E-Mail and the Law

How to manage privacy issues using the AICPA/CICA framework.

SPAM IS A BUSINESS PROBLEM companies now must address because of domestic and international laws. Companies need to adopt Internet marketing privacy policies to comply with various privacy and spam regulations. CPAs can use the AICPA/CICA Privacy Framework to help organizations accomplish these goals.

THE AICPA/CICA PRIVACY FRAMEWORK is based on privacy laws and regulations of jurisdictions around the world. It includes 10 components and related criteria that are essential for businesses to properly protect and manage personal information.

THE FRAMEWORK’S CRITERIA GIVE COMPANIES guidance in defining, documenting, communicating and assigning accountability for their privacy policies. The privacy notice criteria advise organizations on giving consumers notice of their privacy policies and procedures and explaining how they collect, use, retain and disclose personal information.

COMPANIES CAN FIND GUIDANCE to help them in giving individuals access to their personal information so they can review and update it. In the same way, they can use the quality criteria to help them maintain accurate, complete and relevant personal information.

CPAs WILL FIND THEY CAN USE THE PRIVACY framework to help clients and employers comply with the various privacy regulations that are emerging worldwide as well as with e-mail and spam laws.

SAGI LEIZEROV, PhD, is a manager in Ernst & Young LLP’s technology and security risk services in McLean, Virginia. He also is a member of the AICPA/CICA privacy task force that created the framework. His e-mail address is sagi.leizerov@ey.com.

Companies that market their products and services through e-mail face a new challenge—the need to comply with privacy and spam (often defined as unsolicited bulk e-mail) regulations. Those that invest in building and preserving consumer trust cannot afford to ignore these laws for two primary reasons: the possibility of consumer alienation and the risk of breaking privacy laws, thus incurring penalties. This article explains how CPAs can help implement e-mail programs that reduce compliance risks by using the privacy framework developed jointly by the AICPA and the Canadian Institute of Chartered Accountants (CICA).

The AICPA/CICA Privacy Framework provides criteria for protecting the privacy of consumer information. It incorporates concepts from significant domestic and international privacy laws, regulations and guidelines. In this article CPAs will learn how to apply the framework to create privacy- and compliance-based e-mail programs.

Spam Spreads
Data from a national survey of consumers suggested spam is beginning to undermine the integrity of e-mail and to degrade the online experience.

Some 25% of e-mail users said the ever-increasing volume of spam has reduced their overall use of e-mail.

With the increasing use of filtering devices, 23% were concerned the e-mails they send may be blocked.

A significant number of e-mail users—80%—were bothered by the deceptive or dishonest content of spam, with 76% bothered by its offensive or obscene material.

Some 62% said their employers used filters to block spam from their work e-mail accounts.

Source: Pew Internet & American Life Project, Washington, D.C., www.pewinternet.org, 2004.

The emergence of spam-related regulations—the U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 and the Electronic Directive on Privacy and Electronic Communication implemented (with country-specific variations) in the 25 European Union (EU) countries—has cast a wide net of compliance over the use of e-mail for commercial purposes. The rules affect any company that advertises its products or services in any e-mail message. In other words they apply whether you are a spammer sending thousands of e-mails to complete strangers with attractive propositions for remortgaging their home or a firm contacting a long-time client about a new service. CPAs should be clear on one important point: Although spam often is associated with mass distribution, unscrupulously obtained lists and shady offers, the scope of the regulations companies now face in the United States and the EU covers even a single e-mail a legitimate company sends to a single business acquaintance or customer.

To avoid incurring regulatory penalties companies must apply specific and elaborate privacy controls to the commercial distribution of e-mail. The AICPA/CICA Privacy Framework is a tool CPAs can use to help entities effectively meet this challenge.

Accountants in both industry and public practice can use the framework to guide organizations in developing their e-mail privacy policies. They are in a unique position to provide services that will help companies design, implement, maintain and evaluate their e-mail privacy programs. Such programs will help organizations to

Mitigate privacy-related risks such as those raised by spam.
Protect valuable business assets.
Preserve brand and reputation.
Maintain customer loyalty.

