The EU-US Safe Harbor framework was developed to facilitate the cross-border transmission of information, as well as ensure high standards of privacy protection. This article explores the implementation of these principles in context of the Children’s Advertising Review Unit (CARU) Safe Harbor Program.
Safe Harbor in a nutshell
During October 1998, the European Commission’s Directive on Data Protection was enacted, prohibiting the transfer of personal data from European Union (EU) member states to non-EU nations that did not meet the privacy protection standard. In order to facilitate the transfer of information between EU-based organizations and US-based organizations, the Safe Harbor framework was developed.
US-based organizations may qualify for Safe Harbor statues in two different ways. They may join self-regulatory privacy programs following the requirements of Safe Harbor. Alternatively, they may choose to develop organization-specific self-regulatory privacy policies, in line with the requirements of Safe Harbor.
What is CARU?
In 1974, the Children’s Advertising Review Unit (CARU) was created in order to promote responsible advertising to children. CARU was developed as a component of a strategic alliance amongst the major US advertising trade associations, including the American Association of Advertising Agencies (AAAA), American Advertising Federation (AAF), Association of National Advertisers (ANA) and the Council of Better Business Bureaus (CBBB).
CARU is in charge of children’s advertising issues within the advertising industry’s self-regulation program. It assesses the truthfulness, accuracy and consistency of child-directed advertising and assists advertisers in dealing with child audiences responsibly. CARU does so by advancing compliance with its Self-Regulatory Guidelines for Children’s Advertising, the Children’s Online Privacy Protection Act of 2000 (COPPA) and other relevant laws.
The CARU Safe Harbor Program
As of January 2001, the CARU self-regulatory program was approved as Safe Harbor-compliant, under the Children’s Online Privacy Protection Act (COPPA). It was also the first such program to the FTC-approved. Organizations that comply with CARU Guidelines are also in compliance with the COPPA, thus insulated from FTC enforcement action.
Compliance with CARU’s Safe Harbor Program is dependent on the following elements:
• Adhering to the requirements in the CARU Safe Harbor Compliance Checklist
• Compliance with the CARU Self-Regulatory Guidelines for Children’s Advertising
• Review by CARU staff of the web site’s information practices; completion of Initial Website Review & Seeding form
• Continuous monitoring of web site by CARU staff to ensure compliance with the Safe Harbor framework
• Completion of CARU Self-Assessment Form and Attestation by Safe Harbor participant
CARU Safe Harbor Compliance Checklist
This checklist makes up a critical component of the Safe Harbor compliance, as discussed above. The checklist includes the Safe Harbor principles and is specific to web sites advertising to child audiences. The following elements are on the CARU Safe Harbor Compliance Checklist:
1. Provide notice
2. Obtain verifiable parental consent
3. Limit collection, use and disclosure of personal information collected from children
4. Provide access upon verification of parental identity
5. Maintain reasonable security
The elements of the checklist are explored in greater detail below:
1. Provide Notice
In accordance with the Safe Harbor principles, privacy notices should be clearly written and easily understandable. They should not contain irrelevant, confusing or contradictory statements. There are two different types of notices that are required of CARU Safe Harbor participants: a Notice of Information Practices and a Direct Notice to Parents.
• Name, address, phone number and email of the operators responsible for the collection and maintenance of personal information collected from children through the site.
• Types of personal information that is collected from children.
• Identification of the means of collection of the information (i.e. directly or passively).
• How the personal information is being used, or will be used.
• If the personal information will be disclosed to third parties. If this is being done, then the notice must state the types of businesses in which third parties are engaged; the purpose of such personal information; and if the third parties are committed to maintaining the security and confidentiality of the information collected.
• An option for the parent to agree to the collection and use of the child’s information, that is not dependent on consent for disclosing information to third parties.
• The child cannot be required to disclose more information than reasonable necessary to participate in the web site activities.
• The parent has the right to review the child’s personal information, request that it be deleted, and prevent any further collection or use of the personal information.
