Psst! CPOs Are Secret Agents

A string of controversies involving U.S. companies accused of misusing personal information about their customers is fueling the latest trend in corporate hiring: the chief privacy officer.

In August, U.S. Bancorp named a privacy czar to protect its customers’ interests after the Minneapolis-based bank was sued by state regulators for selling confidential financial data to telemarketers.

Internet ad broker DoubleClick made a similar move in March after the company was attacked for its plan--later shelved--to combine information about consumers’ Web-surfing habits with other personal information, and use the data to pitch products to them.

As Americans grow more alarmed about the use of their personal information on the Internet, about 75 U.S. companies have added chief privacy officers, or CPOs, to their corporate rosters, up from a mere handful in the 1990s, according to Alan Westin, head of Privacy & American Business, a research and consulting group in New Jersey.

CPOs are typically charged with developing a corporate privacy policy and ensuring a company’s compliance with the ever-growing number of privacy-related laws and regulations. Among those U.S. companies that now employ CPOs are Microsoft, America Online, American Express, AT&T; and E-Trade.

The CPO is the latest corporate abbreviation to hit the executive suite, joining other tech-spawned posts such as chief information officer, or CIO, and chief technology officer, or CTO.

Some privacy advocates are skeptical of the trend, dismissing the corporate titles as little more than window-dressing and an attempt by companies to appear that they’re serious about protecting customers’ privacy.

“It’s a Band-Aid, not a solution,” said Bonnie Lowell, an online privacy expert and technology consultant.

Lowell is worried that many companies are using CPOs primarily to protect themselves against potential lawsuits or bad press, rather than to reform and enhance their privacy policies. Instead of hiring high-profile CPOs and sending them to meet with customers or testify at government hearings, companies ought to be training workers throughout the company about the proper use of sensitive information they collect about customers, Lowell said. Such information can range from credit card numbers to magazine subscriptions, from bank account balances to Social Security numbers.

The fact that many of the new crop of CPOs are former attorneys suggests that the threat of privacy-related lawsuits remains a top concern of companies. At a privacy conference in Washington last month, experts predicted that U.S. companies will soon face a wave of class-action lawsuits over their failure to abide by the privacy promises they have made to their customers. Frequently such lapses occur by mistake or because no one at the company is enforcing the privacy policy.

“A lot of companies have had trouble living up to their own privacy policies,” said Larry Ponemon, lead partner of the privacy practice at PricewaterhouseCoopers. “They say they do [one thing], but they do less than [that].”

*

By ensuring that companies follow their own policies, CPOs benefit consumers, too, company officials say. Some CPOs say they view their jobs as being an advocate for consumer interests and serving as a bridge between the company and customers.

“One of my roles is to be an ombudsman,” said Jules Polonetsky, a former consumer affairs commissioner of New York who was recently hired to become DoubleClick’s first CPO.

“My job is to be an inside watchdog,” Polonetsky said, noting he reports directly to the board of directors.

But the influence of CPOs can vary within each organization. Some companies have hired seasoned attorneys or privacy experts, who report directly to the chief executive or chairman. Others employ young, tech-savvy representatives who work within the companies’ legal, public affairs or technology divisions.

At American Express, the CPO is its former group general counsel Sally Cowan, who reports to the vice chairman. Cowan has helped shape new products and services for consumers, such as an e-commerce initiative to provide protection to consumers while using credit cards online and a technology that permits users to surf the Internet anonymously.

*

But the job can also be a source of friction within a company.

Microsoft Corporate Privacy Director Richard Purcell said he often butts heads with other departments--particularly the marketing and data management divisions--over their plans for new products or uses for personal information.

“You have to go around and kick butt inside your company on behalf of consumers,” Purcell said. He and other CPOs say they sometimes use their veto power to kill or change new products or services that might infringe customer privacy.

“I’m representing the consumer quite a bit of the time, but I’m also representing the business,” said Tatiana Gau, who oversees privacy issues at AOL. “It’s complex.”

Says Microsoft’s Purcell: “I qualify my job as successful if I upset just about everybody,” he said.

A recent study indicates that consumers are taking notice. A September survey of Internet users found that 58% considered it extremely or very important for companies to have chief privacy officers review their privacy policies, according to Robert Moran, vice president at Fabrizio McLaughlin & Associates, the consulting firm that conducted the study.

*

Openings for CPOs may soon begin appearing on government payrolls as well.

A California bill, SB 129, by state Sen. Steve Peace (D-El Cajon) would create a privacy ombudsman to ensure personal information about California residents is used in compliance with state laws. A similar federal proposal is being backed by Rep. Tom Davis (R-Va.).

“It’s an idea whose time has come,” said Westin, whose group will soon offer an accreditation program for CPOs and helped found a professional trade group, the Assn. of Corporate Privacy Officers.

That said, it might not be a good idea to plan on a long career as a privacy czar. Although some experts see the trend accelerating, others see it as a short-term phenomenon that will fade as privacy protections become more accepted and commonplace within corporations.

“We ought to do everything we can to make sure our role diminishes,” said Microsoft’s Purcell.