The framework contains 10 components that are essential to the proper protection and management of customers’ personal information. In addition to helping provide companies guidance in implementing privacy programs, the framework also can be viewed more narrowly as a foundation for managing the commercial use of e-mail. The components are based on internationally known fair-information practices included in the privacy laws and regulations of jurisdictions around the world and in common privacy practices. They are

Management.
Notice.
Choice and consent.
Collection.
Use and retention.
Access.
Disclosure to third parties.
Security.
Quality.
Monitoring and enforcement.

For each component the framework provides relevant, objective, complete and measurable criteria CPAs can use to evaluate and provide value-added services to an entity’s privacy policies, communications, procedures and controls.

In recent years governments worldwide have passed regulations in an attempt to curb, if not completely eliminate, spam. CPAs can use each of the framework’s components and their criteria to help entities create privacy policies and specific details for managing and implementing controls. We’ll explain each component below and show how its criteria can be applied to the related privacy challenge in using e-mail.

Management. Privacy management is critical for commercial e-mail communications. Companies executing online marketing campaigns must implement controls over a variety of aspects, from identifying the appropriate target audience in their databases to complying with regulatory requirements such as subject-line guidelines and related statements in the body of an e-mail message, to ensuring that tracking systems used to monitor the campaign are in line with the company’s privacy policy and regulatory requirements and effectively implementing consumer requests for exclusion from future messages. Both U.S. and EU regulations stress the importance of this last point. Using the framework’s management criteria, CPAs can provide companies with the means to define, document, communicate and assign accountability for their privacy policies and procedures.

Notice. At a time when spam is rampant, the transparency provided by a clear notice of practices is instrumental in building trust with customers. On the Web, where many consumers first sign up to receive e-mail messages, posting both a complete privacy policy and a short statement about the company’s practices can go a long way toward reassuring consumers. The law requires that a privacy statement about the choices available to a recipient be embedded in the e-mail message along with clear identification and contact information. CPAs can suggest companies augment this with a link to their complete privacy policy. The notice component’s criteria provide guidance on creating transparency about privacy policies and procedures and identifying the purposes for which a company collects, uses, retains and discloses personal information.

Choice and consent. Choice is the key criterion. An important distinction between the EU and U.S. rules is that in Europe individuals must expressly request to receive e-mails (referred to as “opt in”) while in the United States they must express their desire to be dropped from an e-mail list (referred to as “opt out”). CPAs need to make a company aware of the distinctions between the two approaches so it can successfully respond to consumer wishes and purge the e-mail addresses of individuals who opt out. Although U.S. mailing lists are based on an opt-out model, best practices call for the expressed consent (opt-in) approach for commercial communications. CPAs should help companies put appropriate controls in place to ensure they properly execute consumer instructions. The criteria attached to this component help a CPA explain the choices available to the individual and how companies can obtain implicit or explicit consent concerning the collection, use, retention and disclosure of personal information.

Collection. The data a company collects about individuals serve an important marketing function in successfully targeting its messages to customers. However, companies must balance commercial opportunities with regulatory compliance. When purchasing mailing lists, for example, they should verify that vendors’ assertions about the choices offered to the customer coincide with company policies. When adding names to a database, companies should provide consumers clear notice and give them the opportunity to limit future communications. The collection component’s criteria present guidelines for ensuring an entity collects personal information only for the purposes identified in the notice.


CPAs in both industry and public practice can use the AICPA/CICA Privacy Framework to help organizations design and implement programs to protect personal client information and enable companies to protect themselves against accusations of “spamming.”

To augment the privacy statement the law requires senders to embed in an e-mail message, CPAs should recommend companies include in their messages a link to their complete privacy policy.

U.S. rules require that individuals “opt out” before companies must remove them from e-mail lists; CPAs should recommend companies follow best practices and use an “opt-in” approach for commercial communications. It’s also important to make certain organizations have appropriate controls in place to properly execute consumer requests to be excluded.

To limit regulatory compliance exposure, CPAs should encourage companies to implement monitoring and enforcement policies for all commercial e-mail communications. This type of policy also will mitigate the risk of having the message blocked or filtered.

Use and retention. The regulations have set limits on how businesses can use consumers’ contact information and how long they can retain it (retention periods vary by country). Accurately establishing the target market group is key to avoiding regulatory compliance risks. CPAs should remember that companies are not shielded from responsibility if they outsource their communication services to third parties. Using the criteria in this component of the framework enables a company to limit the use of personal information to the purposes identified in its privacy notice—for which the individual has provided consent—and for only as long as necessary to fulfill the stated purposes.

