Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Several weeks ago, a series of posts I shared on LinkedIn that mapped six different privacy career paths received inspiring response. The posts drew hundreds of comments and messages, many deeply personal. Some wrote from the very beginning of their journeys and others from mid-career inflection points. Senior leaders reflected on routes they never could have predicted.
Two observations have stayed with me. First, privacy careers rarely move in a straight line. They branch, loop and intersect. Second, clarifying different paths can help. Once people saw the paths named, many wrote they already sensed where they belonged. What they needed was a way to describe it and encouragement to act.
My original posts focused on privacy legal, privacy operations, privacy technology, consulting, leadership and privacy as a springboard to broader roles like artificial intelligence governance. As I reflected further, I realized there were at least two other areas I hadn't clearly named: advocacy and nonprofit roles and regulatory or public service work. Together, the roles form a map of sorts.
The most useful way to read it is not by organizational box but by the primary outcome of the work. Three outcomes explain most privacy careers that directly serve a company: make it defensible, make it durable and make it work in systems.
Privacy legal: Making privacy defensible
Privacy legal work anchors how an organization interprets and applies the rules. Those of us with experience in this area know it is far more than analyzing statutes or drafting clauses. The deep work is helping the company choose a path when the answers are not clear in a way that can withstand scrutiny and allow the business to still move forward.
In-house counsel often carries the broadest tasks. A single week can include reviewing a product launch, negotiating vendor terms, advising on marketing practices, and preparing a response to a regulator. The pace can feel unrelenting. The value lies in knowing when the law leaves room for judgment, when it does not, and how to translate dense requirements into accessible guidance people can use.
Law firm practice has a different cadence and focus. At global firms, for example, privacy lawyers often handle breach response, litigation support, cross-border transfers, or complex advice on emerging rules and regulations. The matters tend to be fast moving.
Boutique firms and solo practices can be much more focused. Many colleagues in this space often work at closer range with clients and have built deep expertise in areas such as advertising technology, children's privacy, or health data.
There is also a public service branch. Lawyers at supervisory authorities, state attorneys general, or agencies such as the U.S. Federal Trade Commission investigate, enforce, publish guidance, and defend remedies in court. Their decisions shape expectations across entire industries.
Who thrives here. People who can hold the tension between the desire to be precise and the need for pragmatism. They are comfortable saying, "The law does not answer this directly, but here are three defensible ways forward." They gain energy from writing that can stand up to scrutiny and from advising leaders when decisions must be made without perfect clarity.
Privacy operations: Making privacy durable
Privacy operations are where commitments are put into practice. Policies and promises must be translated into maintainable business processes, ideally those that can scale.
The work demands an unusual blend. You might read a requirement but then must decide who does what, when it happens, and what record shows it was done. You may find yourself designing procedures to ensure that nothing disappears between legal, IT, and product teams. You know that sustainability depends on ownership and records. The work might not always be glamorous, but it is what makes a program defensible.
Who thrives here. Professionals who take satisfaction in order and reliability. My former boss used to talk about people who had a "high tolerance for tedium." In my experience, these people are gold. They are at ease translating broad rules into repeatable steps and ensuring those steps actually happen. They enjoy working across teams, giving just enough context so colleagues can do their part without being overwhelmed. The reward is seeing a process hold up under pressure with evidence ready when questions arise.
Privacy technology: Making privacy work in systems
When people hear "privacy technology," they often picture endless vendor sales calls or specialists buried in IT tickets. Both miss what makes this path compelling. Technology has become one of the most dynamic and rewarding areas in privacy because it sits where regulatory expectations, business needs, and engineering realities meet.
The work is about evaluating platforms against obligations. Ideally, you integrate them with existing systems and data flows. You translate legal requirements into system behavior. You explain capabilities in plain language to colleagues who will only touch the tool when they must.
Vendor roles have become a powerful route into this outcome. After more than a decade running in-house programs, I joined a vendor and my perspective widened immediately. I saw patterns across industries, learned what actually helped organizations mature, and helped shape products still in use. Vendor work includes product management, customer success, solutions engineering, and strategy. Done well, it can influence how the field itself evolves.
In-house technology roles have a different depth. You become the internal expert who makes the stack work. You are called when a launch needs to be responsible or when regulators require evidence that systems do what the company says they do.
Who thrives here. People who like solving system-level puzzles. They are comfortable bridging regulatory language and engineering detail; they gain energy from making tools work in ways that will withstand real-world use and regulatory inquiry. They tend to enjoy conversations where they plainly explain technology to executives and practically clarify policy requirements to engineers.
Confidently choosing a path
These three outcomes describe much of the day-to-day work that delivers privacy for a company. Many professionals blend elements of all three. A follow-up article will explore outcomes that shape the broader ecosystem: consulting, enterprise leadership, advocacy and nonprofit work, regulatory and public service work, and the cross-cutting rise of AI governance.
The goal is not to put yourself in a box, but to offer a clearer map so you can affirm the path you are on or choose a different one with confidence.
Teresa Troester-Falk, CIPP/US, is the CEO and founder of BlueSky Privacy.
