IAPP-GDPR Web Banners-300x250-FINAL

By Angelique Carson, CIPP/US

Today, it would be remiss to say that the privacy profession is anything but flourishing. Companies are increasingly hiring privacy officers and even elevating them to C-suite positions; the European Commission has proposed a statute in its amended data protection framework that would require data protection officers at certain organizations, and, at the IAPP, membership recently hit 10,000 worldwide.

But it's only in recent years that the need for privacy professionals has gained mainstream recognition. About a decade ago, privacy professional Jules Polonetsky, CIPP/US, recalls, one news publication--jabbing at the job titles dot-com's were coming up with--compared the title of "chief privacy officer" to "chief ninja."

"I remember the sarcasm," Polonetsky says. "They poked fun at what they thought would be an ethereal title."

But a firestorm surrounding one company's data collection practices put a spotlight on both privacy and the professionals tasked with protecting it, and out of that came a team of seasoned privacy pros who lived to tell the story.

Just over 10 years ago, Internet advertising agency DoubleClick announced that it would acquire direct marketing services company Abacus. The announcement incited criticism from privacy advocates and resulted in investigations by multiple federal and state agencies and litigators. Critics claimed the merger violated consumer privacy since it would allow for the combination of DoubleClick's data on users' online browsing habits with Abacus's database of consumers' offline personally identifiable information, such as names, addresses, ages and shopping habits.

One of those critics was the Electronic Privacy Information Center (EPIC), which filed a complaint with the Federal Trade Commission (FTC) in February 2000 alleging that DoubleClick engaged in "unfair and deceptive trade practices." EPIC called for the company to delete data it had collected from Internet users without their permission. DoubleClick's privacy policy at the time of the Abacus merger stated that it would not link the online and offline information, but a revised privacy policy soon retracted that claim.

In the heat of the firestorm, DoubleClick took action, hiring Polonetsky as its chief privacy officer and establishing a privacy advisory board. Polonetsky came to DoubleClick from his post as commissioner at New York City's Department of Consumer Affairs. He remembers the time period as one of both rapid change and success.

DoubleClick, Polonetsky says, believed it was truly providing value in helping pioneer Internet advertising, allowing websites to support cost-free content and helping advertisers transition into the digital age.

But the backlash that followed was unprecedented. It prompted a new look at privacy and the ways companies handled customer data.

It also carved out some career paths.

In fact, the team members Polonetsky assembled would become among the first and most high-profile privacy pros in the country as the media descended on the DoubleClick controversy and prodded for interviews with those on the front lines.

One of them was Nuala O'Connor Kelly, CIPP/US, CIPP/G, now chief privacy leader at GE, who came to DoubleClick in December of 2000 to serve as its first privacy counsel and then on Polonetsky's team. Elise Berkower would soon follow Polonetsky's path from the New York City Department of Consumer Affairs, where she worked as director of adjudication, to DoubleClick as a compliance officer.

Berkower says working in the privacy field at that time meant you were in a pretty small category and often circling around the same people. In fact, she calls DoubleClick the Kevin Bacon of companies--in reference to the small-world phenomenon that any Hollywood actor can be linked to Kevin Bacon within six degrees.

"You either worked there or you know someone who did," Berkower says.

Berkower arrived at DoubleClick shortly after O'Connor Kelly and was charged with checking all websites involved with online behavioral advertising and creating nonidentifiable profiles in order to retarget ads to them. She was also responsible for ensuring that websites' privacy policies complied. Brooks Dobbs would join as the company's technologist.

"There was a lot of pressure because we had to be ready for the audit, which was three or four months away," Berkower says. The first review was conducted by PricewaterhouseCoopers. Two additional audits were conducted by KPMG and two by Ernst and Young.

Dobbs was tasked with mapping personal identity information to the DoubleClick cookie and understanding who saw which ads. He'd been working in the online advertising business since 1994 and says, then, "we never considered that privacy would be an issue."

Arriving at DoubleClick, he says, he realized that the company had landed itself in the middle of a big issue.

"Once I got in there, I realized there's still sort of a dearth of understanding of where policy intersects with technical realities," he says.

For this early crew, it was a nerve-wracking time to blaze a trail.

During O'Connor Kelly's first three weeks at the company, she says, the FTC began an investigation, 21 class actions were filed and 12 attorney general investigations were launched.

"It was definitely the cutting-edge privacy and technology issue at that time," she says of the DoubleClick/Abacus investigation.

Adding to the intensity of the multiple investigations was the fact the case was unprecedented. There was no case law on the books or FTC decisions on privacy to turn to for guidance, O'Connor Kelly says. In fact, DoubleClick is listed as the first one.

"And it was a really pivotal time for Internet and e-commerce and privacy issues in particular--one that kind of brought privacy and data usage and handling into a much wider audience," she says. "I will be really candid when I say we were making some of this up as we went along. To a certain extent, in the really early days, privacy officers were flying by the seats of our pants."

 "These certainly were regulatory novel issues and new technological ideas that continued to be challenging to try to figure out how to deal with in a responsible way," Polonetsky agrees. "I certainly didn't know a great deal about privacy or data protection."

Berkower says, "The learning curve was very steep and the time was very short."

"We lived every day with an unexpected privacy scandal that someone was alleging or accusing," Polonetsky says. "From front-page stories about the White House being accused of having DoubleClick cookies tied to a campaign related to teaching teens about drugs to 60 Minutes stories to new class actions and lawsuits."

But the payoff for any privacy professional engaged in front-line issues like his team at DoubleClick faced, he says, is that "it can be a huge opportunity for a savvy CPO to get what he needs done accomplished."

"I think it was a crisis opportunity, and taking advantage of a crisis to really get the policies and people in place is how we were able to assemble a good team of people, and I think that's some of the lesson for other crises. Individuals dealing with the response need to strike while the iron is hot, whereas in non-crises situations, it can take time and convincing to get the right policies and people in place," Polonetsky says.

The FTC eventually would close its DoubleClick investigation, ruling that the company had not violated its privacy policy.

"I remember when we got the letter that the case had been closed," O'Connor Kelly says. "What an exciting time."

And in the meantime, she adds, a new profession was born.

"I think the takeaway for me is that it helped me be a part of a team that built the structure of privacy, which is something I've replicated almost everywhere I've been."

What's next?

Dobbs says it will be interesting to see where the issue at the heart of the DoubleClick controversy ends up.

"We're 10 years into it, but as a business model, it's sort of ancient," he says. "We haven't figured out how to make money doing this, and there's this battle on the one side to create an advertising mechanism that generates enough utility to pay for expensive content, and on the other side, there's this growing unease about the data that's being collected. And those are pushing in opposite directions."

He says the question will become "do you, consumer, want to start giving up more data about yourself and get content for free? Or, alternatively, are you going to be part of the tragedy of the commons and exert your right to not permit data collection, and eventually run the pumps dry?"

Polonetsky says that over the years, his opinions on privacy have continued to evolve, but they've always centered around one core principle.

"Are you treating people fairly here? Because it's about treating people really well," he says. "If you want to make money doing things for people, treat them really well."


If you want to comment on this post, you need to login.


Related Posts


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»