The recent film "Privacy People" provides a retrospective of the privacy profession and the historic emergence of the chief privacy officer role. At one point, the film notes there have been many technologies that came with a pronouncement that "privacy is dead" — and each time they were proven wrong.
We fully agree privacy is not dead and, if anything, is more important than ever in a world of ubiquitous monitoring and data collection.
Last year, following several widely publicized moves to eliminate chief privacy officers at some of the leading technology companies, articles started to appear with titles such as "Privacy Chiefs Vanish From C-Suites as Data Threats Surge" and "Is the Chief Privacy Officer Role Dead?"
We believe the time has come to ask a more provocative question — is the "privacy pro" role dead?
The great convergence
Almost 20 years ago, in 2007, the IAPP ran a contest among its nascent membership to define a "privacy pro" in 75 words or less. The submission from Orrie Dinstein, co-author of this article, won and was memorialized on the back of shirts that were handed out.
It stated a privacy pro is "a leader who understands the technical, legal and operational aspects of gathering, handling, and securing personal data, and who can establish and maintain a comprehensive strategic vision for handling all personal data of employees, customers and suppliers of an organization in a manner that is legal, secure and ethical, from the point of acquisition through the point of disposition, thereby gaining public trust in the organization's role as custodian of such data."
At first blush, this is clearly a role that is still very much needed. And yet, there are growing signs it is under stress. In the cases noted earlier where CPO roles were eliminated, or downgraded, it seems the driver was a decision to merge the privacy program into a broader data-driven program — such as data governance or artificial intelligence — or even into a broader risk or compliance program.
This "digital entropy" trend has been noted by the IAPP, which in 2024 announced a change to its mission statement stating that going forward it will be "to define, promote and improve the professions of privacy, AI governance and digital responsibility globally."
The emergence of AI and the ever-expanding hunger for data to train large language models has made it more clear than ever that data has tremendous value and needs to be tackled holistically, and that personal data cannot be managed on its own given that it doesn't live in isolation from the broader data universe.
AI has also been an interesting development for the privacy profession. Privacy professionals have historically been the closest to the technology teams and the ones best positioned to assess data risks. By working for years to build processes for privacy risk assessments, as required under many privacy laws, privacy pros have the existing pathway to easily expand our remit to assess risks related to broader data uses, including AI.
The title shift
This new focus on data, rather than personal data, and the addition of AI responsibilities to the job of many privacy pros has triggered a rush to add AI to privacy titles. The Organizational Digital Governance Report 2025 highlights this re-titling trend. What it also highlights is a desire to remove the word privacy from titles.
The desire to shift from "privacy" may be driven by a desire to highlight the trendier AI work, perhaps in an effort to appear more relevant to the business. It may also be driven by a fear that being a privacy professional may make one seem obsolete or no longer relevant in a data-driven world where "privacy" is a small part of the puzzle.
This trend is actually discernible in the privacy job marketplace. It seems that it isn't simply a passing title fad, rather it's a pattern emerging clearly in hiring signals and compensation architecture. When you follow job specs, reporting lines, and pay premiums, distinct trends emerge that show how the market is redefining the work.
Market data and the kitchen sink effect
The first trend is clear in both compensation data and role architecture. The JW Michaels 2025 Privacy (Legal) Market Compensation Guide shows that the overwhelming majority of CPO roles have moved beyond traditional privacy compliance to encompass AI governance, data ethics, cybersecurity and product strategy.
The market is rewarding this expansion: roles with broader mandates command 25–30% higher compensation than traditional privacy-focused positions, with that premium reaching 35% or more at large public companies with global scope. Organizationally, CPOs now predominantly report to the general counsel, and in smaller organizations, roles are merging entirely — the general counsel emerging from CPO ranks, or the CPO ascending into the general counsel role.
This isn't a demotion of the privacy function; it's an integration into the highest levels of legal and risk strategy.
The situation creates what some call the "kitchen sink problem." The CPO title has become a catch-all that no longer accurately describes what these professionals actually do, and as a result, companies tack on word salad. There's no consistency in title variations. Every organization creates its own combination of privacy, cybersecurity, data, AI, ethics and governance — and sometimes also things like e-discovery and sourcing — in different configurations.
When a title can mean everything, it effectively means nothing. The market has moved on from "chief privacy officer" even as many organizations cling to the label, creating a disconnect between the title on the business card and the actual scope of strategic responsibility.
This trend extends throughout the privacy career ladder. This year marks the first time "counsel" roles are reporting higher compensation than "privacy counsel" roles — a signal that professionals are being promoted out of privacy-specific positions into broader remits like business unit counsel, commercial counsel, or product counsel, where privacy becomes just one responsibility among several.
The market is clear: broader contribution commands higher compensation.
Mandate shift to data enablement, not just risk mitigation
The second trend is that the day-to-day work of privacy pros has fundamentally changed. Privacy assessments that once focused solely on "can we do this legally?" now evaluate data opportunity cost — what value are we leaving on the table by not using this data, and how do we unlock it responsibly? The function is shifting from gatekeeper to strategic partner, from saying "no" to saying "here's how."
This shift explains why privacy roles are merging into or adding responsibilities akin to chief data officer and vice president of responsible AI positions. These aren't lateral moves — they're recognitions that the professional who can enable data use safely is more valuable than one who simply flags compliance risks. The market has moved from a defensive posture — enterprise-wide risk mitigation — to an offensive one: privacy as the foundation for competitive advantage through responsible innovation.
Speaking board: The business case imperative
The third trend is that candidates for positions at the top of the privacy career ladder must "speak board of directors." Boards don't care about privacy as an abstract principle — they care about concepts such as shareholder value, return on investment, cost of inaction, risk mitigation, and profit and loss impact.
The equation is straightforward: the value your program returns, financial and nonfinancial, must exceed its total cost. Financial returns are direct: avoiding regulatory fines, reducing breach remediation costs, accelerating product launches through proactive privacy design. Nonfinancial returns are equally tangible: brand trust translates to customer acquisition and retention; regulatory resilience means operational continuity when competitors face enforcement; license to operate enables market expansion into privacy-sensitive jurisdictions.
This reframing isn't about abandoning privacy principles, it's about demonstrating that strong privacy creates shareholder value. The professional who can build a business case showing how a USD1 million privacy program generates multiples of value through reduced legal risk, faster innovation cycles, and enhanced customer trust, will thrive. The one who can only cite compliance wins, will not. This means privacy pros who can make this case position themselves as strategic partners in building a more resilient and valuable enterprise. That's the future of the role, regardless of what it's called.
'I'm not dead yet'
What's unresolved is where this ultimately lands. Privacy is here to stay, and there will still be CPOs and privacy pros — at least for a while as this trend plays out. As the market has not yet converged on what the modern privacy role is at this juncture, titles will remain inconsistent and responsibilities will continue to sprawl. There's clearly a reality on the ground that is creating new facts, and there's a perception of that reality which may create yet another set of facts.
Perhaps just as importantly, do privacy pros need to be called such in order to engage in protecting privacy? Or can they be an AI, data governance, risk or compliance pro who is charged with a variety of data-related responsibilities — privacy being one of them — to be just as effective in assuming the responsibility for protecting privacy?
The sooner we can answer these questions and find a way to define the role of the modern privacy pro, the better it will be for the profession. Perhaps it's time for a new IAPP contest.
Orrie Dinstein, CIPP/US, is the global chief privacy officer of Marsh, formerly known as Marsh McLennan.
Lawrence Brown is senior vice president, legal, at JW Michaels & Co.
