Chief Privacy Officers Shouldn’t Be The Last To Know

CMOvsCPOChief marketing officers and chief privacy officers have very different ways of looking at the world.

“Are there any marketing folks in the room?” asked security professional Aubrey Turner, addressing roughly 50 privacy pros at an International Association of Privacy Professionals conference in Washington, DC, on Tuesday.

No hands went up.

“Good – because I’m going to pick on them for a minute,” said Turner, who serves as director of strategic solutions for identity access management at Optiv Security, a cybersecurity solutions provider.

The tension derives from opposed priorities around data collection, access, management and use.

“I’m not knocking the marketing team – they have to do what they have to do – but they’re building first and thinking about the implications second, and we’re not often part of that conversation,” Turner said. “The information they’re collecting … may be sensitive and they might be sharing it with third parties. The risk to exposure is there and we need to understand it.”

That’s not to say that marketers don’t care about consumer privacy, but CPOs often find that they’re not being consulted about marketing’s decisions, especially around data.

An educational session about online behavioral advertising in financial services called “Wait, Marketing Wants to Do What?” should have been called “Wait, Marketing Did What?” quipped Jamie Rubin, a partner at InfoGroup LLP, which focuses on privacy, data security, ecommerce and information technology.

But data collection, especially for cross-device profile building, has already become inextricably interwoven with the debate around consumer privacy.

While a recently released cybersecurity report from the George Institute of Technology highlights that “businesses are driven to collect more data on consumers to improve operations and lead generation, posing a significant risk to privacy,” the 2015 Edelman Trust Barometer found that 54% of consumers cite “greed” and “money” as the two main motivators behind business innovation.

According to Nielsen’s most recent “Global Trust in Advertising” report, digital advertising brings up the rear in terms of trust, behind television, print, radio, billboards, movie trailers and even product placements in TV shows.

It’s perhaps understandable, considering the origin story of the now famous case of Target knowing a teenage girl was pregnant before her dad did by sending a mailer to her home full of baby-related items like cribs and diapers.

Andrew Pole, the statistician who cracked the code on Target’s pregnancy prediction algorithm, told The New York Times in 2012 that the original motivation came from the marketing department, when two colleagues popped by his desk to ask, “If we wanted to figure out if a customer is pregnant, even if she didn’t want us to know, can you do that?”

The marketing use case for Target’s pregnancy score is clear – sell more stuff and keep customers coming back to the store. But it’s a privacy quagmire.

“Look at the largest enterprises – GE or Walmart, for example – and think about the number of consumer identities they have,” Turner said.

Despite the perception that compliance is tedious or inhibits creativity or innovation in some way, it’s always better than having to mount a defense, said Michelle Cohen, a privacy lawyer at Ifrah Law LLC.

“My goal is to keep the client outside of litigation,” said Cohen, who joked that before being introduced to a client’s new CMO a while back, she was told by her client to “scare him.”

Because litigation is avoidable. “The way to do [it] is to have a fulsome consent policy, even though the marketing folks may not be all that excited about it,” Cohen said.

Although Cohen was referring in that instance to compliance with the Telephone Consumer Protection Act, the federal statute that limits robocalling and the use of autodialers, it’s a sentiment that rings true across the board.

Take it from Kristi Thompson, deputy division chief of the Federal Communication Commission’s Telecommunications Consumers Division enforcement bureau: “Sometimes people think compliance is boring, but the alternative is excitement – and legal excitement is expensive.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. Will Clayton [CIPP/US, CIPT, Marketing MBA]

    Marketers don’t attend IAPP events because we feel un-invited, un-supported, and often unwelcome. For all the good it does, the IAPP is extremely lawyer-heavy, and the focus remains on clean-up – and occasionally bashing marketing – rather than privacy-by-design. It does not have to be this way.

    There are really only three groups of people for whom your data has utility and needs privacy guidance:
    1. Providers: need the data to do their jobs; they are well covered by IAPP materials and programs by vertical and by geography (especially CIPM, CIPP)
    2. Bad Guys: want your data for nefarious purposes and IT must keep them out; this is where data breaches and other truly harmful incidents (direct monetary consequences to consumers) occur; IT is well-supported by IAPP materials and programs (especially CIPT)
    3. Marketers: use the data to responsibly build the business; this is where PR nightmares and other incidents occur; marketers are very poorly supported by IAPP – their resources are scattered through various materials and programs under headings other than ‘marketing’

    When addressing a full room about marketing privacy risks, the complete lack of marketers present should have been the first, main, and only question! I’ve been building privacy-compliant marketing platforms since P3P and DoubleClick-Abacus, using every resource available. I am not the only one.

    IAPP: We need to support marketers. We need to reach out to marketers and include them in the dialog so that this situation can get better. We need a Marketing Advisory Board, or a Marketing Certification, or some other way to acknowledge that, yes, marketing is close to a lot of privacy issues and needs to be involved from the ground up.

    How can I help?