Privacy Advisor

DoubleClick: The privacy profession's incubator

April 1, 2012

By Angelique Carson, CIPP/US

Today, it would be remiss to say that the privacy profession is anything but flourishing. Companies are increasingly hiring privacy officers and even elevating them to C-suite positions; the European Commission has proposed a statute in its amended data protection framework that would require data protection officers at certain organizations, and, at the IAPP, membership recently hit 10,000 worldwide.

But it's only in recent years that the need for privacy professionals has gained mainstream recognition. About a decade ago, privacy professional Jules Polonetsky, CIPP/US, recalls, one news publication--jabbing at the job titles dot-com's were coming up with--compared the title of "chief privacy officer" to "chief ninja."

"I remember the sarcasm," Polonetsky says. "They poked fun at what they thought would be an ethereal title."

But a firestorm surrounding one company's data collection practices put a spotlight on both privacy and the professionals tasked with protecting it, and out of that came a team of seasoned privacy pros who lived to tell the story.

Just over 10 years ago, Internet advertising agency DoubleClick announced that it would acquire direct marketing services company Abacus. The announcement incited criticism from privacy advocates and resulted in investigations by multiple federal and state agencies and litigators. Critics claimed the merger violated consumer privacy since it would allow for the combination of DoubleClick's data on users' online browsing habits with Abacus's database of consumers' offline personally identifiable information, such as names, addresses, ages and shopping habits.

One of those critics was the Electronic Privacy Information Center (EPIC), which filed a complaint with the Federal Trade Commission (FTC) in February 2000 alleging that DoubleClick engaged in "unfair and deceptive trade practices." EPIC called for the company to delete data it had collected from Internet users without their permission. DoubleClick's privacy policy at the time of the Abacus merger stated that it would not link the online and offline information, but a revised privacy policy soon retracted that claim.

In the heat of the firestorm, DoubleClick took action, hiring Polonetsky as its chief privacy officer and establishing a privacy advisory board. Polonetsky came to DoubleClick from his post as commissioner at New York City's Department of Consumer Affairs. He remembers the time period as one of both rapid change and success.

DoubleClick, Polonetsky says, believed it was truly providing value in helping pioneer Internet advertising, allowing websites to support cost-free content and helping advertisers transition into the digital age.

But the backlash that followed was unprecedented. It prompted a new look at privacy and the ways companies handled customer data.

It also carved out some career paths.

In fact, the team members Polonetsky assembled would become among the first and most high-profile privacy pros in the country as the media descended on the DoubleClick controversy and prodded for interviews with those on the front lines.

One of them was Nuala O'Connor Kelly, CIPP/US, CIPP/G, now chief privacy leader at GE, who came to DoubleClick in December of 2000 to serve as its first privacy counsel and then on Polonetsky's team. Elise Berkower would soon follow Polonetsky's path from the New York City Department of Consumer Affairs, where she worked as director of adjudication, to DoubleClick as a compliance officer.

Berkower says working in the privacy field at that time meant you were in a pretty small category and often circling around the same people. In fact, she calls DoubleClick the Kevin Bacon of companies--in reference to the small-world phenomenon that any Hollywood actor can be linked to Kevin Bacon within six degrees.

"You either worked there or you know someone who did," Berkower says.

Berkower arrived at DoubleClick shortly after O'Connor Kelly and was charged with checking all websites involved with online behavioral advertising and creating nonidentifiable profiles in order to retarget ads to them. She was also responsible for ensuring that websites' privacy policies complied. Brooks Dobbs would join as the company's technologist.

"There was a lot of pressure because we had to be ready for the audit, which was three or four months away," Berkower says. The first review was conducted by PricewaterhouseCoopers. Two additional audits were conducted by KPMG and two by Ernst and Young.

Dobbs was tasked with mapping personal identity information to the DoubleClick cookie and understanding who saw which ads. He'd been working in the online advertising business since 1994 and says, then, "we never considered that privacy would be an issue."

Arriving at DoubleClick, he says, he realized that the company had landed itself in the middle of a big issue.

"Once I got in there, I realized there's still sort of a dearth of understanding of where policy intersects with technical realities," he says.

For this early crew, it was a nerve-wracking time to blaze a trail.

During O'Connor Kelly's first three weeks at the company, she says, the FTC began an investigation, 21 class actions were filed and 12 attorney general investigations were launched.

"It was definitely the cutting-edge privacy and technology issue at that time," she says of the DoubleClick/Abacus investigation.

Adding to the intensity of the multiple investigations was the fact the case was unprecedented. There was no case law on the books or FTC decisions on privacy to turn to for guidance, O'Connor Kelly says. In fact, DoubleClick is listed as the first one.

"And it was a really pivotal time for Internet and e-commerce and privacy issues in particular--one that kind of brought privacy and data usage and handling into a much wider audience," she says. "I will be really candid when I say we were making some of this up as we went along. To a certain extent, in the really early days, privacy officers were flying by the seats of our pants."

"These certainly were regulatory novel issues and new technological ideas that continued to be challenging to try to figure out how to deal with in a responsible way," Polonetsky agrees. "I certainly didn't know a great deal about privacy or data protection."

Berkower says, "The learning curve was very steep and the time was very short."

"We lived every day with an unexpected privacy scandal that someone was alleging or accusing," Polonetsky says. "From front-page stories about the White House being accused of having DoubleClick cookies tied to a campaign related to teaching teens about drugs to 60 Minutes stories to new class actions and lawsuits."

But the payoff for any privacy professional engaged in front-line issues like his team at DoubleClick faced, he says, is that "it can be a huge opportunity for a savvy CPO to get what he needs done accomplished."

"I think it was a crisis opportunity, and taking advantage of a crisis to really get the policies and people in place is how we were able to assemble a good team of people, and I think that's some of the lesson for other crises. Individuals dealing with the response need to strike while the iron is hot, whereas in non-crises situations, it can take time and convincing to get the right policies and people in place," Polonetsky says.

The FTC eventually would close its DoubleClick investigation, ruling that the company had not violated its privacy policy.

"I remember when we got the letter that the case had been closed," O'Connor Kelly says. "What an exciting time."

And in the meantime, she adds, a new profession was born.

"I think the takeaway for me is that it helped me be a part of a team that built the structure of privacy, which is something I've replicated almost everywhere I've been."

What's next?

Dobbs says it will be interesting to see where the issue at the heart of the DoubleClick controversy ends up.

"We're 10 years into it, but as a business model, it's sort of ancient," he says. "We haven't figured out how to make money doing this, and there's this battle on the one side to create an advertising mechanism that generates enough utility to pay for expensive content, and on the other side, there's this growing unease about the data that's being collected. And those are pushing in opposite directions."

He says the question will become "do you, consumer, want to start giving up more data about yourself and get content for free? Or, alternatively, are you going to be part of the tragedy of the commons and exert your right to not permit data collection, and eventually run the pumps dry?"

Polonetsky says that over the years, his opinions on privacy have continued to evolve, but they've always centered around one core principle.

"Are you treating people fairly here? Because it's about treating people really well," he says. "If you want to make money doing things for people, treat them really well."