Initially I did not see a privacy issue with t.co But, having thought more about Twitter forcing us to use the t.co link as the first-hop destination, I believe there are some potential privacy issues that need to be clarified.
1) Normally you need to specify in your service or product's privacy policy that you are doing click tracking and other individual or aggregate data collection. How does t.co affect your privacy policy when you knowingly divert a user to an intermediary service (Twitter) that collects data, without the user knowing about the collection or having an opportunity to read and agree to the privacy policy of Twitter? Many clicks will come from people who do not use Twitter or do not have a Twitter account. 2) When you display anchor text of http://cnn.com but send the user to http://t.co/xxxxxx when they click the anchor text, isn't that deceptive? The user expects to be sent directly to CNN.com, as inferred by the anchor text, and not to an intermediary service that the user has no knowledge of what that service is going to do or collect. This goes hand in hand with 1) above.