Perhaps there is no better person to discuss the evolution of the privacy profession than Jennifer Barrett Glasgow (left). That's because she is widely considered to be the first-ever CPO and on the front lines today of an ongoing debate over internet privacy issues.
Two decades ago, Glasgow was tapped to create a privacy program at the marketing services firm Acxiom. At the time, Acxiom had just acquired a data company called InfoBase, which maintained a repository of customer intelligence that was gathered from public records and surveys for marketing purposes. Now in the market to sell data, company leaders quickly realized they had to learn how to do so appropriately, while also generating revenue.
“It was in 1991 that I was asked to look at this thing called privacy and what it meant to the company,” Glasgow recalls. “I started out thinking it would be a 12- to 18-month project to figure out what we should be doing. And here I am 20 years later, though it's a very different scope and scale.”
Many of the regulations with which the company must currently comply didn't exist even five years ago, she says. For a global firm, navigating the changing regulatory landscape requires a dedicated team of personnel and constant monitoring.
These days, the organization has a global privacy team of about 15 employees, organized geographically by region, focusing on the Americas, Europe, Asia-Pacific and Northern Africa. The group establishes policies based on regulations, recommendations and industry best practices. It also helps to roll out the policies across its individual lines of business, which are ultimately responsible for maintaining compliance.
The privacy department also functions as an internal auditor, conducting periodic compliance reviews, Glasgow explains. As the company considers acquiring new products, the team conducts impact assessments to ensure compliance with company policy can be achieved.
Besides the growth in federal and state regulations, one of the changes impacting Acxiom's privacy program is the surge of so-called passive data collection, Glasgow says.
When browsing the web for products or services, a cookie, or small data file, may be placed on a user's computer to allow advertising firms to silently track the URLs that user visits, as well as the date, time and duration of each visit. This data collection helps advertisers increase the effectiveness of their campaigns by serving consumers ads based on their preferences.
But, it has sparked an intense privacy debate that is currently playing out in Congress. A “do-not-track” bill, introduced in the U.S. Senate in May, would offer web users the option to prevent advertising and marketing companies from collecting information about their web-browsing activities.
The Do-Not-Track Online Act of 2011, introduced by Sen. Jay Rockefeller, D-W. Va., is widely supported by a number of U.S. privacy groups, including the American Civil Liberties Union and Electronic Frontier Foundation. Members of the online advertising community, however, argue that such a law would hamper innovation and say the industry's self-regulation of such advertising has been effective to date.
Ultimately, advertising firms, like all companies that collect sensitive information, are obligated to protect consumers' data and consider privacy issues in any new products and services they offer, Glasgow says. One of the questions privacy professionals must ask themselves is how much data stored on their networks is too much.
“There's no-one-size-fits-all answer, but you need to be thinking about that,” she says.