Thornton A. May: The what and why of CPOs

Five years ago, privacy was a white-hot noun. Global 2,000 organizations were falling all over themselves trying to establish privacy organizations and policies. At that time, security guru Bill Malik, former head of Gartner's security practice, commented, "The chief privacy officer is a trend whose time has come."

Fast-forward to today. We are still waiting for the high-impact, change-my-stock-price and delight-my-customer CPO to show up and make his presence felt organizationally.

In 2006, many futurists believe we may be standing at the beginning of the largest and most life-changing technology expansion since the invention of fire. (Interestingly, it is Sarbanes-Oxley -- initially labeled as an innovation-sucking bit of legislation that would do little more than provide full employment for bureaucrats -- that may be viewed in the end as the great accelerator toward a truly digital society.) Future-focused organizations are getting their information management houses in order and tightening up internal processes in advance of the big takeoff. Among the things most in need of rethinking are privacy management and the chief privacy officer.

It's worthwhile, then, to consider questions regarding what CPOs do and why they're needed.

What Do CPOs Do?

I would appreciate hearing from readers who can answer that question. The fact is that privacy professionals are, for the most part, invisible to corporate, societal and consumer decision-makers. As an anthropologist studying corporate and consumer tribes, one of my tasks is to chronicle the daily routines and experiences of decision-makers. In the course of my fieldwork, I've determined that privacy professionals occupy just about zero mind share. Why is this?

Readers may be surprised to learn that there is a privacy industry. The International Association of Privacy Professionals (IAPP) has 2,800 members in 23 countries. J. Trevor Hughes, the articulate, well-read and very well-traveled executive director of the IAPP, frequently and eloquently comments on the critical role of today's privacy professionals, who he maintains "are guardians of the data that fuel our information economy."

But most privacy tribe observers agree that privacy people pretty much keep to themselves. They are too private. Similar to the Amish, they don't get out much, and when they do, it is to gather in self-selected conclaves. Most privacy events revolve around privacy people speaking to privacy people.

What Is Society's Attitude Toward Privacy?

Part of the problem is that privacy is not front-of-mind for Joe and Jane Bag-o-Donuts. Robert Samuelson, writing in The Washington Post on Sept. 20, contends that the "Internet has unleashed the greatest outburst of mass exhibitionism in human history." A recent poll by the Pew Internet & American Life Project reports that 61% of all 13-to-17-year-olds now have personal profiles on the Web. Katharine Herrup, a cultural and style observer writing in The New York Sun on Sept. 22, said she is convinced that "Americans do want privacy. They just struggle with deciding how much exhibitionism is too much. And they don't seem to know how to set their own privacy meters."

The Demand and Supply for Privacy

We are still a ways off from having an unambiguous take on consumers' demand for privacy. People have not really made up their minds about how private they want to be. The supply of privacy is suspect as well. An RSA Security study found that nearly half of U.S. consumers have "little or no confidence" that organizations are taking sufficient steps to protect their personal data. And when a Ponemon Institute/MSNBC study asked, "Who do you trust more to protect your privacy -- government or private corporations?" a full 88% picked the third option, "neither."

Why Privacy Matters

Seth Godin, entrepreneur and orator extraordinaire, introduced the concept of permission marketing. He describes a spectrum of marketing, ranging from spam (uninvited commercial interruptions) on the bad end to what he calls "intravenous" marketing (initiatives that depend on trust relationships and thus are able to deliver any substance at any price at any time) on the good end. The only way organizations can move away from spam and toward intravenous marketing is to earn consumers' permission to collect personal information. They do this by showing that collecting the information will help them better serve the customer.

This is the sort of big, stock-price-goosing thing that a focus on privacy can produce.

Now go find out where your CPO is hiding and do something about it.

Thornton A. May is a longtime industry observer, management consultant and commentator. Contact him at

Copyright © 2006 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon