The Emergence of the Chief Privacy Officer
by Eva Marer
Joan Russo, IT security planner for the state of Delaware, is at the forefront of a new trend. Her position was created only last year, but she's already working with the chief IT architect to set statewide privacy policies and ensure that the state's 34,000 employees adhere to them.
Currently, there are only about 50 to 75 chief privacy officers (CPOs) nationwide, estimates Alan Westin, founder of Privacy & American Business, a nonprofit think tank in Hackensack, N.J. Indeed, in a recent CIN poll, only 4% of members acknowledged having such a position within their own organizations.
Yet Westin expects that number to increase dramatically within the next few years. "Within a short time, every sensible company will have a CPO on its management team," he says. As privacy becomes a top-tier issue for consumers, he says, companies will recognize the competitive advantage of institutionalizing the CPO position.
An Emerging Role
"I get a call - at least one call a week - from companies looking for referrals to staff a new CPO position," says Jules Polonetsky, CPO for DoubleClick Inc., a New York-based Internet firm that provides advertising solutions for Web publishers and advertisers. Polonetsky, the former consumer affairs commissioner for the city of New York, was just hired in March. "It's clear that this is becoming an increasing priority for companies."
No matter what their primary business, Internet companies are in many ways data companies, says Polonetsky. As they become aware of that role, they are moving beyond the mechanics of data exchange to focus on ethical implications and privacy protection.
"We've had a lot more inquiries from agencies and concern about privacy in the last year," says Russo. That's partly because some new laws have been implemented, she says. But the concern also arises in direct proportion to the number of consumer services offered via the Web.
"We have a new online program where people can pay their taxes online," she says. "We've also started planning a new system where parents can view their children's report cards on the Web. They love the convenience but are concerned about issues like credit card security and protecting their children's confidentiality."
As companies go Web-enabled, Russo says, people fear everything from hackers and viruses to misuse of personal information. "This is not like the old mainframe days where you've got one box and a limited number of people who can access it." Also, she says, any entity receiving federal funding must document its compliance with federal privacy standards, especially in areas pertaining to medical, legal, and Freedom of Information Act requests.
In addition, consumers seem to be asking companies to police themselves more. For example, a survey of more than 2,000 Americans published by the Pew Internet and American Life Project showed that 86% of respondents favored the adoption of "opt-in" policies, whereby Internet companies would request permission from users before disclosing personal information. In an "opt-out" situation, Web sites have the right to track users who do not explicitly request to be excluded.
This problem is not really new, argues Polonetsky. He points out that, even in the offline world, consumers must opt out of telemarketing lists and direct mail databases. And some online companies do have stringent opt-in policies regarding confirmed permission to send e-mail and the like. "The real issue is what kind of information you are gathering, how you're gathering it, and what kind of control the consumer has over how it's used," Polonetsky says. "The key is in making consumers aware of what the terms are." CPOs see their role as doing just that.
In Westin's opinion, almost any company can benefit from hiring a CPO. The companies taking the lead, however, tend to be in industries such as financial services for which federal privacy laws are already on the books and compliance is an important issue. American Express Corp., Dun & Bradstreet, Inc., Nationwide Mutual Insurance Co., PricewaterhouseCoopers, Citigroup Inc., and Mutual of Omaha Insurance Co. all have CPOs and are founding members of the Association of Corporate Privacy Officers (ACPO), the professional organization established by Westin. The organization held its second meeting in Washington, D.C., last month to address the challenges and emerging role of the CPO.
The position is in its infancy and continues to evolve. In general, according to the ACPO Web site, the CPO is responsible for coordinating all corporate activities with privacy implications, as well as monitoring all of a company's products, services, and systems to assure meaningful privacy practices.
For Polonetsky, the role of CPO requires him to juggle numerous responsibilities. In addition to ensuring that his company lives up to its own privacy commitments, he must review and monitor the privacy policies of partners and act as an ombudsman to consumers, government, and the press.
The ACPO has set out guidelines for drafting appropriate CPO responsibilities and lists sample tasks on its Web site. The CPO may do the following tasks:
- Conduct privacy risk assessments and internal privacy audits
- Serve as a key privacy advisor
- Recommend and carry out employee privacy training and education
- Manage a privacy-dispute and verification process
- Speak on behalf of the company to the media and government bodies
- Report to executive officers on how the company is dealing with privacy issues
- Identify areas where the company can improve.
As companies increasingly handle consumer information and make promises about how that information is handled, Polonetsky says, they need to develop their own compliance systems. "Companies that don't live up to their commitments face liability, embarrassment, or even legal action," he says.
Following the European Lead
In terms of privacy issues, the United States lags far behind Europe, where privacy laws have been on the books for years in some cases.
"In Europe, we have the notion that your private data, including your address and photo, belong to you," says German-born Joachim Hunze, IT director for Mapa-Spontex, a household products company based in Paris.
In France, for example, the Commission on Information Technology and Freedom (Commission Nationale de l'Informatique et des Libertés) is charged with writing regulations and tracking security breaches. The Commission's Web site (www.cnil.fr) warns consumers that they are not protected by French law when they give personal information to foreign Web sites.
In Germany, Hunze says, a federal privacy official (Datenschutzbeauftragter der Bundesregierung) is charged with enforcing privacy laws and reports once a year to the government and the people about the situation.
In Denmark, it would be unthinkable for a bank to give or sell consumer lists to other companies, says Karsten Jorgensen, manager of IT strategy for Jyske Bank, a full-service financial institution representing about $14 billion in assets. Besides the fact that it's illegal, says Jorgensen, "being trusted by customers is essential, and disclosure of any privacy leakage would be a considerable competitive disadvantage."
Because privacy is protected by law in Europe, Hunze says, Web sites do not need to post privacy policies to reassure consumers. Though he has never encountered the problem before, he would have to report any abuse of privacy at his own organization to the police. "Even selling mailing lists is illegal," he says, with one advantage being that Europeans receive much less junk mail than Americans.
Europe's strict adherence to privacy guidelines is having some impact in the United States. "When you surf the Web, you travel to lots of countries," Hunze points out, noting that most Europeans do not use e-commerce because they fear for the security of their data outside their own national borders.
As American companies push for more global reach, they may be forced to voluntarily adopt stricter guidelines. At the very least, says Polonetsky, they should have one contact in the company who thoroughly understands the issues.
In addition, many American consumers are getting fed up with what they consider privacy violations. A recent survey by the Internet Policy Institute, a Washington, D.C.-based think tank that examines issues affecting the global development and use of the Internet, found that Americans are becoming more concerned with protecting their privacy. More than three-quarters of New Yorkers surveyed want federal laws to restrict what kind of personal information can be collected online about them. Dearborn, Mich., residents agreed, with 73% in favor of federal laws that would restrict the types of personal information collected online.
American lawmakers seem to be listening. Numerous privacy bills are floating around Congress, including the Consumer Internet Privacy Enhancement Act, sponsored by Senate Commerce Committee Chairman John McCain (R-Ariz.) and Senators John Kerry (D-Mass.), Spencer Abraham (R-Mich.), and Barbara Boxer (D-Calif.). The bill mandates that Web sites spell out their privacy policies and let consumers opt out of having personal information sold to third parties. It also calls for a study of the issue for 12 to 18 months before setting firm standards.
Some firms are going beyond that timetable, however, working with industry trade groups and the government to create privacy guidelines. The Internet Advertising Bureau (IAB), which recently formed the Chief Privacy Officer (CPO) Council, of which Polonetsky is co-chair, has forged an alliance with the Federal Trade Commission to promote responsible advertising on the Web.
Other companies have formed alliances to promote privacy principles of disclosure, choice, access, and security. One such program, TRUSTe, a nonprofit alliance of several hundred Web sites, requires members to adhere to established privacy practices and to comply with published oversight and alternative dispute resolution practices. The TRUSTe privacy seal, or "trustmark," is an online branded seal that indicates compliance with the program and takes users directly to a site's privacy statement. In addition, more sites are giving their privacy statements prominent placement on the homepage and using those statements to direct users to consumer advocacy organizations such as www.netcoalition.com and www.privacyalliance.org.
The IAB's CPO Council seeks to promote privacy standards and expand the role of the CPO (www.iab.net). "Standards are still evolving in the U.S.," says Polonetsky, and companies that take a proactive stance will have more say in shaping those standards.
Staffing the CPO Position
The trend toward hiring CPOs originates in the executive suite and in business units. "Since discretion and trust are crucial for customers' attitudes, business managers are well aware of the importance of the CPO," says Jorgensen.
In Polonetsky's opinion, CPOs do not have to be technologists but may come from marketing, legal, or other backgrounds.
The amount of legal knowledge required by the CPO varies according to the industry, but most agree that a working knowledge of relevant laws and codes is sufficient. The key to making the position function, says Polonetsky, is that the CPO should report directly to the board of directors, as he does, or at least to a senior executive level, such as the CEO or COO.
In Europe, where the whole system is geared to guaranteeing the privacy of data, Hunze says, companies might not see the need for a separate CPO position. "In certain ways, I am the CPO, but it's just considered part of my job, something that is part of the enterprise strategy and required by law." Hunze notes that he received privacy training as part of his overall programming education. "If you do your job right, the privacy issue is just taken care of," he says.
Up to now, privacy issues have been handled by CIOs or IT directors both here and abroad. With increasing complexity, however, the CIO and CPO positions are beginning to branch off.
Steve Rayner, information systems manager at Northland Health Limited, a public health provider in Whangarei (pronounced fung-are-ray), New Zealand, reports that one health organization was rebuked by the New Zealand privacy commissioner's office for assigning privacy responsibilities to its CIO. "It was roundly condemned as a conflict of interest," he says.
According to Rayner, "One of the CIO's strategic objectives was to share patients' health information with all relevant providers of care in order to maximize the potential care benefits. The privacy commissioner considered that the CIO had two conflicting missions - the dissemination of information and the protection of that information. One cannot be a champion for opposite points of view."
Conflicts of interest also arise between competing corporate functions. "Marketing people want to maximize interaction with consumers, whereas the legal department wants to minimize it. The CPO, on the other hand, wants to make sure that interaction is transparent, clear, and fair and that consumers have choices," Polonetsky says. The overriding reason for separating the two positions, however, is a practical one. "Companies may have technologists who understand the underlying infrastructure, lawyers who know the law, and marketing and communications people who can talk to the public, but rarely is there somebody positioned to have a broad sense of how those issues interact," Polonetsky says.
The position of CPO has its own unique set of challenges: maintaining employee awareness of legal and moral obligations, gaining consensus among partners, staying abreast of new technologies and the law, and communicating with the public and the press.
Above all, however, the CPO must be an advocate for the consumer within the company. "A consumer who is surprised, irritated, or annoyed is not going to be a consumer for long," says Polonetsky.
The prospect of losing customers is the ultimate motivator behind the CPO trend. By establishing the position of corporate CPO, companies can gain consumer confidence, establish a competitive edge, and develop a strong voice in the ongoing public debate about privacy.
Eva Marer is a freelance business and technology journalist based in New York City.