CIPEATone

Consumer Internet Privacy enhancement Act

COPPA for Big People

What Is This Page?

This page is a discussion of CIPEA, the Consumer Internet Privacy enhancement Act and how my site's privacy policies and notices comply with this proposed law.

This page provides the notices required by CIPEA. All of these notices are also provided on my Privacy Statement page. But this CIPEApage presents them in a slightly different order and a slightly different form.

Other Privacy Pages On My Site

General Privacy Page

The general privacy page provides an overview of all of my privacy policies. Although it is lengthy and thorough, I still think it is easy to read. You might even find a bit of humor if you look for it.

It also provides links to my specific privacy pages including:

• My CIPEAdisclosure page
• My COPPA disclosure page
• My OECDdisclosure page

COPPA Cabana

I have created a COPPA Privacy Disclosure page (which I call COPPA Cabana) to provide the notices required by COPPA (Children's Online Privacy Protection Act) related to information practices of this site regarding personal information and privacy of children. This page also provides background and impact information regarding COPPA and links to other articles and resources for COPPA.

OECDPrivacy Statement

A long, long time ago, on 23.Sep.1980, the Organization for economic Co-operation and Development, (OECD), issued Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

(Did you notice that date? 1980!! Privacy issues are not new.)

Recently OECDcreated the OECDPrivacy Statement Generator to help organizations create privacy statements to post on websites.

I have created an OECDPrivacy Disclosure page (which I call OECDPrivacy-D) to stipulate how this site complies with the seven privacy principles.

All of the disclosures on the OECDPrivacy-D page are duplicates of disclosures on my privacy page, but they have been "organized" according to the structure of the OECDPrivacy Principles. This page also provides background and impact information regarding the OECDPrivacy Guidelines links to other resources for the OECDPrivacy Guidelines.

What is CIPEAor the
Consumer Internet Privacy enhancement Act?

On Wednesday, 26.Jul.2000, Senators Spence Abraham, John McCain and John Kerry introduced the Consumer Internet Privacy enhancement Act. This proposed legislation is a long way from a law. However, my site complied on the day this legislation was introduced.

I created and posted this page within a week of the introduction of this new law. I've revised it since, but I like to think it was one of the very first CIPEAcompliance pages on the net.

The article on IDG.net describes the bill:

Under the provisions of the bill, Web sites would have to divulge how they plan to use consumers' personal data collected from Net surfers.

The bill would require companies to describe exactly who is collecting the information, how the information will be used, the types of information collected and whether personal information is required to use the site. The Web sites also would have to take steps to secure the personal information once it's in their databases.

The bill will also require Web sites to provide consumers with a clear opportunity to limit the use and disclosure of personal information for marketing purposes.

Anyone who violates the privacy provisions would face a civil penalty of US$22,000 per violation up to a maximum amount of $500,000.

I call CIPEA, "COPPA for Big People".

When Did CIPEAHappen?

It didn't yet.

The bill was introduced on 26.Jul.2000. As of this writing it is not yet a law.

If It Isn't Yet a Law,
Why Am I Writing About It?

There are several reasons:

1. It helps me to understand the law,
2. It may help others to understand the law,
3. It may help others to see how easy it is to comply, and
4. It helps reinforce my commitment to privacy.

Where Can I See the Text of CIPEA?

This page, on the Thomas site of the Library of Congress, provides the text of the act, as well as a link to the Government Printing Office's PDF version of the bill and the status of the bill. Click here.

What Sites Does CIPEAApply To?

CIPEAapplies to

1. commercial websites
    
2. that collect "personally identifying information".

What Does CIPEARequire?

If CIPEAapplies, the website operator must:

1. post a prominent notice on the website regarding privacy policies
    
2. identify the operator of the website and the identity of any third parties permitted to collect identifiable information from site visitors
    
3. list the types of information collected
    
4. describe the uses of the information
    
5. describe the potential users of the information
    
6. describe the requirements to disclose the information and the consequences of nondisclosure
    
7. describe the steps the operator takes to protect the information
    
8. describe the process to limit use of the information

What Is "Personally Identifiable Information"?

