E-Mail and the Law: How to Manage Privacy Issues Using the AICPA/CICA Framework

Article excerpt

Companies that market their products and services through e-mail face a new challenge: the need to comply with privacy and spam (often defined as unsolicited bulk e-mail) regulations. Those that invest in building and preserving consumer trust cannot afford to ignore these laws for two primary reasons: the possibility of consumer alienation and the risk of breaking privacy laws and thus incurring penalties. This article explains how CPAs can help implement e-mail programs that reduce compliance risks by using the privacy framework developed jointly by the AICPA and the Canadian Institute of Chartered Accountants (CICA).

The AICPA/CICA Privacy Framework provides criteria for protecting the privacy of consumer information. It incorporates concepts from significant domestic and international privacy laws, regulations and guidelines. In this article CPAs will learn how to apply the framework to create privacy- and compliance-based e-mail programs.

NEW COMPLIANCE RULES

The emergence of spam-related regulations--the U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 and the EU Directive on Privacy and Electronic Communications, implemented (with country-specific variations) in the 25 European Union (EU) countries--has cast a wide net of compliance over the use of e-mail for commercial purposes. The rules affect any company that advertises its products or services in any e-mail message; in other words, they apply whether you are a spammer sending thousands of e-mails to complete strangers with attractive propositions for remortgaging their homes or a firm contacting a long-time client about a new service. CPAs should be clear on one important point: Although spam often is associated with mass distribution, unscrupulously obtained lists and shady offers, the scope of the regulations companies now face in the United States and the EU covers even a single e-mail a legitimate company sends to a single business acquaintance or customer.

THE FRAMEWORK CAN HELP

To avoid incurring regulatory penalties, companies must apply specific and elaborate privacy controls to the commercial distribution of e-mail. The AICPA/CICA Privacy Framework is a tool CPAs can use to help entities meet this challenge effectively.

Accountants in both industry and public practice can use the framework to guide organizations in developing their e-mail privacy policies. They are in a unique position to provide services that will help companies design, implement, maintain and evaluate their e-mail privacy programs. Such programs will help organizations to

* Mitigate privacy-related risks such as those raised by spam.

* Protect valuable business assets.

* Preserve brand and reputation.

* Maintain customer loyalty.

The framework contains 10 components that are essential to the proper protection and management of customers' personal information. In addition to guiding companies in implementing privacy programs, the framework can be viewed more narrowly as a foundation for managing the commercial use of e-mail. The components are based on internationally known fair-information practices included in the privacy laws and regulations of jurisdictions around the world and in common privacy practices. They are

* Management.

* Notice.

* Choice and consent.

* Collection.

* Use and retention.

* Access.

* Disclosure to third parties.

* Security.

* Quality.

* Monitoring and enforcement.

For each component the framework provides relevant, objective, complete and measurable criteria CPAs can use to evaluate an entity's privacy policies, communications, procedures and controls and to provide value-added services around them.

LAWS ON E-MAIL USE

In recent years governments worldwide have passed regulations in an attempt to curb, if not completely eliminate, spam. …