The Emergence of the Chief Privacy Officer

ompanies do have stringent
opt-in policies regarding confirmed permission to send e-mail and the
like. “The real issue is what kind of information you are gathering, how
you’re gathering it, and what kind of control the consumer has over how
that it’s used,” Polonetsky says. “The key is in making consumers aware
of what the terms are.” CPOs see their role as doing just that.

In Westin’s opinion, almost any company can benefit from hiring a CPO.
The companies taking the lead, however, tend to be in industries such
as financial services for which federal privacy laws are already on the
books and compliance is an important issue. American Express Corp., Dun
& Bradstreet, Inc., Nationwide Mutual Insurance Co., PricewaterhouseCoopers,
Citigroup Inc., and Mutual of Omaha Insurance Co. all have CPOs and are
founding members of the Association of Corporate Privacy Officers (ACPO),
the professional organization established by Westin. The organization
held its second meeting in Washington, D.C., last month to address the
challenges and emerging role of the CPO.

The position is in its infancy and continues to evolve. In general,
according to the ACPO Web site, the CPO is responsible for coordinating
all corporate activities with privacy implications, as well as monitoring
all of a company’s products, services, and systems to assure meaningful
privacy practices.

For Russo, that means acting as a liaison to security officers at every
agency and school in the state. She is also drafting a statewide privacy
policy that will be reviewed by agency officials and sent to the attorney
general for approval.

For Polonetsky, the role of CPO requires him to juggle numerous responsibilities.
In addition to ensuring that his company lives up to its own privacy commitments,
he must review and monitor the privacy policies of partners and act as
an ombudsman to consumers, government, and the press.

The ACPO has set out guidelines for drafting appropriate CPO responsibilities
and lists sample tasks on its Web site. The CPO may do the following tasks:

  • Conduct privacy risk assessments and internal privacy audits
  • Serve as a key privacy advisor
  • Recommend and carry out employee privacy training and education
  • Manage a privacy-dispute and verification process
  • Speak on behalf of the company to the media and government bodies
  • Report to executive officers on how the company is dealing with privacy
  • Identify areas where the company can improve.

companies increasingly handle consumer information and make promises about
how that information is handled, Polonetsky says, they need to develop
their own compliance systems. “Companies that don’t live up to their commitments
face liability, embarrassment, or even legal action,” he says.

Following the European

In terms of privacy issues, the United States lags far behind Europe,
where privacy laws have been on the books for years in some cases.

“In Europe, we have the notion that your private data, including your
address and photo, belong to you,” says German-born Joachim Hunze, IT
director for Mapa-Spontex, a household products company based in Paris.

In France, for example, the Commission on Information Technology and
Freedom (Commission Nationale de L’Informatique et des Libertis)
is charged with writing regulations and