and Web Beacons (III.B.g.ii)

A website operator must be concerned with COPPA compliance if:

• The website targets children under the age of 13 through its subject matter, audio/visual content, advertising or use of other child-oriented features.
• The website targets a general audience but has a separate child oriented section.
• The website targets a general audience and children under the age of 13 are known to access the site.
• The website is maintained outside the U.S. but targets children under the age of 13 in the U.S.
• The website is operated by the Federal Government. Under the Office of Management and Budget, the U.S. Federal Government is required to comply with COPPA on all of its websites targeting children

COPPA Compliance

COPPA primarily uses the fair information practice principles of Notice and Consent to protect children’s information.

In order to comply with COPPA, a website operator must:

1.  Provide parents with information about the website’s information collection and privacy practices. A privacy policy must be placed on the home page and on every page where data is collected in order to ensure adequate notice

2.  Obtain verifiable parental consent prior to collecting personal information

3.  Provide parents with a mechanism to access the information on record for their child and the ability to change consent options for future or third party use and disclosure

4.  Participation on the website may not be limited by requiring the collection of information that is not reasonably necessary

A COPPA compliant privacy notice must include:

1. Legitimate contact information for the website operator/data owner
2. The type of information that is collected
3. How the information will be use
4. Notice of any third party disclosure

Verifiable Parental Consent:

Depending on the information that is being collected and its intended use, different levels of parental consent must be obtained.

Prior parental consent is not required to collect a child’s name and email address only if:

• The information is obtained in order to provide notice to the parent or obtain parental consent
• The information is collected to respond once to a specific inquiry by the child and not used for further communications
• The information is used to ensure the safety of a child and is not used for any other purposes
• The information is used to protect the security of the website, protect against liability, participate in a law enforcement investigation or any other matters relating to public safety

In all cases, parental consent should be obtained shortly after the information is collected. If parental consent cannot be obtained, the information may not be used for purposes other than those outlined above and the information must be deleted (with exceptions for ensuring the safety of the child)

Parental Consent for Public Disclosure

If the website publicly links a child’s name or email address with their screen name in chat rooms, message boards, personal home pages, pen pal services or other similar social networking features they must obtain verifiable parental consent of public disclosure. This also applies to site which may disclose personal information to third parties for secondary uses and marketing purposes.

Consent options include:

• A printable form that can be signed then mailed or faxed back to the website operator
• Obtain a parent’s credit card information in connection with a transaction which may include subscription fees, purchases or a credit card processing fee.
• Provide a toll free line staffed by professionals to which parents may call and provide verbal consent
• Obtain consent through an email that contains a digital signature that uses a public key that has been verified by one of the above methods.

Parental Consent for Internal Use

If the website does not publicly disclose the child’s information either through disclosure to third parties or through the posting of information to chat rooms, message boards or similar features then the information will only be used within the site to contact the child.

Consent options include:

• Any of the methods used for public disclosure
• The Email Plus option in which:
  • An initial email is sent containing the privacy notice and asking the parent to respond with a phone, fax or mailing address to confirm consent through one of those methods; or
  • After a reasonable length of time has passed, a second email is sent asking for the parent to confirm consent. The privacy notice should again be included. This email informs the parent that their consent is implicit through their lack of response. The email should provide the the parent with information on how to revoke their consent.

Enforcement of COPPA

COPPA is enforced by the Federal Trade Commission and through the a state’s Attorney General’s Office under SEC. 1305. COPPA allows for the creation of Safe Harbor programs which encourages industry self regulations.

There are several online assurance programs that offer a COPPA compliant Safe Harbor Program including:

• TRUSTe
• The Children’s Advertising Review Unit
• The Entertainment Software Rating Board

Unlike other information privacy laws, the FTC has been diligent in enforcing COPPA. It has a history of investigating privacy complaints and taking action against website and companies violating the rule.

Conclusion:

COPPA protects the privacy of personal information for children. It does not prevent children from accessing mature content. COPPA uses parental notice and consent to prevent the wrongful collection and misuse of children’t personal information. Any website that may be frequented by children under the age of 13, must comply with the COPPA ruling if personal information is collected.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• U.S. Public and Private Sector General Laws including COPPA (I.B.a.ii.)