When most people hear the word “audit,” their thoughts probably go to the Internal Revenue Service and tax returns. However, the IRS is not the only organization tasked with auditing people and organizations – the Federal Trade Commission also has the power to conduct or order audits. For example, the FTC reached a settlement with Google Buzz in 2011 relating to privacy violations. As part of the terms of the agreement, Google’s privacy program will be subjected to independent audits for the next 20 years. Before this, a separate FTC investigation led the agency to impose a $22.5 million fine on Google, the highest the FTC has ever issued.
As these examples suggest, it is in organizations’ best interests to avoid giving the FTC reason to conduct an audit or investigation. Writing for IDG News Service, Jay Cline recently reviewed 100 privacy cases settled by the FTC in recent years. He identified a number of different reasons why the FTC may audit an organization’s privacy program. One of the most significant of these is a failure to achieve CAN-SPAM compliance.
CAN-SPAM compliance
Passed in 2003, the CAN-SPAM Act requires, among other things, that email marketers provide a clear and easy means for subscribers to opt out of receiving future messages. Industry experts disagree over which methods are sufficiently clear and easy to satisfy the law, but there is no question that organizations must honor opt-out requests within 10 business days, and that every email must contain some means for the recipient to indicate a desire to stop receiving messages.
The FTC is charged with overseeing the enforcement of the CAN-SPAM Act. If it finds that a particular business has violated the law’s guidelines, the FTC has the power to issue fines and other penalties.
As Cline noted, it is not difficult for the FTC to find evidence that a company does not, or did not, make it easy for subscribers to opt out of receiving future messages. A number of companies have learned this the hard way, Cline pointed out.
Testing is key
Cline recommended that organizations regularly test their opt-out procedures and email list cleansing tools to ensure that the process is as easy and fast as it needs to be. This way, an issue will be identified and solved before it leads to a violation of the CAN-SPAM Act.