Chief Privacy Officers

Navigating Evolving Risks and Concerns

When Karen Zacharia started in the role of chief privacy officer at telecom and internet giant Verizon back in 2011, the job involved dealing with what today might seem like mundane, routine issues, such as complying with a newly minted FCC requirement that telecommunications carriers inform customers of “significant account changes,” like password resets, in light of a number of cases where pretexters were able to get sensitive consumer information.

If only things were still so straightforward. In recent years, thanks to increasing concern about the amount of consumer personal data being collected and used by companies and the pressure of increasingly stringent government regulation, the Stanford Law School graduate’s job has evolved and expanded dramatically in scope. Zacharia, JD ’84, has to ensure that Verizon employees are trained to comply with the nuances of the California Consumer Privacy Act, a sweeping privacy statute enacted in January 2020 that has set the bar in the U.S. for privacy issues, and to anticipate the potential impact of similar measures under consideration in other states. She is also responsible for Verizon’s compliance with privacy laws around the globe, including the EU’s General Data Protection Regulation (GDPR). An important function of Zacharia’s role is evaluating new products and services under development to determine and address the privacy issues, as well as providing legal advice on cybersecurity measures. 

“The technology keeps changing, which is part of why the job and the way both companies and individuals think about it has to change,” she explains.

Like Zacharia, other Stanford Law graduates who serve as chief privacy officers at major companies are grappling with issues of daunting complexity and growing urgency. While the specific duties and issues they confront vary from company to company and industry to industry, they share a common objective: finding ways to protect consumers and achieve legal compliance while still enabling companies to innovate and grow.

Illustration by Polly Becker

Though companies began hiring CPOs several decades ago, the job has grown in importance since then, according to Jennifer King, director of consumer privacy at Stanford Law School’s Center for Internet and Society. “When those roles were created, they often would answer to the general counsel or even lower down the food chain,” she explains. Today, in contrast, “in some businesses where data is front and center, they’ve become VPs, answerable to the CEO.”

Increasingly, she notes, CPOs are called upon to supervise “privacy by design,” in which they have early and continual input in the product R&D process, so that potential privacy issues are identified and remedied before they turn into costly problems. While often that means a formal privacy impact assessment, “sometimes, someone will call just to chat about a concept,” says Ruby Zefo, JD ’93, CPO for Uber. “You really want privacy to be baked in at the start, rather than clamped on later. If you integrate and influence along the way, it makes the design more elegant.” In addition to cost savings, she says, building privacy into the design raises consumer appeal, “because who wants a data-leaky product?”

Another challenge for CPOs is crafting corporate privacy notices that consumers can understand, while still meeting legal requirements. “People blame the lawyers for the notices, but don’t bring out the torches and the pitchforks, because we hate writing them as much as they hate reading them,” Zefo says. One solution is to offer a summary in non-legal language to go with the official notice, she explains.

Anna Zeiter, LLM ’14, CPO for eBay, has added challenges in her job because she also serves as the global e-commerce company’s data protection officer, a role mandated by Europe’s GDPR, which took effect in May 2018. In the CPO role, she is responsible for implementing the company’s privacy program and keeping it in compliance with emerging privacy laws in the U.S. and elsewhere across the world. That could involve monitoring legislative developments in states such as California, where a second privacy referendum is under consideration, and Washington, where a proposed privacy statute didn’t gain enough support to pass. She’s also tracking the evolution of privacy regulation in countries ranging from Brazil to China.

Meanwhile, as DPO in Europe, Zeiter must act as an advocate for consumers’ interests, with the duty of reporting possible privacy law violations to regulators. “During day-to-day work, I mostly act as the CPO, but sometimes, as DPO I have to say ‘this is not in line with privacy requirements and you cannot do it,’ ” she explains.

One advantage of holding both positions is that European law requires the DPO to have access to the top levels of corporate leadership. That means that Zeiter regularly briefs the board of eBay’s European operation, which increases her influence as CPO as well. As a result, “privacy has more visibility,” she says. “This is good for users and for the company.”

Governments also gather and maintain sensitive personal data, and some are beginning to appoint chief privacy officers as well. Alex Alben, JD ’84 (BA ’80), who served as Washington state’s first chief privacy officer from 2015 to 2019 (one of the first in the country), developed a modeling application that helped state agencies embed privacy protections into their work. He describes his former post as broadly defined, with responsibility for everything from protecting voluminous amounts of health data and footage from police body cameras to evaluating privacy issues surrounding state use of monitored and autonomous vehicles.

“In the national discussion about privacy, the tendency is to focus upon the federal government,” Alben explains. “But states actually have far more information on people, because of the services they provide, ranging from driver’s licenses to property tax data. This creates a huge data governance issue. The state agencies need personal data to deliver services, but the question is how to keep that data safe and define the rules of how it can be copied, processed, and shared.”

In the U.S., the California Consumer Privacy Act is expected to exert a powerful influence, since companies that want to do business in the nation’s biggest market will have to comply—regardless of the company’s actual location. It thus raises the bar for the whole country. The new law gives the state’s consumers the right to know what information about them is being collected, used, and sold and guarantees them the right to delete personal information and direct a company not to sell it.

King says that California’s new law has “really forced companies to assess their privacy practice and account for what they’re doing with people’s data.” But compliance is a work in progress, with considerable variation in how companies respond to consumer requests for the data that’s been collected about them. “One person got back a spreadsheet with 90,000 page turns on Kindle,” she notes. “How does that give you knowledge that you can act upon?” Additionally, the law leaves it up to consumers to figure out whether companies have their data and to make a do-not-sell request. Eventually, she believes, privacy laws will need to evolve so that they require companies to be proactive about disclosing data collection and seeking permission to sell the information.

If numerous states pass their own privacy laws, each with varying requirements, it could become increasingly difficult for companies to comply with them all. “You could live in one state, and buy something from a company based in another state, but the warehouse might be in a third state,” Zacharia explains. In those instances, she says, it’s not entirely clear which state’s laws would apply to the data that’s generated.

For that reason, Zacharia says Verizon favors Congress enacting a comprehensive federal privacy regimen that would be clearer to follow. Additionally, she argues for a consistent privacy standard that would apply to all businesses and industries and types of data.

It seems likely that privacy will become an even more complex issue as emerging technologies such as facial recognition raise new concerns among consumers. That could require chief privacy officers to play an even more integral role in companies’ strategies.