The bill defines "personally identifiable information"

The term "personally identifiable information" means individually identifiable information about an individual collected online, including

(A) a first and last name, whether given at birth or adoption, assumed, or legally changed;

(B) a home or other physical address including street name and name of a city or town;

(C) an email address;

(D) a telephone number;

(e) a Social Security number; or

(F) unique identifying information that an Internet service provider or operator of a commercial website collects and combines with any information described in the preceding subparagraphs of this paragraph.

Interestingly enough, one item of "personally identifiable information" that is not included is the URL of an individual's website! (This was also true of COPPA, both in the law and in the implementing regulations.) It seems that no one considers that site visitors might have their own websites.

In addition to all the information described above, this website considers the URL of a site visitor to also be "personally identifiable information".

Is This Site, The Refrigerator Door, Affected?

That is a good question. And there is no simple answer. As I discussed above, I would only be affected if I fit both of the two criteria:

1. If this is a commercial website, and
    
2. If I collect "personally identifying information".

Is This a "Commercial" Website?

Consider again the language from the law:

The term "operator" of a commercial website (A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service,

I use this site to promote my professional speaking business. I use this site to promote my consulting business. I use this site to host my resume. I use this site to obtain thirty cents of revenue when you sign up for some newsletters on my Links page. I link to booksellers and participate in their affiliate program to receive some revenue if people buy a book.

Although making money is not the primary purpose of this site, I wouldn't want to argue in a court of law that I am not commercial.

And, I am not a not-for-profit organization, so I'm going to presume I am covered.

What Does "Collect" Mean?

The act says:

The term "collect" means the gathering of personally identifiable information about a user of an Internet service, online service, or commercial website by or on behalf of the provider or operator of that service or website by any means, direct or indirect, active or passive, including

(A) an online request for such information by the provider or operator, regardless of how the information is transmitted to the provider or operator;

(B) the use of an online service to gather the information; or

(C) tracking or use of any identifying code linked to a user of such a service or website, including the use of cookies.

What "Personally Identifiable Information" Does This Site Collect?

I offer three opportunities for people visiting my site to give me "personally identifiable information":

1. Anyone can email me and tell me anything they want. Their email would include their email address. And it might include other "personally identifiable information".
    
2. Anyone can sign up for my email/ezine lists (e.g.,  Snippets and TestZine), giving me their email address (which is "personally identifiable information")
    
3. Anyone can sign my Guestbook, telling me anything they want (including "personally identifiable information").

I also collect information through the webserver, but that information is not "personally identifiable information" for the purposes of CIPEA.

Cookies

I don't use cookies. Period.

Children's Data

I don't knowingly collect data from children. I use simple tools to discourage disclosure by children. And, if I discover personal data from children, I delete it. For more information, see my COPPA Cabana page.

What Does CIPEARequire of This Site?

General Requirement 1
I must provide notice on this website of the privacy policies of this site.

General Requirement 2
I must provide an opportunity to limit use and disclosure of "personally identifiable information" that is (a) easy to use, (b) easily accessible, and (c) available online.

In the sections below, I will review each of these requirements and how I comply with these requirements.

General Requirement 1

I must provide notice on this website of the privacy policies of this site.

CIPEArequires that I post a notice. That notice is my Privacy Statement page. Also, this page (CIPEATone) duplicates that notice.

Notice Requirement 1
The notice must be clear, conspicuous, and easily understood.

Notice Requirement 2
I must disclose the identity of the operator of this website and of any third party I knowingly permit to collect "personally identifiable information" from users through the website, including the provision of an electronic means of going to a website operated by any such third party.

Notice Requirement 3
I must list the types of "personally identifiable information" that may be collected online and the categories of information I may collect in connection with the user's visit to the website.

Notice Requirement 4
I must describe how I use such information, including a statement as to whether the information may be sold, distributed, disclosed, or otherwise made available to third parties for marketing purposes.

Notice Requirement 5
I must describe the categories of potential recipients of any such "personally identifiable information".

Notice Requirement 6
I must disclose whether the user is required to provide "personally identifiable information" in order to use the website and any other consequences of failure to provide that information.

Notice Requirement 7
I must generally describe what steps I take to protect the security of "personally identifiable information" collected online.