• Procedures for the parent to review or delete their child’s personal information and prevent ongoing use or disclosure.
The Direct Notice to Parents must include the following information:
• The same information stated in the Notice of Information Practices (as listed above).
• The web site operator wishes to collect personal information from the child.
• Request for the parent’s consent to collect this personal information. This consent is required for the collection, use and disclosure of personal information.
• Methods for providing parental consent.
2. Obtain Verifiable Parental Consent
Web site operators are obliged to obtain verifiable parental consent before the collection, use or disclosure of children’s personal information. Such consent may be obtained in the following ways:
• When personal information is being collected for internal use only. In this case, email may be used to obtain parental consent. This also requires the additional steps of a follow-up email, letter or phone call to verify the consent. This method was used prior to April 21, 2002.
• When personal information is being made publicly available, such as in a chat room, message board, personal home page, profile, or email account. OR, when personal information is being disclosed to third parties.
In such cases, website operators are obliged to employ a more reliable means of securing parental consent. This may include: (a) A form with a parent’s signature through postal mail or fax; (b) A credit card number in connection with a transaction; (c) A toll-free phone number managed by trained personnel; (d) Email consent in conjunction with a digital signature from a parent; (e) Email consent in conjunction with a PIN or password; (f) Consent through a CARU-approved method. After April 21, 2002, only these methods were acceptable for securing parental consent.
3. Limit Collection, Use and Disclosure of Personal Information Collected from Children
Web site operators are prohibited from conditional a child’s participate on the basis of disclosing more personal information than is reasonably necessary to participate. The collection of personal information from a child ought to be limited to that which is reasonable for participation. For instance, a web site operator cannot offer a prize for greater disclosure of personal information. Parents should also be given the option to consent to the collection and use of their children’s personal information. They should also be permitted to prevent disclosure of such information to third party affiliates.
4. Provide Access upon Verification of Parental Identity
Upon parental request, web site operators are obliged to disclose both the type of information collected from children and the specific information that has been collected. Parents are permitted, at any time, to refuse further use or future collection of personal information from their child. They can also ensure the deletion of their child’s personal information. However, before this happens, operators must verify the identity of the parent in the same methods used for securing parental consent (i.e. those listed in “2. Obtain Verifiable Parental Consent”).
5. Maintain Reasonable Security
Web site operators are obliged to create and implement reasonable mechanisms for protecting the confidentiality, security and integrity of children’s personal information. Examples of such mechanisms include:
• Appropriately destroying unnecessary personal information.
• Limiting employee access to personal information.
• Ensuring physical security of servers.
• Encrypting data during transmission.
• Using firewalls.
This article looks at the EU-US Safe Harbor framework in light of the CARU Safe Harbor Program, which aims to protect children’s online privacy and meet the requirements of the COPPA (Children’s Online Privacy Protection Act). The CARU program is partially based on the Safe Harbor Compliance Checklist. This checklist is made of the following five elements: (1) Provide Notice; (2) Obtain Verifiable Parental Consent; (3) Limit Collection, Use and Disclosure of Personal Information Collected from Children; (4) Provide Access upon Verification of Parental Identity; and (5) Maintain Reasonable Security.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional (CIPP) exam; the Certified Information Privacy Professional/Canada (CIPP/C) exam; the Certification Foundation (Foundations) exam; and the Certified Information Privacy Professional/Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:
• E.U. Data Protection Directive (95/46/EC) (Foundations: I.D.a.ii.2.)
• E.U. Data Protection Directive – Safe Harbor Status (CIPP/C; II.A.b.iii.)
• International Data Transfers (CIPP; II.C.e.)
• Multinational Compliance – E.U. Data Protection (CIPP; II.C.f.)
• Regulatory Authorities – U.S. Department of Commerce (CIPP; I.A.c.iii.)
• Children’s Online Privacy Protection Act of 2000; COPPA (CIPP/G; I.B.a.ii.)