Access. Regulations require senders to include a mechanism for stopping further communications in the body of an e-mail. However, that device might not enable consumers to communicate in detail the limitations they want on a firm’s e-mails to them (for example, to limit these to only certain messages), nor change their e-mail addresses. U.S. best practices call for companies to give consumers reasonable access to their information; this requirement is much broader—and not optional—in the EU. The access criteria set standards for allowing individuals to review and update their personal information, an important foundation for maintaining quality data.

Disclosure. CPAs should encourage companies to carefully scrutinize policies on sharing consumer lists with affiliates and third parties and put appropriate controls in place to ensure they do not take advantage of consumer consents by sharing personal information excessively to capitalize on short-term business opportunities. Companies shouldn’t ruin the trust their customers have in them by making a quick profit selling or distributing personal information to third parties. If a company inappropriately discloses mailing lists—such as users of a certain medication or those interested in a “sensitive” product or service—it may be subject to significant penalties—and embarrassment. The criteria detail how to disclose personal information to third parties only for purposes identified in the notice and with the consumer’s implicit or explicit consent. The essential element is to disclose any proposed actions to consumers before sharing their personal information.

Security. In today’s environment of computer viruses and hackers, protecting mailing lists and contact information is critical. An e-mail address is identifiable information, as it often can include a person’s name. CPAs should urge companies to create policies and controls to protect their consumer information against unauthorized access. The security criteria provide the basis for entities to do that.

Quality. The heightened sensitivity around e-mail communication underscores the need for high-quality data. Companies open themselves to regulatory compliance risks unless they closely monitor requests to delete names from mailing lists and pay attention to customer preferences. Data quality is of utmost importance—inaccurately and partially recorded information from consumers can lead to miscommunications and missed commercial opportunities, and expose the company to significant financial risks. The quality criteria are a guide to maintaining accurate, complete and relevant personal information for the purposes identified in the privacy notice.

Monitoring and enforcement. CPAs should encourage companies to implement monitoring and enforcement policies and controls throughout the communication cycle to limit regulatory compliance exposure as well as to mitigate the risk of blocking or filtering their messages by Internet service providers. Such controls should cover not only the compilation of mailing lists, the frequency of messages and the implementation of tracking mechanisms, but also processes related to consumer requests to opt out, the removal of personal information from company records and the handling of consumer complaints. Providing an effective channel for resolving complaints about e-mail communications is a practical and favorable alternative to facing legal action (which the authorities now can take in the EU and in the United States). CPAs should advise companies to properly handle every single complaint before it becomes a bigger problem. The framework’s criteria here help CPAs guide an entity in monitoring compliance with privacy policies and procedures and in addressing related complaints and disputes.

The challenges raised by junk e-mail and the legislation designed to stop it won’t go away any time soon. CPAs can help clients and employers make use of the AICPA/CICA Privacy Framework to establish a broad privacy program throughout their organizations or apply it more specifically to a high-risk area such as commercial e-mail. The framework also can serve as the basis for a spam-control program that meets the requirements of the different regulations now existing worldwide. Using the framework as the basis for an organization-wide privacy program which includes spam and e-marketing is an effective long-term approach clients and employers can adopt to manage the risks associated with privacy and data protection.


The AICPA/CICA Privacy Framework, www.aicpa.org/privacy.

Privacy Matters: An Introduction to Personal Information Protection (# 056590JA).
Understanding and Implementing Privacy Services: A CPA’s Resource (# 056509JA).

Canning the Spam: Recipes For Controlling Unwanted E-Mail, CD-ROM (# 737176JA).
Privacy Issues for Businesses…Whose Information Is It Anyway, CD-ROM (# 780005JA).
For more information or to place an order, go to www.cpa2biz.com or call the Institute at 888-777-7077.

IdentiRISK for Identity Theft (# 103104).
IdentiRISK for Trust Services Privacy Principles and Criteria (# 103104).
For more information or to place an order, go to www.identirisk.com/x/aicpa or call 866-433-7475.

Other resources
CAN-SPAM Act of 2003, www.spamlaws.com/federal/108s877enrolled.pdf.
Electronic Directive on Privacy and Electronic Communications, http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf.
Mail Abuse Prevention System, www.mail-abuse.com/support/an_listmgntgdlines.html.