Notice Requirement 8
I must describe the means by which a user may elect not to have the user's "personally identifiable information" used by the operator for marketing purposes or sold, distributed, disclosed, or otherwise made available to a third party.

Notice Requirement 9
I must disclose the address or telephone number at which the user may contact the me about my information practices and also an electronic means of contacting me.

Notice Requirement 1

The notice must be clear, conspicuous, and easily understood.

I have had the notice reviewed by colleagues to confirm that it is clear and understandable. I have worked to ensure that it is complete, and in compliance with both the letter and the spirit of the (proposed) law. (If there are ever implementing rules, I'll make sure it complies with those as well.) I have even included additional explanatory and supplementary material related to CIPEA.

As far as conspicuous, the link to my Privacy Statement page appears at the bottom of (almost) every page of this site and is clearly labeled as a privacy notice.

And, once you get to my Privacy Statement page, the link to this CIPEATone page is prominent. (So is the link to my COPPA Cabana page.)

Notice Requirement 2

I must disclose the identity of the operator of this website and of any third party I knowingly permit to collect "personally identifiable information" from users through the website, including the provision of an electronic means of going to a website operated by any such third party.

I am the only operator.

The information required by the notice is: 

James S. Huggins
Attn: Privacy Mail Stop 9912
1814 Plumbwood Way, Suite 1824
Houston, Texas 77058-2327

281 . 488 . 0552

I also have a specific email for CIPEArelated inquiries

This same information is fully disclosed on my Privacy Statement page.

Notice Requirement 3

I must list the types of "personally identifiable information" that may be collected online and the categories of information I may collect in connection with the user's visit to the website.

Now, my first question is

what is the difference between types and categories?

I'm certain I don't know the difference. But I do disclose exactly what I collect from people.

I collect "personally identifiable information" in three ways:

• My email/ezine lists (e.g.,  Snippets and TestZine),
   
• This site's Guestbook, and
   
• Anything you disclose in an email to me

In addition, I collect information that is not "personally identifiable information" in one additional way:

• My webserver 

even though the webserver information is not considered "personally identifiable information" I discuss it on this page for completeness.

(And, I disclose all this same information on my Privacy Statement page.)

Information Collected By the Webserver

If you visit this site, the webserver will automatically collect:

• your current TCP/IP address
   
• The URL of the page that referred you to my site (this is called "referrer information")

Information Collected for My email/ezine Lists

When you join any of my email/ezine lists (e.g., Snippets and TestZine), I keep your email address (because it really wouldn't make much sense to have an email/ezine list if I didn't keep your email address).

And I keep information necessary to provide an audit trail in order to comply with the CAN-SPAM Act of 2003.

Here is a list of Subscription Information that I keep for all email/ezine lists I host on my site using my Gammadyne Mailer system:

Personal and Status Information

• Subscriber ID
  (your unique code assigned by the system)
• Subscriber Status
  (whether you are subscribed or not; when you unsubscribe I mark you as unsubscribed, but keep you in the system to show history)
• Subscriber Name
  (if you give me your name, I keep it; otherwise I have only your email address)
• email address
• Date/Time of the subscription request

Current Issue Information

• Sent status
  (whether the current issue has been sent yet)

Subscription Process Information

• Date/time of the original subscribe request
• Date/time of the last subscribe date/time
• email address used for the subscription request
• IP Address used for the subscription request
• Whether the subscription came via web or email
• Date/time of the subscription confirmation
• Email Addressused to confirm subscription
• IP Address used to confirm the subscription

Unsubscription Process Information

• Date/Time of an unsubscription request
• email address specified for the unsubscription
• Whether the unsubscription came via web or email
• Date/Time of the unsubscription confirmation
• Email Addressused to confirm unsubscription
• IP Address used to confirm the unsubscription
• Unsubscribe reason
  (e.g., by your request, because of bounces)

Pending Confirmation Information

• Number of Confirmation Reminders sent
• Date/Time of the Last Confirmation Reminder sent

Miscellaneous Information

• Date/Time of last action on the subscription
• Number of bounces detected
• Administrative notes

NB: I am able to keep this information because the Gammadyne Mailer lets me customize the database and program special functions.

ezinePrivacy.org

I follow the Core Principles of ezine Privacy from ezinePrivacy.org. I defend the privacy of ezine subscribers and never track personal information, like when you open my ezine and whether you forwarded it to a friend.

