InformationWeek

here's a new honcho sitting in on executive meetings; it's the chief privacy officer. Ignore the newcomer at your peril.

True, there are CPOs that are little more than window dressing for companies running for cover after public-relations debacles. But at least as often, CPOs are policymakers capable of fouling up production schedules and even killing projects. Think you can sideline the CPO with the usual executive-row politics? In at least one case--online-advertising firm DoubleClick--the CPO reports directly to the board of directors.

Now that we have your attention, let's reintroduce the CPO: By design, he or she is not necessarily a lawyer. The person might be from outside the firm, possibly with a consumer-affairs background. The CPO can be a creative problem solver, but the person can also be an outright privacy cop.

In other words, the CPO is a good person to have on your side, reconciling marketing's dreams, IT's mandate to deliver the goods, and consumers' privacy demands.

Why are CPOs being hired in the first place? Some are being hired to allay consumer worry and thereby raise their company above competitors. But other companies simply want to keep the government from writing ham-fisted laws designed to rein in very real abuses. Financial-service and health care companies are feeling the heat right now, and online-retailers are pretty close to the burner, too.

Privacy concerns hamper buyer-seller relationships. According to Forrester Research, nearly a third of consumers admit to giving false information online because they:

• Don't trust companies with their personal data;
• They wish to remain anonymous; and
• They're trying to avoid unsolicited marketing.

In fact, customers are less likely to shop on a site that doesn't display how personal data is collected and used. Forrester Research estimates that U.S. businesses lost about $12.4 billion last year in online sales because of privacy fears.

But can't the CEO and the general counsel write and enforce privacy policies themselves?

Surprisingly, many top execs know very little about the flow of personal data through their companies, says privacy-policy specialist Brian W. Smith, an attorney with Washington-based Mayer, Brown & Platt. "We find that companies don't know all of their sources of data, because they get data from so many different places and relationships," he says.

A CPO becomes the point person, responsible for knowing from where data is gathered, how it is gathered and how it's used. "In the absence of a chief privacy officer, many people within an organization are held responsible in name only," he says. That won't serve the company should a consumer or even an employee charge that his or her privacy has been violated.

Admittedly, it is early in the age of privacy politics, but it seems that getting the CPO involved at the earliest stages of projects results in a favorable success-to-headache ratio. The consensus is that wiping out privacy problems is easier to do in planning than after execution.

Chris Kelly has been CPO of struggling Internet portal Excite@Home for a year, and meets regularly with IT staff to discuss how various contracts with third-party vendors will be implemented.

"I will ask the network engineers basic questions about how the agreement is reflected in the technology used and the trade of data," Kelly says. Among the developing projects he's influenced are interactive TV and location-based wireless services. "Right now, we're trying to figure out what are the advertising models that will work in wireless," Kelly says. Finding a balance between giving people the services they want and making money without violating customers' privacy is one of the hardest aspects of his job, Kelly adds.

And it's an aspect best not left to the lawyers, says Ray Everett-Church, CEO of consulting firm PrivacyClue.com LLC. Everett-Church, himself the former CPO of now-defunct online-ad firm AllAdvantage.com Inc., says balancing those needs calls for creativity.

"Legal departments aren't there to be creative," he says. "Chief privacy officers can come up with solutions that meet privacy needs and business needs." One of the most vexing challenges Everett-Church says he faced at AllAdvantage, was trying to combine consumer information with marketing plans, "without giving third-party marketers free rein of your information. There were certain marketing projects you couldn't do without using or sharing consumer information."

AllAdvantage enacted strict limits on third-party access to its customer data and used anonymizing features and aggregated content to target ads without revealing identifying information. In some cases, Everett-Church says, the marketing department was prevented from sharing consumer data that otherwise could have been used to sell credit accounts and other products that consumers wanted. Rather than getting hung up on the limitations, he says, AllAdvantage focused on the products it could offer consumers without violating their privacy.

Privacy policies that strong surprise or even shock some execs. In fact, CPOs increasingly have the authority to veto or restructure projects.

At Equifax Inc., says CPO John Ford, "The product developers and marketers are attuned to the need to get the blessing of the privacy officer before presenting a business case." Credit-reporting companies like Equifax still bear the singes of consumer backlash a few years back when they were accused of broadly sharing erroneous personal information.

Developers and marketers, Ford says, "recognize my function not as a compliance officer or privacy police, but as a value-add contributor, because building privacy into our products gives us a competitive advantage."

Equifax, which handles the personal data of 200 million people in the United States, appointed Ford its first CPO about two months ago. The company puts each new product through an internal privacy audit before it is launched.

But whereas Ford is at pains to emphasize cooperation over rigid compliance, Jules Polonetsky, DoubleClick's CPO, has no problem with flashing his badge.

"There needs to be a policeman to make sure that businesspeople, whose motivation is revenue, have a figure looking over their shoulders to make sure they follow the proper path." If Polonetsky sounds like something of a crusader, that's because he is. Prior to joining DoubleClick last year, he was the city of New York's consumer-affairs commissioner. And Polonetsky reports directly to DoubleClick's board.

What impact does the chief privacy officer have on your company's bottom line? Blocks revenue-generating projects Saves the company money on litigation Has little noticeable impact

"I'm not focused on revenue and I don't report to someone who has to meet revenue targets, which gives me a freer conscience to tell the businesspeople they can't do what they want to do unless they jump through hoops," he says. DoubleClick has, in fact, turned down revenue-generating opportunities that he deemed violated the company's privacy policies, he says.

A lot of companies might have smoked someone with Polonetsky's brassy demeanor by now, but it was DoubleClick that a year ago was tied to the whipping post by consumer advocates for a plan to link names to the data it collects about Web-browsing activities in order to deliver more-targeted ads.

DoubleClick ceased to do business with 50 to 60 of its customers last month for having insufficient privacy policies. Polonetsky says he's sure that decision cost DoubleClick some money, but "It's the chief privacy officers' job to help companies make hard decisions that will be good for the company in the long run, even if it is costly in the short term."

(Hiring Polonetsky doesn't get the company out of the doghouse entirely, though. California attorney Ira Rothken is filing a class-action lawsuit against DoubleClick for violating consumer privacy rights. "DoubleClick has a conflict of interest," Rothken says. "Having a chief privacy officer is an appeasement to show they are doing things to protect peoples privacy, but they're still trying to make as much money as they can off of the private information they acquire. The manner in which DoubleClick is operating is inherently flawed.")

Assuming a company has hired a CPO to really root out privacy policies that unnecessarily toy with consumer privacy, it's best to create a tight alliance with that person. The upside of the relationship can be smoother product rollouts with fewer downstream privacy headaches. The alternative, of course, is to fight self-policing and invite Uncle Sam to step in as CPO.