As legal concerns about electronic privacy are brought to the forefront, the first line of defense for many e-based enterprises will be their Chief Privacy Officer (CPO). "Pressure is escalating for the government to pass privacy-protection legislation, and privacy will be one of the top CRM issues this year," said Scott Nelson, vice president and research director for the GartnerGroup's CRM segment. "A privacy officer will soon be an essential position in companies that are worried about implementing effective privacy standards and communicating those standards to the public and regulatory agencies."
Dozens of privacy bills will be introduced in congress this year, including some that will require companies to post and comply with privacy policies. Others will restrict disclosure of personal information without the express consent of the consumer and require sites to post an understandable disclosure of what information is being gathered and how it will be used prominently, says Andrew Shen of the Electronic Privacy Information Center (EPIC).
Enter the CPO
Political analysts say that many of these pending privacy bills will be passed. "Privacy is a nonpartisan issue," says Jay stanley, an analyst for Internet policy and regulation for Forrester Research. "Privacy initiatives are going to pass this year, and companies need to have someone who is focused on staying up to date in this space, someone who is capable of understanding, interpreting and adhering to the regulations. Companies that can't protect or don't respect their customers' information are going to pay a heavy price."
Enter the CPO--a position that US News listed as one of the top ten "Hot Job Tracks" for 2001 in its Nov. 6, 2000 issue.
According to Alan Westin, founder of the new Association of Corporate Privacy Officers in Hackensack, N.J., roughly 500 companies currently have CPOs, and Westin believes this number will at least double by next year. He predicts that by 2005, most midsize-to-large firms will have a CPO. Companies who already have CPOs include American Express, AT&T, Delta Air Lines, DoubleClick, Microsoft and Mutual of Omaha.
A CPO needs to understand how a company leverages the information it collects, keep current on the legislative front and ensure that customer information is not misused, says Westin. CPOs are sometimes put in place in response to a privacy problem that threatens sales or the company's reputation. DoubleClick, an online advertising firm in New York, announced that it would be hiring a CPO after the FTC and several states launched an investigation of its data-managing practices last winter. Amid complaints that DoubleClick planned to merge records of Web activity to a marketing profile database, the company appointed a CPO to administer its internal privacy policies and communicate them to the public and press.
Better Now Than Later
Some CPOs get to be proactive rather than reactive. Sally Cowan, American Express' CPO, was a major participant in the design of the company's "Private Payments" plan, which offers one-time-only credit-card numbers for online shopping.
IBM recently named Harriet P. Pearson as the company's first CPO. Pearson will steer IBM's privacy policies and practices and lead initiatives across IBM to strengthen consumer privacy protection.
Pearson believes that the hottest privacy issues in 2001 will revolve around how privacy polices are written and implemented. She thinks that many companies have fallen into a practice of posting "dense, complicated and not often updated" privacy policies, something that she personally finds problematic. Pearson predicts such policies will become a major problem for many if, as she believes will happen, legislation is passed requiring companies to adhere strictly to their posted policies. "I want to work with the industry to make privacy statements easier to understand--a clear, concise statement about what is being done with the information that is gathered," Pearson says. "I also plan to spend time talking with our customers about privacy issues, what kind of resources are out there and what they can do to handle privacy concerns in their own businesses."
Stephen Keating, executive director of the Privacy Foundation, says that a CPO is an essential for technology companies and midsize or larger enterprises that do a major amount of their business online. Keating fully expects 2001 to bring forth a "significant surge" of civil lawsuits and congressional action against Internet-based businesses for alleged violations of privacy policies. He also thinks that the CPO position will soon be so mainstream that universities will develop graduate classes and degree programs specifically for CPOs.
IBM's Pearson agrees that CPOs will become a standard corporate position this year. "Increasingly companies are seeing that their ability to manage privacy is a major part of their competitive edge," she says. "And in an organization where everybody is focused on making money, you need someone to speak for your clients."