EXECUTIVE SUMMARY
SPAM IS A BUSINESS PROBLEM companies
now must address because of domestic and
international laws. Companies need to
adopt Internet marketing privacy policies
to comply with various privacy and spam
regulations. CPAs can use the AICPA/CICA
Privacy Framework to help organizations
accomplish these goals.
THE AICPA/CICA PRIVACY FRAMEWORK is based on privacy
laws and regulations of jurisdictions
around the world. It includes 10
components and related criteria that are
essential for businesses to properly
protect and manage personal information.
THE FRAMEWORK'S CRITERIA
GIVE COMPANIES guidance in
defining, documenting, communicating and
assigning accountability for their privacy
policies. The privacy notice criteria
advise organizations on giving consumers
notice of their privacy policies and
procedures and on explaining how they collect,
use, retain and disclose personal
information.
COMPANIES CAN FIND GUIDANCE to
help them in giving individuals access to
their personal information so they can
review and update it. In the same way,
they can use the quality criteria to help
them maintain accurate, complete and
relevant personal information.
CPAs WILL FIND THEY CAN USE
THE PRIVACY framework to help
clients and employers comply with the
various privacy regulations that are
emerging worldwide as well as with e-mail
and spam laws.
SAGI LEIZEROV, PhD, is a manager
in Ernst & Young LLP's
technology and security risk services in
McLean, Virginia. He also is a member of
the AICPA/CICA privacy task force that
created the framework. His e-mail address
is sagi.leizerov@ey.com.
Companies that market their products and services
through e-mail face a new challenge: the need
to comply with privacy and spam (often defined as
unsolicited bulk e-mail) regulations. Those that
invest in building and preserving consumer trust
cannot afford to ignore these laws for two
primary reasons: the possibility of consumer
alienation and the risk of breaking privacy laws,
thus incurring penalties. This article explains
how CPAs can help implement e-mail programs that
reduce compliance risks by using the privacy
framework developed jointly by the AICPA and the
Canadian Institute of Chartered Accountants
(CICA).
The AICPA/CICA Privacy
Framework provides criteria for protecting the
privacy of consumer information. It incorporates
concepts from significant domestic and
international privacy laws, regulations and
guidelines. In this article CPAs will learn how
to apply the framework to create privacy- and
compliance-based e-mail programs.
Spam Spreads
Data from a national survey
of consumers suggested spam is beginning
to undermine the integrity of e-mail and
to degrade the online experience.
Some 25% of e-mail users said
the ever-increasing volume of spam has
reduced their overall use of e-mail.
With the increasing use of
filtering devices, 23% were concerned the
e-mails they send may be blocked.
A significant number of
e-mail users (80%) were bothered
by the deceptive or dishonest content of
spam, with 76% bothered by its offensive
or obscene material.
Some 62% said their employers
used filters to block spam from their
work e-mail accounts.
Source: Pew Internet &
American Life Project, Washington, D.C., www.pewinternet.org, 2004.
NEW COMPLIANCE RULES
The emergence of
spam-related regulations (the U.S.
Controlling the Assault of Non-Solicited
Pornography and Marketing (CAN-SPAM) Act of 2003
and the EU Directive on Privacy and
Electronic Communications, implemented with
country-specific variations in the 25 European
Union (EU) countries) has cast a wide net of
compliance over the use of e-mail for commercial
purposes. The rules affect any company that
advertises its products or services in any e-mail
message. In other words they apply whether you
are a spammer sending thousands of e-mails to
complete strangers with attractive propositions
for remortgaging their home or a firm contacting
a long-time client about a new service. CPAs
should be clear on one important point: Although
spam often is associated with mass distribution,
unscrupulously obtained lists and shady offers,
the scope of the regulations companies now face
in the United States and the EU covers even a
single e-mail a legitimate company sends to a
single business acquaintance or customer.
THE FRAMEWORK CAN HELP
To avoid incurring
regulatory penalties companies must apply
specific and elaborate privacy controls to the
commercial distribution of e-mail. The AICPA/CICA
Privacy Framework is a tool CPAs can use to help
entities effectively meet this challenge.
Accountants in both industry
and public practice can use the framework to
guide organizations in developing their e-mail
privacy policies. They are in a unique position
to provide services that will help companies
design, implement, maintain and evaluate their
e-mail privacy programs. Such programs will help
organizations to
Mitigate privacy-related
risks such as those raised by spam.
Protect valuable business assets.
Preserve brand and reputation.
Maintain customer loyalty.
The framework contains 10
components that are essential to the proper
protection and management of customers
personal information. In addition to helping
provide companies guidance in implementing
privacy programs, the framework also can be
viewed more narrowly as a foundation for managing
the commercial use of e-mail. The components are
based on internationally known fair-information
practices included in the privacy laws and
regulations of jurisdictions around the world and
in common privacy practices. They are
Management.
Notice.
Choice and consent.
Collection.
Use and retention.
Access.
Disclosure to third parties.
Security.
Quality.
Monitoring and enforcement.
For each component the
framework provides relevant, objective, complete
and measurable criteria CPAs can use to evaluate
an entity's privacy policies, communications,
procedures and controls and to provide
value-added services around them.
LAWS ON E-MAIL USE
In recent years governments worldwide have passed
regulations in an attempt to curb, if not
completely eliminate, spam. CPAs can use each of
the frameworks components and their
criteria to help entities create privacy policies
and specific details for managing and
implementing controls. We'll explain each
component below and show how its criteria can be
applied to the related privacy challenge in using
e-mail.
Management. Privacy
management is critical for commercial e-mail
communications. Companies executing online
marketing campaigns must implement controls over
a variety of aspects, from identifying the
appropriate target audience in their databases to
complying with regulatory requirements such as
subject-line guidelines and related statements in
the body of an e-mail message, to ensuring that
tracking systems used to monitor the campaign are
in line with the company's privacy policy
and regulatory requirements and effectively
implementing consumer requests for exclusion from
future messages. Both U.S. and EU regulations
stress the importance of this last point. Using
the framework's management criteria, CPAs
can provide companies with the means to define,
document, communicate and assign accountability
for their privacy policies and procedures.
Notice.
At a time when spam is rampant, the
transparency provided by a clear notice of
practices is instrumental in building trust with
customers. On the Web, where many consumers first
sign up to receive e-mail messages, posting both
a complete privacy policy and a short statement
about the company's practices can go a long
way toward reassuring consumers. The law requires
that a privacy statement about the choices
available to a recipient be embedded in the
e-mail message along with clear identification
and contact information. CPAs can suggest
companies augment this with a link to their
complete privacy policy. The notice
components criteria provide guidance on
creating transparency about privacy policies and
procedures and identifying the purposes for which
a company collects, uses, retains and discloses
personal information.
Choice and consent.
Choice is the key criterion. An important
distinction between the EU and U.S. rules is that
in Europe individuals must expressly request to
receive e-mails (referred to as "opt
in") while in the United States they must
express their desire to be dropped from an e-mail
list (referred to as "opt out"). CPAs
need to make a company aware of the distinctions
between the two approaches so it can successfully
respond to consumer wishes and purge the e-mail
addresses of individuals who opt out. Although
U.S. mailing lists are based on an opt-out model,
best practices call for the express-consent
(opt-in) approach for commercial communications.
CPAs should help companies put appropriate
controls in place to ensure they properly execute
consumer instructions. The criteria attached to
this component help a CPA explain the choices
available to the individual and how companies can
obtain implicit or explicit consent concerning
the collection, use, retention and disclosure of
personal information.
Collection. The
data a company collects about individuals serve
an important marketing function in successfully
targeting its messages to customers. However,
companies must balance commercial opportunities
with regulatory compliance. When purchasing
mailing lists, for example, they should verify
that vendors' assertions about the choices
offered to the customer coincide with company
policies. When adding names to a database,
companies should provide consumers clear notice
and give them the opportunity to limit future
communications. The collection component's
criteria present guidelines for ensuring an
entity collects personal information only for the
purposes identified in the notice.
PRACTICAL TIPS TO REMEMBER
CPAs in
both industry and public practice
can use the AICPA/CICA Privacy
Framework to help organizations
design and implement programs to
protect personal client
information and enable companies
to protect themselves against
accusations of
spamming.
To augment
the privacy statement the law
requires senders to embed in an
e-mail message, CPAs should
recommend companies include in
their messages a link to their
complete privacy policy.
U.S. rules
require that individuals
opt out before
companies must remove them from
e-mail lists; CPAs should
recommend companies follow best
practices and use an
opt-in approach for
commercial communications.
It's also important to make
certain organizations have
appropriate controls in place to
properly execute consumer
requests to be excluded.
To limit
regulatory compliance exposure,
CPAs should encourage companies
to implement monitoring and
enforcement policies for all
commercial e-mail communications.
This type of policy also will
mitigate the risk of having the
message blocked or filtered.
Use and retention. The regulations have
set limits on how businesses can use
consumers' contact information and how long
they can retain it (retention periods vary by
country). Accurately establishing the target
market group is key to avoiding regulatory
compliance risks. CPAs should remember that
companies are not shielded from responsibility if
they outsource their communication services to
third parties. Using the criteria in this
component of the framework enables a company to
limit the use of personal information to the
purposes identified in its privacy
notice (those for which the individual has provided
consent), and for only as long as necessary to
fulfill the stated purposes.
Access. Regulations
require senders to include a mechanism for
stopping further communications in the body of an
e-mail. However, that device might not enable
consumers to communicate in detail the
limitations they want on a firms e-mails to
them (for example, to limit these to only certain
messages), nor change their e-mail addresses.
U.S. best practices call for companies to give
consumers reasonable access to their information;
in the EU this requirement is much broader, and
it is not optional. The access criteria set
standards for allowing individuals to review and
update their personal information, an important
foundation for maintaining quality data.
Disclosure.
CPAs should encourage companies to carefully
scrutinize policies on sharing consumer lists
with affiliates and third parties and put
appropriate controls in place to ensure they do
not take advantage of consumer consents by
sharing personal information excessively to
capitalize on short-term business opportunities.
Companies shouldn't ruin the trust their
customers have in them by making a quick profit
selling or distributing personal information to
third parties. If a company inappropriately
discloses mailing lists (such as users of a
certain medication or those interested in a
sensitive product or service), it
may be subject to significant penalties, and
embarrassment. The criteria detail how to
disclose personal information to third parties
only for purposes identified in the notice and
with the consumer's implicit or explicit
consent. The essential element is to disclose any
proposed actions to consumers before sharing
their personal information.
Security. In
today's environment of computer viruses and
hackers, protecting mailing lists and contact
information is critical. An e-mail address is
personally identifiable information in its own right,
and it often includes a person's name. CPAs should urge companies
to create policies and controls to protect their
consumer information against unauthorized access.
The security criteria provide the basis for
entities to do that.
Quality. The
heightened sensitivity around e-mail
communication underscores the need for
high-quality data. Companies open themselves to
regulatory compliance risks unless they closely
monitor requests to delete names from mailing
lists and pay attention to customer preferences.
Data quality is of utmost
importance: inaccurately and partially
recorded information from consumers can lead to
miscommunications and missed commercial
opportunities, and expose the company to
significant financial risks. The quality criteria
are a guide to maintaining accurate, complete and
relevant personal information for the purposes
identified in the privacy notice.
Monitoring and
enforcement. CPAs should encourage
companies to implement monitoring and enforcement
policies and controls throughout the
communication cycle to limit regulatory
compliance exposure as well as to mitigate the
risk of blocking or filtering their messages by
Internet service providers. Such controls should
cover not only the compilation of mailing lists,
the frequency of messages and the implementation
of tracking mechanisms, but also processes
related to consumer requests to opt out, the
removal of personal information from company
records and the handling of consumer complaints.
Providing an effective channel for resolving
complaints about e-mail communications is a
practical and favorable alternative to facing
legal action (which the authorities now can take
in the EU and in the United States). CPAs should
advise companies to properly handle every single
complaint before it becomes a bigger problem. The
framework's criteria here help CPAs guide an
entity in monitoring compliance with privacy
policies and procedures and in addressing related
complaints and disputes.
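The choice-and-consent, notice, and monitoring-and-enforcement components above all come down to a handful of controls a company can actually run before a campaign goes out: check that the consent basis fits the recipient's jurisdiction (opt-in where the EU rules apply, opt-out in the United States), suppress every address that has asked to be excluded, confirm the message carries the identification, contact information and opt-out mechanism the article says the law requires, and flag exclusion requests that have not been applied. The following is an added example of such a pre-send gate; it is not code from the article or from the AICPA/CICA framework. The region codes, field names, the length of the window for applying an opt-out and all sample data are assumptions made for the example, not figures the article supplies.

```python
"""Pre-send compliance gate for a commercial e-mail campaign (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption for the example: regions whose recipients must have opted in
# (the article: the EU requires opt-in, the US works on an opt-out model).
OPT_IN_REGIONS = {"EU"}

# Assumption: how long the company allows itself to apply an exclusion
# request. The article gives no figure; treat this as a policy parameter.
OPT_OUT_WINDOW = timedelta(days=10)


@dataclass(frozen=True)
class Recipient:
    address: str
    region: str      # "US" or "EU" in the sample data below
    opted_in: bool   # an affirmative request to receive mail was recorded


@dataclass(frozen=True)
class OptOutRequest:
    address: str
    received: datetime
    applied: bool    # True once the address has been purged from the list


def normalize(address: str) -> str:
    """Canonical form for matching. Lower-casing the whole address may
    over-suppress a rare case-sensitive mailbox; for a suppression list
    that is the safe direction to err."""
    return address.strip().lower()


def suppression_list(requests):
    """Every address that has asked to be excluded, applied or not:
    a request that is still pending must already block sends."""
    return {normalize(r.address) for r in requests}


def missing_elements(message):
    """Elements the article says the law requires in each message: sender
    identification, contact information and a mechanism in the body for
    stopping further communications. Field names are assumptions."""
    required = ("sender_identity", "contact_info", "opt_out_mechanism")
    return [key for key in required if not message.get(key)]


def select_recipients(recipients, suppressed):
    """Return (send_to, excluded); excluded maps address -> reason."""
    send_to, excluded = [], {}
    for r in recipients:
        addr = normalize(r.address)
        if addr in suppressed:
            excluded[addr] = "opted out"
        elif r.region in OPT_IN_REGIONS and not r.opted_in:
            excluded[addr] = "no opt-in consent recorded"
        else:
            send_to.append(addr)
    return send_to, excluded


def overdue_opt_outs(requests, now):
    """Monitoring control: requests older than OPT_OUT_WINDOW that were
    never applied to the list, i.e. consumer instructions not executed."""
    return sorted(normalize(r.address) for r in requests
                  if not r.applied and now - r.received > OPT_OUT_WINDOW)


def gate_campaign(message, recipients, requests, now):
    """Refuse the campaign if the message lacks a required element;
    otherwise return the cleared list, the exclusions and overdue requests."""
    missing = missing_elements(message)
    if missing:
        raise ValueError(f"message missing required elements: {missing}")
    send_to, excluded = select_recipients(recipients, suppression_list(requests))
    return send_to, excluded, overdue_opt_outs(requests, now)


# Constructed sample data for the example.
NOW = datetime(2004, 6, 1)
SAMPLE_RECIPIENTS = [
    Recipient("alice@example.com", "US", opted_in=False),  # US: opt-out model
    Recipient("Bob@Example.com", "US", opted_in=True),     # asked out below
    Recipient("carol@example.de", "EU", opted_in=True),
    Recipient("dave@example.fr", "EU", opted_in=False),    # EU: opt-in needed
]
SAMPLE_REQUESTS = [
    OptOutRequest("bob@example.com", NOW - timedelta(days=2), applied=False),
    OptOutRequest("erin@example.com", NOW - timedelta(days=30), applied=False),
]
SAMPLE_MESSAGE = {
    "subject": "New service for existing clients",
    "sender_identity": "Example Co.",
    "contact_info": "1 Main Street, Anytown",
    "opt_out_mechanism": "https://example.com/unsubscribe",
}

if __name__ == "__main__":
    send, excluded, overdue = gate_campaign(
        SAMPLE_MESSAGE, SAMPLE_RECIPIENTS, SAMPLE_REQUESTS, NOW)
    print("send to:", send)
    print("excluded:", excluded)
    print("opt-outs overdue:", overdue)
```

Two design points matter here. The suppression set is built from every exclusion request, not only the ones already processed, so a request received yesterday blocks today's send even though the batch job that purges the list has not run; and the gate refuses the whole campaign when the message itself is missing a required element, rather than sending and hoping the recipients do not complain. The overdue list is the monitoring half of the control: it tells the reviewer which consumer instructions the company has on file but has not executed.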
CPAs CAN CAN SPAM
The challenges
raised by junk e-mail and the legislation
designed to stop it won't go away any time
soon. CPAs can help clients and employers make
use of the AICPA/CICA Privacy Framework to
establish a broad privacy program throughout
their organizations or apply it more specifically
to a high-risk area such as commercial e-mail.
The framework also can serve as the basis for a
spam-control program that meets the requirements
of the different regulations now existing
worldwide. Using the framework as the basis for
an organization-wide privacy program which
includes spam and e-marketing is an effective
long-term approach clients and employers can
adopt to manage the risks associated with privacy
and data protection.