Information Collected Through My Guestbook

If you sign my Guestbook, the Guestbook will show whatever information you leave. If you leave me your email address, it will show your email address. If you leave your name, it will show that. If you leave the URL of your website, it will show that. If you leave your name, your dog's name and your birthday, it will show that.

In addition, it will show the TCP/IP address you use to post as well as information your browser supplies about the browser.

Information Collected Through email to Me

If you send me an email, I will have your email address as well as anything else you tell me.

Notice Requirement 4

I must describe how I use such information, including a statement as to whether the information may be sold, distributed, disclosed, or otherwise made available to third parties for marketing purposes.

I disclose all of this. For example, in Notice Requirement 3 (above) I described how I use all this information.

As far as whether I would give it to third parties, let me quote from my Privacy Statement page:

I don't share information. I keep any information you disclose absolutely private. This does not apply of course to the Guestbook. Information disclosed there is shared with the whole world. But that is the whole point of a Guestbook, isn't it.

Notice Requirement 5

I must describe the categories of potential recipients of any such "personally identifiable information".

The only information I share with third parties is your Guestbook information. I share that with "the whole world". I think that pretty much sums it up.

Notice Requirement 6

I must disclose whether the user is required to provide "personally identifiable information" in order to use the website and any other consequences of failure to provide that information.

I disclose this fully on my Privacy Statement page. I reiterate here, verbatim:

email/ezine List Information

If you don't give me your email address, I won't be able to email you. But there are no other consequences. I do not require disclosure of that information to browse my site.

Guestbook Information

If you don't sign my Guestbook, the whole world won't see your personal information. But there are no other consequences. I do not require disclosure of that information to browse my site.

email Information

If you don't write me an email, nothing bad happens. There are no other consequences. I do not require disclosure of that information to browse my site.

Notice Requirement 7

I must generally describe what steps I take to protect the security of "personally identifiable information" collected online.

Let me again quote my Privacy Statement page:

This site has security measures in place to protect the loss, misuse and alteration of the information under our control.

For example, my Internet Presence Provider provides userid and password access control to all web captured information (TCP/IP address information). Also, I am the only one with access to my email/ezine lists (e.g.,  Snippets and TestZine).

Notice Requirement 8

I must describe the means by which a user may elect not to have the user's "personally identifiable information" used by the operator for marketing purposes or sold, distributed, disclosed, or otherwise made available to a third party.

I completely disclose these on my Privacy Statement page. I reiterate here, in summary:

email/ezine Information

Unsubscribe using any of the disclosed techniques.

Guestbook Information

Write me and I'll remove your entry.

email Information

There aren't options here because I don't use this information for marketing purposes and I don't make it available to third parties.

Notice Requirement 9

I must disclose the address or telephone number at which the user may contact the me about my information practices and also an electronic means of contacting me.

I fully disclose these on my Privacy Statement page and also on this page (CIPEATone) above under Notice Requirement 2.

General Requirement 2

I must provide an opportunity to limit use and disclosure of "personally identifiable information" that is (a) easy to use, (b) easily accessible, and (c) available online.

I do this. The disclosures on my Privacy Statement page and on this page (CIPEATone) clearly disclose all of this. And, the opportunities are easy to use, easily accessible and available online.

This Law Seems Similar to COPPA.
How Similar Is It?

It is very similar. A comparison of the language will reveal substantial similarities.

That's one of the reasons I call CIPEA"COPPA for Big People".

Also, if you compare my COPPA Cabana page to this page, you will see the similarities.

Such similarities should be expected. Both bills were introduced by Senator McCain.

Links On My Site

Privacy Statement: All the privacy disclosures for my site.  ««»»

COPPA Cabana: Information about and disclosures related to the Children's Online Privacy Protection Act (COPPA).  ««»»

OECDPrivacy-D: Information about and disclosures related to the OECDPrivacy Principles.  ««»»

Links Across the Net

Last updated:
13:38, Sat, 12.May.2012