The Emergence of the Chief Privacy Officer

by Eva Marer

Joan Russo, IT security planner for the state of Delaware, is at the
forefront of a new trend. Her position was created only last year, but
she’s already working with the chief IT architect to set statewide privacy
policies and ensure that the state’s 34,000 employees adhere to them.

Currently, there are only about 50 to 75 chief privacy officers (CPOs)
nationwide, estimates Alan Westin, founder of Privacy & American Business,
a nonprofit think tank in Hackensack, N.J. Indeed, in a recent CIN poll,
only 4% of members acknowledged having such a position within their own
organizations.

Yet Westin expects that number to increase dramatically within the next
few years. “Within a short time, every sensible company will have a CPO
on its management team,” he says. As privacy becomes a top-tier issue
for consumers, he says, companies will recognize the competitive advantage
of institutionalizing the CPO position.

An Emerging Role

“I get a call – at least one call a week – from companies looking for
referrals to staff a new CPO position,” says Jules Polonetsky, CPO for
DoubleClick Inc., a New York-based Internet firm that provides advertising
solutions for Web publishers and advertisers. Polonetsky, the former consumer
affairs commissioner for the city of New York, was just hired in March.
“It’s clear that this is becoming an increasing priority for companies.”

No matter what their primary business, Internet companies are in many
ways data companies, says Polonetsky. As they become aware of that role,
they are moving beyond the mechanics of data exchange to focus on ethical
implications and privacy protection.

“We’ve had a lot more inquiries from agencies and concern about privacy
in the last year,” says Russo. That’s partly because some new laws have
been implemented, she says. But the concern also arises in direct proportion
to the number of consumer services offered via the Web.

“We
have a new online program where people can pay their taxes online,” she
says. “We’ve also started planning a new system where parents can view
their children’s report cards on the Web. They love the convenience but
are concerned about issues like credit card security and protecting their
children’s confidentiality.”

As companies go Web enabled, Russo says, people fear everything from
hackers and viruses to misuse of personal information. “This is not like
the old mainframe days where you’ve got one box and a limited number of
people who can access it.” Also, she says, any entity receiving federal
funding must document its compliance with federal privacy standards, especially
in areas pertaining to medical, legal, and Freedom of Information Act
requests.

In addition, consumers seem to be asking companies to police themselves
more. For example, a survey of more than 2,000 Americans published by
the Pew Internet and American Life Project showed that 86% of respondents
favored the adoption of “opt-in” policies, whereby Internet companies
would request permission from users before disclosing personal information.
In an “opt-out” situation, Web sites have the right to track users who
do not explicitly request to be excluded.

This problem is not really new, argues Polonetsky. He points out that,
even in the offline world, consumers must opt out of telemarketing lists
and direct mail databases. And some online c