By Angelique Carson, CIPP/US

Today, it would be remiss to say that the privacy profession is anything but flourishing. Companies are increasingly hiring privacy officers and even elevating them to C-suite positions; the European Commission has proposed a statute in its amended data protection framework that would require data protection officers at certain organizations, and, at the IAPP, membership recently hit 10,000 worldwide.

But it's only in recent years that the need for privacy professionals has gained mainstream recognition. About a decade ago, privacy professional Jules Polonetsky, CIPP/US, recalls, one news publication--jabbing at the job titles dot-com's were coming up with--compared the title of "chief privacy officer" to "chief ninja."

"I remember the sarcasm," Polonetsky says. "They poked fun at what they thought would be an ethereal title."

But a firestorm surrounding one company's data collection practices put a spotlight on both privacy and the professionals tasked with protecting it, and out of that came a team of seasoned privacy pros who lived to tell the story.

Just over 10 years ago, Internet advertising agency DoubleClick announced that it would acquire direct marketing services company Abacus. The announcement incited criticism from privacy advocates and resulted in investigations by multiple federal and state agencies and litigators. Critics claimed the merger violated consumer privacy since it would allow for the combination of DoubleClick's data on users' online browsing habits with Abacus's database of consumers' offline personally identifiable information, such as names, addresses, ages and shopping habits.

One of those critics was the Electronic Privacy Information Center (EPIC), which filed a complaint with the Federal Trade Commission (FTC) in February 2000 alleging that DoubleClick engaged in "unfair and deceptive trade practices." EPIC called for the company to delete data it had collected from Internet users without their permission. DoubleClick's privacy policy at the time of the Abacus merger stated that it would not link the online and offline information, but a revised privacy policy soon retracted that claim.

In the heat of the firestorm, DoubleClick took action, hiring Polonetsky as its chief privacy officer and establishing a privacy advisory board. Polonetsky came to DoubleClick from his post as commissioner at New York City's Department of Consumer Affairs. He remembers the time period as one of both rapid change and success.

DoubleClick, Polonetsky says, believed it was truly providing value in helping pioneer Internet advertising, allowing websites to support cost-free content and helping advertisers transition into the digital age.

But the backlash that followed was unprecedented. It prompted a new look at privacy and the ways companies handled customer data.

It also carved out some career paths.

In fact, the team members Polonetsky assembled would become among the first and most high-profile privacy pros in the country as the media descended on the DoubleClick controversy and prodded for interviews with those on the front lines.

One of them was Nuala O'Connor Kelly, CIPP/US, CIPP/G, now chief privacy leader at GE, who came to DoubleClick in December of 2000 to serve as its first privacy counsel and then on Polonetsky's team. Elise Berkower would soon follow Polonetsky's path from the New York City Department of Consumer Affairs, where she worked as director of adjudication, to DoubleClick as a compliance officer.

Berkower says working in the privacy field at that time meant you were in a pretty small category and often circling around the same people. In fact, she calls DoubleClick the Kevin Bacon of companies--in reference to the small-world phenomenon that any Hollywood actor can be linked to Kevin Bacon within six degrees.

"You either worked there or you know someone who did," Berkower says.

Berkower arrived at DoubleClick shortly after O'Connor Kelly and was charged with checking all websites involved with online behavioral advertising and creating nonidentifiable profiles in order to retarget ads to them. She was also responsible for ensuring that websites' privacy policies complied. Brooks Dobbs would join as the company's technologist.

"There was a lot of pressure because we had to be ready for the audit, which was three or four months away," Berkower says. The first review was conducted by PricewaterhouseCoopers. Two additional audits were conducted by KPMG and two by Ernst and Young.

Dobbs was tasked with mapping personal identity information to the DoubleClick cookie and understanding who saw which ads. He'd been working in the online advertising business since 1994 and says, then, "we never considered that privacy would be an issue."

Arriving at DoubleClick, he says, he realized that the company had landed itself in the middle of a big issue.

"Once I got in there, I realized there's still sort of a dearth of understanding of where policy intersects with technical realities," he says.

For this early crew, it was a nerve-wracking time to blaze a trail.

During O'Connor Kelly's first three weeks at the company, she says, the FTC began an investigation, 21 class actions were filed and 12 attorney general investigations were launched.

"It was definitely the cutting-edge privacy and technology issue at that time," she says of the DoubleClick/Abacus investigation.

Adding to the intensity of the multiple investigations was the fact the case was unprecedented. There was no case law on the books or FTC decisions on privacy to turn to for guidance, O'Connor Kelly says. In fact, DoubleClick is listed as the first one.

"And it was a really pivotal time for Internet and e-commerce and privacy issues in particular--one that kind of brought privacy and data usage and handling into a much wider audience," she says. "I will be really candid when I say we were making some of this up as we went along. To a certain extent, in the really early days, privacy officers were flying by the seats of our pants."

 "These certainly were regulatory novel issues and new technological ideas that continued to be challenging to try to figure out how to deal with in a responsible way," Polonetsky agrees. "I certainly didn't know a great deal about privacy or data protection."

Berkower says, "The learning curve was very steep and the time was very short."

"We lived every day with an unexpected privacy scandal that someone was alleging or accusing," Polonetsky says. "From front-page stories about the White House being accused of having DoubleClick cookies tied to a campaign related to teaching teens about drugs to 60 Minutes stories to new class actions and lawsuits."

But the payoff for any privacy professional engaged in front-line issues like his team at DoubleClick faced, he says, is that "it can be a huge opportunity for a savvy CPO to get what he needs done accomplished."

"I think it was a crisis opportunity, and taking advantage of a crisis to really get the policies and people in place is how we were able to assemble a good team of people, and I think that's some of the lesson for other crises. Individuals dealing with the response need to strike while the iron is hot, whereas in non-crises situations, it can take time and convincing to get the right policies and people in place," Polonetsky says.

The FTC eventually would close its DoubleClick investigation, ruling that the company had not violated its privacy policy.

"I remember when we got the letter that the case had been closed," O'Connor Kelly says. "What an exciting time."

And in the meantime, she adds, a new profession was born.

"I think the takeaway for me is that it helped me be a part of a team that built the structure of privacy, which is something I've replicated almost everywhere I've been."

What's next?

Dobbs says it will be interesting to see where the issue at the heart of the DoubleClick controversy ends up.

"We're 10 years into it, but as a business model, it's sort of ancient," he says. "We haven't figured out how to make money doing this, and there's this battle on the one side to create an advertising mechanism that generates enough utility to pay for expensive content, and on the other side, there's this growing unease about the data that's being collected. And those are pushing in opposite directions."

He says the question will become "do you, consumer, want to start giving up more data about yourself and get content for free? Or, alternatively, are you going to be part of the tragedy of the commons and exert your right to not permit data collection, and eventually run the pumps dry?"

Polonetsky says that over the years, his opinions on privacy have continued to evolve, but they've always centered around one core principle.

"Are you treating people fairly here? Because it's about treating people really well," he says. "If you want to make money doing things for people, treat them really well."


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities. Early Bird ends TODAY.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»