On Thursday, Amazon.com unveiled its new lineup of Kindle e-readers and tablets to much tech-world oohing and ahhing. But the company revealed another big addition last week: its first in-house head of privacy, Nuala OConnor. She steps in as associate general counsel for compliance and privacy, having served in lead privacy roles at General Electric and the U.S. Department of Homeland Security.
As the Wall Street Journal was quick to point out, Amazons hire is somewhat of a late arrival to the privacy club among major tech companies. Google named a global privacy counsel more than five years ago. Last year, Apple plucked Googles Jane Horvath (a U.S. Department of Justice alum) to lead its privacy efforts. And Facebook split its top privacy position into two chief privacy officer roles, after reaching a settlement with the Federal Trade Commission last November.
Theyre not the only ones, of course. With more companies collecting and using more consumer data has come more legal and public scrutiny over privacyand more chief privacy officers and privacy counsel joining companies large and small.
The core questions are, can I use consumer data in this manner, and what are the implications and what are the opportunities?, says Jules Polonetsky, director and co-chair of Future of Privacy, a think tank in Washington D.C.
But on such shifting terrain, answers are harder and harder to come by, says Trevor Hughes, who heads up the International Association of Privacy Professionals. The best approach for dealing with the resulting risk and unpredictability, he says, is for smart people to mitigate it as efficiently as possible.
Polonetsky and Hughes have witnessed the fields evolution since its infancy. Both attorneys started in chief privacy officer positions at rival digital advertising companies in January 2000Polonetsky at DoubleClick (where Nuala OConnor worked for him, by the by) and Hughes at Engage.
They recall how titles like chief privacy officer earned jeers from the press, scoffing that these would surely become a fad that passed, according to Polonetsky.
Today, obviously, it is a very different field of play. Membership in the International Association of Privacy Professionals, for example, has more than doubled in the past three yearsfrom 5,000 in January 2009 to 11,200 today. And Hughes hastens to point out that much of that growth occurred during the worst of the economic downturn, underscoring how corporate privacy risks outweighed hiring freezes.
The Association of Corporate Counsel has also noticed the upswing. In the associations 2006 census of in-house counsel, the survey didnt even ask about whether attorneys were dedicated to privacy issues, says ACC general counsel Jim Merklinger. But in its 2011 survey, 11 percent of the 5,640 respondents noted privacy as a primary discipline for their in-house role.
Steven John, a managing director at the recruiting firm Major, Lindsey & Africa, has observed this trend across positions within the legal function. Not only has demand for chief privacy officers and privacy counsel gone up, he says, but job descriptions for general counsel also list privacy issues. It has become a skill set in which companies hiring a chief legal officer or general counsel expect some expertise.
That goes for GCs who are looking to hire deputy or associate general counsel, too. Even in the absence of having a chief privacy counsel, theyre trying to augment by hiring legal professionals who have experience with privacy matters, says John.
Legal and compliance departments are natural homes for a corporations top privacy professionals. IAPPs 2012 Privacy Professionals Role, Function, and Salary Survey showed that 30 percent of respondents worked in legal and 29 percent worked in compliance. Privacy is a law-driven field, says Hughes, adding, I think the role of privacy will always be proximate to, or within, law and compliance.
But, as both Polonetsky and Hughes point out, the issues involved often go beyond the letter of the law.
Regulation in this area is so turbulent, Polonetsky notes. In addition to myriad state and federal laws that govern data protection, companies are held to what their own privacy policies statenot to mention factors like media criticism, class action lawsuits, and letters from Congressional representatives requiring explanations and reviews of a companys action (as seen, for example, in the letter Amazon received from Representative Ed Markey [D-Massachusetts]).
In other words, a savvy company has to consider what is and isnt acceptable to the public. The boundaries arent black and white yet, says Polonetsky.
Privacy leaders also, increasingly, have to incorporate business-management skills into their roles and think about the organization as a whole. Privacy has to be baked into both new products and new ways of handling employee and consumer data, says Hughes. If we created a privacy risk map of an enterprise, it would glow red wherever data is being managed in a significant way, he saysi.e., everywhere in todays corporate world.
As data becomes the life-blood of more business sectorsand privacy issues continue to bedevil more companiesit appears that CPO will soon be a common title across the corporate landscape.
